| OLD | NEW |
| (Empty) | |
| 1 #!/bin/bash |
| 2 |
| 3 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. |
| 6 |
| 7 # Abort on error. |
| 8 set -e |
| 9 |
| 10 # Load common constants and variables. |
| 11 . "$(dirname "$0")/common.sh" |
| 12 |
| 13 # Given a kernel boot param string which includes ...dm="dmstuff"... |
| 14 # this returns the dmstuff by itself. |
| 15 get_dmparams() { |
| 16 echo "$1" | sed 's/^.*\ dm="\([^"]*\)".*/\1/' |
| 17 } |
| 18 |
| 19 # Given a kernel boot param string which includes ...dm="stuff"... |
| 20 # this returns the param string with the dm="..." section removed. |
| 21 # Useful in conjunction with get_dmparams to divide and process |
| 22 # the two sections of parameters in seperate passes |
| 23 kparams_remove_dm() { |
| 24 echo "$1" | sed 's/dm="[^"]*"//' |
| 25 } |
| 26 |
| 27 # Given a dm param string which includes a long and unpredictable |
| 28 # sha1 hash, return the same string with the sha1 hash replaced |
| 29 # with a magic placeholder. This same magic placeholder is used |
| 30 # in the config file, for comparison purposes. |
| 31 dmparams_mangle_sha1() { |
| 32 echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/' |
| 33 } |
| 34 |
| 35 usage() { |
| 36 echo "Usage $PROG image [config]" |
| 37 } |
| 38 |
| 39 main() { |
| 40 # We want to catch all the discrepancies, not just the first one. |
| 41 # So, any time we find one, we set testfail=1 and continue. |
| 42 # When finished we will use testfail to determine our exit value. |
| 43 local testfail=0 |
| 44 |
| 45 if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then |
| 46 usage |
| 47 exit 1 |
| 48 fi |
| 49 |
| 50 local image="$1" |
| 51 |
| 52 # Default config location: same name/directory as this script, |
| 53 # with a .config file extension, ie ensure_secure_kernelparams.config. |
| 54 local configfile="$(dirname "$0")/${0/%.sh/.config}" |
| 55 # Or, maybe a config was provided on the command line. |
| 56 if [[ $# -eq 2 ]]; then |
| 57 configfile="$2" |
| 58 fi |
| 59 # Either way, load test-expectations data from config. |
| 60 . "$configfile" |
| 61 |
| 62 local kernelblob=$(make_temp_file) |
| 63 extract_image_partition "$image" 2 "$kernelblob" |
| 64 local rootfs=$(make_temp_dir) |
| 65 mount_image_partition_ro "$image" 3 "$rootfs" |
| 66 |
| 67 # Pick the right set of test-expectation data to use. The cuts |
| 68 # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo. |
| 69 local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \ |
| 70 cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_) |
| 71 eval "required_kparams=(\${required_kparams_$board[@]})" |
| 72 eval "optional_kparams=(\${optional_kparams_$board[@]})" |
| 73 eval "required_dmparams=\"\$required_dmparams_$board\"" |
| 74 |
| 75 # Divide the dm params from the rest and process seperately. |
| 76 local kparams=$(dump_kernel_config "$kernelblob") |
| 77 local dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")") |
| 78 local kparams_nodm=$(kparams_remove_dm "$kparams") |
| 79 |
| 80 # Special-case handling of the dm= param: |
| 81 if [[ "$dmparams" != "$required_dmparams" ]]; then |
| 82 echo "Kernel dm= parameter does not match expected value!" |
| 83 echo "Expected: $required_dmparams" |
| 84 echo "Actual: $dmparams" |
| 85 testfail=1 |
| 86 fi |
| 87 |
| 88 # Ensure all other required params are present. |
| 89 for param in ${required_kparams[@]}; do : |
| 90 if [[ "$kparams_nodm" != *$param* ]]; then |
| 91 echo "Kernel parameters missing required value: $param" |
| 92 testfail=1 |
| 93 else |
| 94 # Remove matched params as we go. If all goes well, kparams_nodm |
| 95 # will be nothing left but whitespace by the end. |
| 96 kparams_nodm=${kparams_nodm/$param/} |
| 97 fi |
| 98 done |
| 99 |
| 100 # Check-off each of the allowed-but-optional params that were present. |
| 101 for param in ${optional_kparams[@]}; do : |
| 102 kparams_nodm=${kparams_nodm/$param/} |
| 103 done |
| 104 |
| 105 # This section enforces the default-deny for any unexpected params |
| 106 # not already processed by one of the above loops. |
| 107 if [[ ! -z ${kparams_nodm// /} ]]; then |
| 108 echo "Unexpected kernel parameters found: $kparams_nodm" |
| 109 testfail=1 |
| 110 fi |
| 111 |
| 112 exit $testfail |
| 113 } |
| 114 |
| 115 main $@ |
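Review bot: `$board` is read from `etc/lsb-release` inside the image under test and then spliced into three `eval` strings (new lines 71-73), so the checker interprets a value taken from the artifact it is validating as shell syntax rather than as data. Validate it before the evals, e.g. `[[ "$board" =~ ^[A-Za-z0-9_]+$ ]] || { echo "Unexpected board name: $board"; exit 1; }`, or replace them with indirect expansion such as `local ref="required_kparams_${board}[@]"; required_kparams=("${!ref}")`. Separately, `dmparams_mangle_sha1` (new line 32) uses `[0-9a-fA-F]*`, which also matches an empty or truncated hash, so such a dm string still normalises to `MAGIC_HASH` and can pass the comparison. `[0-9a-fA-F]\{40\}` would restrict the substitution to a full-length SHA-1.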