
Side by Side Diff: scripts/image_signing/ensure_secure_kernelparams.sh

Issue 6253014: Add script to validate kernel params before we sign images (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master
Patch Set: Created 9 years, 11 months ago
(Empty)
1 #!/bin/bash
2
3 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
gauravsh 2011/01/26 22:55:57 2011
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
6
7 # abort on error
8 set -e
9
10 # Load common constants and variables.
11 . "$(dirname "$0")/common.sh"
12
13 if [ $# -ne 1 ]; then
14 echo "Usage $0 <image>"
gauravsh 2011/01/26 22:55:57 nit: use $PROG instead of $0 (for consistency, not
15 exit 1
16 fi
17
18 # Load test-expectations data from config
19 . "$(dirname "$0")/${0/%.sh/.config}"
gauravsh 2011/01/26 22:55:57 the substitution is a bit cryptic. I would suggest
20
21
22 # Given a kernel boot param string which includes ...dm="dmstuff"...
23 # this returns the dmstuff by itself.
24 get_dmparams() {
25 echo "$1" | sed 's/^.*\ dm="\([^"]*\)".*/\1/'
26 }
27
28 # Given a kernel boot param string which includes ...dm="stuff"...
29 # this returns the param string with the dm="..." section removed.
30 # Useful in conjunction with get_dmparams to divide and process
31 # the two sections of parameters in seperate passes
32 kparams_remove_dm() {
33 echo "$1" | sed 's/dm="[^"]*"//'
34 }
35
36 # Given a dm param string which includes a long and unpredictable
37 # sha1 hash, return the same string with the sha1 hash replaced
38 # with a magic placeholder. This same magic placeholder is used
39 # in the config file, for comparison purposes.
40 dmparams_mangle_sha1() {
41 echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/'
42 }
43
44 # main execution starts here
45 testpass=true
gauravsh 2011/01/26 22:55:57 all globals should be all uppercase. if you prefer
46 image="$1"
47 kernelblob="$(make_temp_file)"
48 extract_image_partition "$image" 2 "$kernelblob"
49 rootfs="$(make_temp_dir)"
50 mount_image_partition_ro "$image" 3 "$rootfs"
51
52 # Pick the right set of test-expectation data to use
53 board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
gauravsh 2011/01/26 22:55:57 Note that this will not work on an already signed
54 cut -d = -f 2 | tr - _)
55 eval "required_kparams=(\${required_kparams_$board[@]})"
56 eval "optional_kparams=(\${optional_kparams_$board[@]})"
57 eval "required_dmparams=\"\$required_dmparams_$board\""
58
59 # Divide the dm params from the rest and process seperately
60 kparams="$(dump_kernel_config "$kernelblob")"
gauravsh 2011/01/26 22:55:57 nit: i think you probably don't need the extra quo
61 dmparams="$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")")"
62 kparams_nodm="$(kparams_remove_dm "$kparams")"
63
64 # Special-case handling of the dm= param:
65 if [ "$dmparams" != "$required_dmparams" ]; then
66 echo "Kernel dm= parameter does not match expected value!"
67 echo "Expected: $required_dmparams"
68 echo "Actual: $dmparams"
69 testpass=false
70 fi
71
72 # Ensure all other required params are present
73 for param in ${required_kparams[@]}; do :
gauravsh 2011/01/26 22:55:57 probably not a very big deal - but how will this h
74 if [[ "$kparams_nodm" != *$param* ]]; then
75 echo "Kernel parameters missing required value: $param"
76 testpass=false
77 else
78 # Remove matched params as we go. If all goes well, kparams_nodm
79 # will be nothing left but whitespace by the end.
80 kparams_nodm=${kparams_nodm/$param/}
81 fi
82 done
83
84 # Check-off each of the allowed-but-optional params that were present
85 for param in ${optional_kparams[@]}; do :
86 kparams_nodm=${kparams_nodm/$param/}
87 done
88
89 # This section enforces the default-deny for any unexpected params
90 # not already processed by one of the above loops.
91 if [ ! -z ${kparams_nodm// /} ]; then
92 echo "Unexpected kernel parameters found: $kparams_nodm"
93 testpass=false
94 fi
95
96 if $testpass; then
gauravsh 2011/01/26 22:55:57 instead of testpass, you could just use testfail=0
97 exit 0
98 else
99 exit 1
100 fi
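Review bot: The default-deny check at line 91 fails open because `${kparams_nodm// /}` is unquoted: when two or more unexpected parameters are left over, `[` receives extra arguments, reports "too many arguments" and returns non-zero, so the `if` body is skipped and testpass stays true (and any glob characters in the leftover are expanded against the current directory first). Quote it, `if [ -n "${kparams_nodm// /}" ]; then`. Lines 55-57 need the same scrutiny: `board` is read from the image's own /etc/lsb-release and spliced into `eval`, so a CHROMEOS_RELEASE_BOARD value containing shell metacharacters would execute on the signing host; validate it before use, `[[ "$board" =~ ^[A-Za-z0-9_]+$ ]] || { echo "Unexpected board name: $board"; exit 1; }`, or drop the eval in favour of indirect expansion such as `name="required_kparams_${board}[@]"; required_kparams=("${!name}")`. The unquoted `${required_kparams[@]}` and `${optional_kparams[@]}` on lines 73 and 85 presumably rely on word-splitting, but `"${required_kparams[@]}"` gives the same per-element iteration without globbing the entries.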
