Add script to validate kernel params before we sign images

scripts/image_signing/ensure_secure_kernelparams.sh

Index: scripts/image_signing/ensure_secure_kernelparams.sh
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1d159d4c6c1d42ce85ebc7f01647e42a28155620
--- /dev/null
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Abort on error.
+set -e
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Given a kernel boot param string which includes ...dm="dmstuff"...
+# this returns the dmstuff by itself.
+get_dmparams() {
+    echo "$1" | sed 's/^.*\ dm="\([^"]*\)".*/\1/'
+}
+
+# Given a kernel boot param string which includes ...dm="stuff"...
+# this returns the param string with the dm="..." section removed.
+# Useful in conjunction with get_dmparams to divide and process
+# the two sections of parameters in seperate passes
+kparams_remove_dm() {
+    echo "$1" | sed 's/dm="[^"]*"//'
+}
+
+# Given a dm param string which includes a long and unpredictable
+# sha1 hash, return the same string with the sha1 hash replaced
+# with a magic placeholder. This same magic placeholder is used
+# in the config file, for comparison purposes.
+dmparams_mangle_sha1() {
+    echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/'
+}
+
+usage() {
+    echo "Usage $PROG image [config]"
+}
+
+main() {
+    # We want to catch all the discrepancies, not just the first one.
+    # So, any time we find one, we set testfail=1 and continue.
+    # When finished we will use testfail to determine our exit value.
+    local testfail=0
+
+    if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then
+        usage
+        exit 1
+    fi
+
+    local image="$1"
+
+    # Default config location: same name/directory as this script,
+    # with a .config file extension, ie ensure_secure_kernelparams.config.
+    local configfile="$(dirname "$0")/${0/%.sh/.config}"
+    # Or, maybe a config was provided on the command line.
+    if [[ $# -eq 2 ]]; then
+        configfile="$2"
+    fi
+    # Either way, load test-expectations data from config.
+    . "$configfile"
+
+    local kernelblob=$(make_temp_file)
+    extract_image_partition "$image" 2 "$kernelblob"
+    local rootfs=$(make_temp_dir)
+    mount_image_partition_ro "$image" 3 "$rootfs"
+
+    # Pick the right set of test-expectation data to use. The cuts
+    # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
+    local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
+                  cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+    eval "required_kparams=(\${required_kparams_$board[@]})"
+    eval "optional_kparams=(\${optional_kparams_$board[@]})"
+    eval "required_dmparams=\"\$required_dmparams_$board\""
+
+    # Divide the dm params from the rest and process seperately.
+    local kparams=$(dump_kernel_config "$kernelblob")
+    local dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")")
+    local kparams_nodm=$(kparams_remove_dm "$kparams")
+
+    # Special-case handling of the dm= param:
+    if [[ "$dmparams" != "$required_dmparams" ]]; then
+        echo "Kernel dm= parameter does not match expected value!"
+        echo "Expected: $required_dmparams"
+        echo "Actual:   $dmparams"
+        testfail=1
+    fi
+
+    # Ensure all other required params are present.
+    for param in ${required_kparams[@]}; do :
+        if [[ "$kparams_nodm" != *$param* ]]; then
+            echo "Kernel parameters missing required value: $param"
+            testfail=1
+        else
+            # Remove matched params as we go. If all goes well, kparams_nodm
+            # will be nothing left but whitespace by the end.
+            kparams_nodm=${kparams_nodm/$param/}
+        fi
+    done
+
+    # Check-off each of the allowed-but-optional params that were present.
+    for param in ${optional_kparams[@]}; do :
+        kparams_nodm=${kparams_nodm/$param/}
+    done
+
+    # This section enforces the default-deny for any unexpected params
+    # not already processed by one of the above loops.
+    if [[ ! -z ${kparams_nodm// /} ]]; then
+        echo "Unexpected kernel parameters found: $kparams_nodm"
+        testfail=1
+    fi
+
+    exit $testfail
+}
+
+main $@