author | Gaurav Shah <gauravsh@chromium.org> | 2012-06-15 12:53:52 -0700 |
---|---|---|
committer | Gerrit <chrome-bot@google.com> | 2012-06-18 15:21:42 -0700 |
commit | 79461cbc03b5f72d6fb70bad79ced5cdb693fcf5 (patch) | |
tree | 8ef235e0546e135e6c663ac4408f1701a0c16ff8 | |
parent | 592567e95612cdfa679b9b9fd3e4afe0579b1210 (diff) | |
download | vboot-79461cbc03b5f72d6fb70bad79ced5cdb693fcf5.tar.gz |
security test: Add test that verifies that update verification is enabled
BUG=chromium-os:31893
TEST=verified on images with/without payload verification enabled.
Change-Id: Ic1883aafcc2c48d9e7c5323d6dc7e21fb8f47585
Reviewed-on: https://gerrit.chromium.org/gerrit/25407
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
-rwxr-xr-x | scripts/image_signing/ensure_no_nonrelease_files.sh | 2 | ||||
-rwxr-xr-x | scripts/image_signing/ensure_no_password.sh | 3 | ||||
-rwxr-xr-x | scripts/image_signing/ensure_not_ASAN.sh | 2 | ||||
-rwxr-xr-x | scripts/image_signing/ensure_update_verification.sh | 34 |
4 files changed, 37 insertions, 4 deletions
diff --git a/scripts/image_signing/ensure_no_nonrelease_files.sh b/scripts/image_signing/ensure_no_nonrelease_files.sh
index e2e437f6..bc38a57f 100755
--- a/scripts/image_signing/ensure_no_nonrelease_files.sh
+++ b/scripts/image_signing/ensure_no_nonrelease_files.sh
@@ -50,4 +50,4 @@ main() {
 exit $testfail
 }
-main $@
+main "$@"
diff --git a/scripts/image_signing/ensure_no_password.sh b/scripts/image_signing/ensure_no_password.sh
index a6adb858..10363bf3 100755
--- a/scripts/image_signing/ensure_no_password.sh
+++ b/scripts/image_signing/ensure_no_password.sh
@@ -20,6 +20,5 @@ ROOTFS=$(make_temp_dir)
 mount_image_partition_ro "$IMAGE" 3 "$ROOTFS"
 if ! no_chronos_password $ROOTFS; then
- echo "chronos password is set! Shouldn't be for release builds."
- exit 1
+ die "chronos password is set! Shouldn't be for release builds."
 fi
diff --git a/scripts/image_signing/ensure_not_ASAN.sh b/scripts/image_signing/ensure_not_ASAN.sh
index aeb8b6c9..5ea51660 100755
--- a/scripts/image_signing/ensure_not_ASAN.sh
+++ b/scripts/image_signing/ensure_not_ASAN.sh
@@ -32,4 +32,4 @@ main() {
 exit 1
 fi
 }
-main $@
+main "$@"
diff --git a/scripts/image_signing/ensure_update_verification.sh b/scripts/image_signing/ensure_update_verification.sh
new file mode 100755
index 00000000..34fb2cb3
--- /dev/null
+++ b/scripts/image_signing/ensure_update_verification.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Verify that update payload verification is enabled.
+
+# Abort on error.
+set -e
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+usage() {
+ echo "Usage: $PROG image"
+}
+
+main() {
+ if [ $# -ne 1 ]; then
+ usage
+ exit 1
+ fi
+
+ local image=$1
+ local rootfs=$(make_temp_dir)
+ local key_location="/usr/share/update_engine/update-payload-key.pub.pem"
+ mount_image_partition_ro "$image" 3 "$rootfs"
+ if [ ! -e "$rootfs/$key_location" ]; then
+ die "Update payload verification key not found at $key_location"
+ fi
+}
+
+main "$@" |
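Review bot: The check `[ ! -e "$rootfs/$key_location" ]` in main only proves that something exists at that path, so an empty file or a directory there would let the test pass even though no usable public key is present (how update_engine treats such a file is not visible here). Consider requiring a non-empty regular file, `if [ ! -f "$rootfs/$key_location" ] || [ ! -s "$rootfs/$key_location" ]; then`. Separately, `local rootfs=$(make_temp_dir)` hides a failure of make_temp_dir from `set -e` because `local` itself returns 0. Declaring first (`local rootfs`, then `rootfs=$(make_temp_dir)`) keeps an empty `$rootfs` from turning the test into a check of the signing host's own /usr/share path, assuming mount_image_partition_ro does not already reject an empty mount point.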