scripts/image_signing: Add general security test script

This commit adds a general security test script. This allows
some logic to be moved out of the signer as well as providing a single
entry point for the security tests run by the signer.

BRANCH=none
BUG=b:202397678
TEST=Verified that correct security tests ran with/without
`--keyset-is-mp`

Change-Id: Ib4c779a90d2fe9160c278f20d7ec61242f1d68cc
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820999
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>

1 files changed, 99 insertions, 0 deletions

diff --git a/scripts/image_signing/security_test_artifact.py b/scripts/image_signing/security_test_artifact.py
new file mode 100755
index 00000000..78ffd09d
--- /dev/null
+++ b/scripts/image_signing/security_test_artifact.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+# Copyright 2022 The ChromiumOS Authors.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Run security tests on an artifact"""
+
+import argparse
+import os
+from pathlib import Path
+import subprocess
+import sys
+
+DIR = Path(__file__).resolve().parent
+
+
+def exec_test(name, input, args):
+    """Runs a given script
+
+    Args:
+        name: the name of the script to execute
+        input: the input artifact
+        args: list of additional arguments for the script
+    """
+    # Ensure this script can execute from any directory
+    cmd_path = DIR / f"{name}.sh"
+
+    cmd = [cmd_path, input] + args
+    ret = subprocess.run(cmd, check=False)
+    if ret.returncode:
+        sys.exit(ret.returncode)
+
+
+def get_parser():
+    """Creates an argument parser"""
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument(
+        "--config",
+        "-c",
+        help="Security test baseline config directory",
+        required=True,
+        type=Path,
+    )
+
+    parser.add_argument(
+        "--input",
+        "-i",
+        help="Artfact to test",
+        required=True,
+        type=Path,
+    )
+
+    parser.add_argument(
+        "--keyset-is-mp",
+        action="store_true",
+        help="Target artifact is signed with a mass production keyset",
+        default=False,
+    )
+
+    return parser
+
+
+def main(argv):
+    """Main function, parses arguments and invokes the relevant scripts"""
+    parser = get_parser()
+    opts = parser.parse_args(argv)
+
+    # Run generic baseline tests.
+    baseline_tests = [
+        "ensure_sane_lsb-release",
+    ]
+
+    if opts.keyset_is_mp:
+        baseline_tests += [
+            "ensure_no_nonrelease_files",
+            "ensure_secure_kernelparams",
+        ]
+
+    for test in baseline_tests:
+        exec_test(
+            test, opts.input, [os.path.join(opts.config, f"{test}.config")]
+        )
+
+    # Run generic non-baseline tests.
+    tests = []
+
+    if opts.keyset_is_mp:
+        tests += [
+            "ensure_not_ASAN",
+            "ensure_not_tainted_license",
+            "ensure_update_verification",
+        ]
+
+    for test in tests:
+        exec_test(test, opts.input, [])
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))