diff options
| author | Gaurav Shah <gauravsh@chromium.org> | 2011-09-21 11:36:16 -0700 |
|---|---|---|
| committer | Gaurav Shah <gauravsh@chromium.org> | 2011-09-21 15:38:05 -0700 |
| commit | e622f1159557b53bac98d0b7b3a482f2a3cdac8f (patch) | |
| tree | 4aae09cfb7cb3013a1d948f0c965c761d1b76739 | |
| parent | 06edfc60f329d71ac00d16b29c034149cc5249a9 (diff) | |
| download | vboot-e622f1159557b53bac98d0b7b3a482f2a3cdac8f.tar.gz | |
image security test: Allow alternatives for verity parameters
This is again working around the fact that the signer isn't branch
conscious. Depending on which branch you look at, there are 3 possible
verity parameter styles in use.
This CL allows the kernel parameter test to allow multiple alternatives
for verity dm= parameters.
BUG=chromium-os:20640
TEST=manually tried with a R16, R15 and R14 image
Change-Id: I07554594d6adbdfd1988395d3e91edfd603d8cd4
Reviewed-on: http://gerrit.chromium.org/gerrit/8067
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
| -rwxr-xr-x | scripts/image_signing/ensure_secure_kernelparams.sh | 43 | ||||
| -rwxr-xr-x | scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config | 8 |
2 files changed, 36 insertions, 15 deletions
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh index b9dac90d..0fa116ee 100755 --- a/scripts/image_signing/ensure_secure_kernelparams.sh +++ b/scripts/image_signing/ensure_secure_kernelparams.sh @@ -24,12 +24,22 @@ kparams_remove_dm() { echo "$1" | sed 's/dm="[^"]*"//' } -# Given a dm param string which includes a long and unpredictable -# sha1 hash, return the same string with the sha1 hash replaced -# with a magic placeholder. This same magic placeholder is used -# in the config file, for comparison purposes. -dmparams_mangle_sha1() { - echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/' +# Given a dm param string which includes dynamic values, return the +# same string with these values replaced by a magic string placeholder. +# This same magic placeholder is used in the config file, for comparison +# purposes. +dmparams_mangle() { + local dmparams=$1 + # First handle new key-value style verity parameters. + dmparams=$(echo "$dmparams" | + sed -e 's/root_hexdigest=[0-9a-fA-F]*/root_hexdigest=MAGIC_HASH/' | + sed -e 's/salt=[0-9a-fA-F]*/salt=MAGIC_SALT'/) + # If we didn't substitute the MAGIC_HASH yet, these are the old + # verity parameter format. + if [[ $dmparams != *MAGIC_HASH* ]]; then + dmparams=$(echo $dmparams | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/') + fi + echo $dmparams } # This escapes any non-alphanum character, since many such characters @@ -77,19 +87,28 @@ main() { eval "required_kparams=(\${required_kparams_$board[@]})" eval "optional_kparams=(\${optional_kparams_$board[@]})" eval "optional_kparams_regex=(\${optional_kparams_regex_$board[@]})" - eval "required_dmparams=\"\$required_dmparams_$board\"" + eval "required_dmparams=(\"\${required_dmparams_$board[@]}\")" # Divide the dm params from the rest and process seperately. local kparams=$(dump_kernel_config "$kernelblob") - local dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")") + local dmparams=$(get_dmparams "$kparams") local kparams_nodm=$(kparams_remove_dm "$kparams") + mangled_dmparams=$(dmparams_mangle "${dmparams}") # Special-case handling of the dm= param: - if [[ "$dmparams" != "$required_dmparams" ]]; then - echo "Kernel dm= parameter does not match expected value!" - echo "Expected: $required_dmparams" + for expected_dmparams in "${required_dmparams[@]}"; do + # Filter out all dynamic parameters. + testfail=1 + if [ "$mangled_dmparams" = "$expected_dmparams" ]; then + testfail=0 + break + fi + done + + if [ $testfail -eq 1 ]; then + echo "Kernel dm= parameter does not match any expected values!" echo "Actual: $dmparams" - testfail=1 + echo "Expected: ${required_dmparams[@]}" fi # Ensure all other required params are present. diff --git a/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config b/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config index a3bef59b..9b78def0 100755 --- a/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config +++ b/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config @@ -22,9 +22,11 @@ optional_kparams_regex_common=( ) # taken from observation of current builds. In particular we may see # the size of the filesystem creep over time. That size is denoted by # the large number that appears a couple times in this string. -required_dmparams_common="vroot none ro,0 1740800 verity /dev/sd%D%P \ -/dev/sd%D%P 1740800 1 sha1 MAGIC_HASH" +dmparams_common_list=('vroot none ro,0 1740800 verity %U+1 %U+1 1740800 0 sha1 MAGIC_HASH' +'vroot none ro,0 1740800 verity payload=%U+1 hashtree=%U+1 hashstart=1740800 alg=sha1 root_hexdigest=MAGIC_HASH' +'vroot none ro,0 1740800 verity payload=%U+1 hashtree=%U+1 hashstart=1740800 alg=sha1 root_hexdigest=MAGIC_HASH salt=MAGIC_SALT' +) # # x86-mario @@ -32,7 +34,7 @@ required_dmparams_common="vroot none ro,0 1740800 verity /dev/sd%D%P \ required_kparams_x86_mario=( ${required_kparams_common[@]} ) optional_kparams_x86_mario=( ${optional_kparams_common[@]} ) optional_kparams_regex_x86_mario=( ${optional_kparams_regex_common[@]} ) -required_dmparams_x86_mario="$required_dmparams_common" +required_dmparams_x86_mario=("${required_dmparams_common[@]}") # Set up additional boards here. The "common" variables are # not directly consulted by the test script, they're only |