
Side by Side Diff: scripts/image_signing/ensure_secure_kernelparams.sh

Issue 6253014: Add script to validate kernel params before we sign images (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master
Patch Set: Fixes for review feedback. Created 9 years, 10 months ago
OLDNEW
(Empty)
1 #!/bin/bash
2
3 # Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
6
7 # abort on error
8 set -e
9
10 # Load common constants and variables.
11 . "$(dirname "$0")/common.sh"
12
13 # Given a kernel boot param string which includes ...dm="dmstuff"...
14 # this returns the dmstuff by itself.
15 get_dmparams() {
16 echo "$1" | sed 's/^.*\ dm="\([^"]*\)".*/\1/'
17 }
18
19 # Given a kernel boot param string which includes ...dm="stuff"...
20 # this returns the param string with the dm="..." section removed.
21 # Useful in conjunction with get_dmparams to divide and process
22 # the two sections of parameters in seperate passes
23 kparams_remove_dm() {
24 echo "$1" | sed 's/dm="[^"]*"//'
25 }
26
27 # Given a dm param string which includes a long and unpredictable
28 # sha1 hash, return the same string with the sha1 hash replaced
29 # with a magic placeholder. This same magic placeholder is used
30 # in the config file, for comparison purposes.
31 dmparams_mangle_sha1() {
32 echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/'
33 }
34
35 usage() {
36 echo "Usage $PROG image [config]"
37 }
38
39 main() {
40 if [ $# -ne 1 ] && [ $# -ne 2 ]; then
41 usage
42 exit 1
43 fi
44
45 image="$1"
46
47 # Default config location: same name/directory as this script,
48 # with a .config file extension, ie ensure_secure_kernelparams.config
49 configfile="$(dirname "$0")/${0/%.sh/.config}"
50 # Or, maybe a config was provided on the command line
51 if [ $# -eq 2 ]; then
52 configfile="$2"
53 fi
54 # Either way, load test-expectations data from config
55 . "$configfile"
56
57 testfail=0
gauravsh 2011/01/27 22:25:59 define this at the beginning of the function (and
58 kernelblob=$(make_temp_file)
59 extract_image_partition "$image" 2 "$kernelblob"
60 rootfs=$(make_temp_dir)
61 mount_image_partition_ro "$image" 3 "$rootfs"
62
63 # Pick the right set of test-expectation data to use. This substitution
64 # turns e.g. x86-foo as a well as x86-foo-pvtkeys into "x86_foo" by
65 # grabbing the first two runs of non-hyphen characters found after '='
66 board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
67 sed 's/.*=\([^-]*\)-\([^-]*\).*/\1_\2/')
gauravsh 2011/01/27 22:25:59 cut -f 1-2 -d '-' | sed -e s/-/_/ maybe a tad bit
68 eval "required_kparams=(\${required_kparams_$board[@]})"
69 eval "optional_kparams=(\${optional_kparams_$board[@]})"
70 eval "required_dmparams=\"\$required_dmparams_$board\""
71
72 # Divide the dm params from the rest and process seperately
73 kparams=$(dump_kernel_config "$kernelblob")
74 dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")")
75 kparams_nodm=$(kparams_remove_dm "$kparams")
76
77 # Special-case handling of the dm= param:
78 if [ "$dmparams" != "$required_dmparams" ]; then
79 echo "Kernel dm= parameter does not match expected value!"
80 echo "Expected: $required_dmparams"
81 echo "Actual: $dmparams"
82 testfail=1
83 fi
84
85 # Ensure all other required params are present
gauravsh 2011/01/27 22:25:59 nit: general comment about comments - typically al
86 for param in ${required_kparams[@]}; do :
87 if [[ "$kparams_nodm" != *$param* ]]; then
gauravsh 2011/01/27 22:25:59 nit: use one of either [ ] or [[ ]]. recommended i
88 echo "Kernel parameters missing required value: $param"
89 testfail=1
90 else
91 # Remove matched params as we go. If all goes well, kparams_nodm
92 # will be nothing left but whitespace by the end.
93 kparams_nodm=${kparams_nodm/$param/}
94 fi
95 done
96
97 # Check-off each of the allowed-but-optional params that were present
98 for param in ${optional_kparams[@]}; do :
99 kparams_nodm=${kparams_nodm/$param/}
100 done
101
102 # This section enforces the default-deny for any unexpected params
103 # not already processed by one of the above loops.
104 if [ ! -z ${kparams_nodm// /} ]; then
105 echo "Unexpected kernel parameters found: $kparams_nodm"
106 testfail=1
107 fi
108
109 exit $testfail
110 }
111
112 main $@
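Review bot: The three `eval` lines (68-70) interpolate `$board`, which is read from `etc/lsb-release` inside the image being checked, so content from the image under test ends up evaluated as shell code by the script that gates signing. When the board value has no hyphen, the `sed` expression on line 67 does not match and passes the whole `CHROMEOS_RELEASE_BOARD=...` line through unchanged, so `$board` is not guaranteed to be a plain identifier. I would validate it before line 68, for example `case "$board" in ''|*[!A-Za-z0-9_]*) echo "Unexpected board name: $board"; exit 1;; esac`, so anything else fails the check instead of reaching `eval`. Separately, the default-deny test on line 104 expands `${kparams_nodm// /}` unquoted; if the leftover contains a tab or newline it splits into several words, `[` returns an error that the `if` treats as false, and the unexpected parameters go unreported, so `if [ -n "${kparams_nodm// /}" ]; then` would be safer.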
OLDNEW
