ensure_secure_kernelparams: add sanity checks on baseline sed scripts

The way the sed logic was written we allowed invalid sed expressions to count as "pass". This is because we use "no output" as the signal that the command line option is OK (since the sed script deleted it), but it meant that invalid sed scripts produced no output too. Add an explicit exit status check to make sure invalid scripts fail. BUG=chromium:991590 TEST=`./image_signing/ensure_secure_kernelparams.sh ./coral-12439.0.0-recovery.bin .../cros-signing/security_test_baselines/ensure_secure_kernelparams.config` produces no errors BRANCH=None Change-Id: I1de3ada7e44c49f97ecc40824d98cca9291ab7e6 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762459 Reviewed-by: LaMont Jones <lamontjones@chromium.org> Commit-Queue: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
author: Mike Frysinger <vapier@chromium.org> 2019-08-21 14:58:26 -0400
committer: Commit Bot <commit-bot@chromium.org> 2019-08-26 18:55:07 +0000
commit: fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a (patch)
tree: afe05702cc9acac04f93ce41664016ebd7b814af
parent: 595108c06a4a37f4d33f66052add2e7e0176cf1b (diff)
download: vboot-fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a.tar.gz
1 files changed, 17 insertions, 6 deletions
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index daebe451..12bfbe5d 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -146,19 +146,30 @@ main() {
       fi
     done
 
+    local sedout
     for expected_dmparams in "${required_dmparams_regex[@]}"; do
-      if [[ -z $(echo "${mangled_dmparams}" | \
-           sed "s${M}^${expected_dmparams}\$${M}${M}") ]]; then
+      if ! sedout=$(echo "${mangled_dmparams}" | \
+                    sed "s${M}^${expected_dmparams}\$${M}${M}"); then
+        echo "INTERNAL ERROR from sed script: ${expected_dmparams}"
+        break
+      elif [[ -z "${sedout}" ]]; then
         testfail=0
         break
       fi
     done
 
     if [ $testfail -eq 1 ]; then
-        echo "Kernel dm= parameter does not match any expected values!"
-        echo "Actual:   $dmparams"
-        echo "Expected: ${required_dmparams[*]}"
-        echo "Expected (regex): ${required_dmparams_regex[*]}"
+      echo "Kernel dm= parameter does not match any expected values!"
+      echo "Actual value:          ${dmparams}"
+      echo "Mangled testing value: ${mangled_dmparams}"
+      if [[ ${#required_dmparams[@]} -gt 0 ]]; then
+        echo "Expected -- only one need match:"
+        printf "  >>> %s\n" "${required_dmparams[@]}"
+      fi
+      if [[ ${#required_dmparams_regex[@]} -gt 0 ]]; then
+        echo "Expected (regex) -- only one need match:"
+        printf "  >>> %s\n" "${required_dmparams_regex[@]}"
+      fi
     fi
 
     # Ensure all other required params are present.
author	Mike Frysinger <vapier@chromium.org>	2019-08-21 14:58:26 -0400
committer	Commit Bot <commit-bot@chromium.org>	2019-08-26 18:55:07 +0000
commit	fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a (patch)
tree	afe05702cc9acac04f93ce41664016ebd7b814af
parent	595108c06a4a37f4d33f66052add2e7e0176cf1b (diff)
download	vboot-fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a.tar.gz