authorPaul Taysom <taysom@chromium.org>2012-10-08 15:58:35 -0700
committerGerrit <chrome-bot@google.com>2012-10-09 13:45:13 -0700
commit212eb98136679320d17ccec6c6ddcbc6ecec8613 (patch)
tree513c6951ab89d4d04e094ced2590a265876c11d2
parent4615b96345d57a09e058a3fc43755d132a025019 (diff)
downloadvboot-212eb98136679320d17ccec6c6ddcbc6ecec8613.tar.gz
Added patterns for bootcache
The bootcache will be changing the linux command line. Added additional patterns that are acceptable to the signing software. BUG=chromium-os:25441 TEST=ran security_test_image script against stumpy recovery images BRANCH=none Change-Id: I22d00ebc6191b5499f722974d90c260b78eb63b2 Reviewed-on: https://gerrit.chromium.org/gerrit/34959 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Ready: Paul Taysom <taysom@chromium.org> Tested-by: Paul Taysom <taysom@chromium.org>
-rwxr-xr-xscripts/image_signing/ensure_secure_kernelparams.sh28
1 files changed, 25 insertions, 3 deletions
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index 31d6d644..0f15490f 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -39,6 +39,12 @@ dmparams_mangle() {
if [[ $dmparams != *MAGIC_HASH* ]]; then
dmparams=$(echo $dmparams | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/')
fi
+ # If we have bootcache enabled, replace its copy of the root_hexdigest
+ # with MAGIC_HASH. The parameter is positional.
+ if [[ $dmparams == *bootcache* ]]; then
+ dmparams=$(echo $dmparams |
+ sed -r 's/(bootcache %U\+1 [0-9]+) [0-9a-fA-F]+/\1 MAGIC_HASH/')
+ fi
echo $dmparams
}
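Review bot: The added bootcache substitution passes `$dmparams` to `echo` unquoted, so the value is word-split and any glob character in it is expanded against the working directory before sed sees it. The existing sha1 line above has the same form; if the whitespace collapsing is not relied on, `printf '%s\n' "$dmparams" | sed -r ...` hands sed the table unchanged. The comment could also say that only the `bootcache %U+1 <decimal> <hex>` layout is rewritten, since a table in any other layout is left unmangled. dmparams_mangle starts outside this hunk.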
@@ -90,12 +96,15 @@ main() {
# turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
- eval "required_kparams=(\${required_kparams_$board[@]})"
- eval "optional_kparams=(\${optional_kparams_$board[@]})"
- eval "optional_kparams_regex=(\${optional_kparams_regex_$board[@]})"
+ eval "required_kparams=(\"\${required_kparams_$board[@]}\")"
+ eval "required_kparams_regex=(\"\${required_kparams_regex_$board[@]}\")"
+ eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"
+ eval "optional_kparams_regex=(\"\${optional_kparams_regex_$board[@]}\")"
eval "required_dmparams=(\"\${required_dmparams_$board[@]}\")"
output+="required_kparams=(\n"
output+="$(printf "\t'%s'\n" "${required_kparams[@]}")\n)\n"
+ output+="required_kparams_regex=(\n"
+ output+="$(printf "\t'%s'\n" "${required_kparams_regex[@]}")\n)\n"
output+="optional_kparams=(\n"
output+="$(printf "\t'%s'\n" "${optional_kparams[@]}")\n)\n"
output+="optional_kparams_regex=(\n"
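Review bot: The new `required_kparams_regex` line adds another `eval` over `$board`, which is read from `$rootfs/etc/lsb-release` of the image being checked, so any character outside the expected board-name set would be interpreted by the shell. Checking the value before the evals, `[[ $board =~ ^[A-Za-z0-9_]+$ ]] || exit 1`, or replacing each eval with indirect expansion, `ref="required_kparams_regex_${board}[@]"; required_kparams_regex=("${!ref}")`, closes that path. Separately, a board config that defines no `required_kparams_regex_<board>` array yields an empty list, so the later check requires nothing; a comment stating that this is intended would help. main begins and ends outside this hunk.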
@@ -148,6 +157,19 @@ main() {
fi
done
+ # Ensure all other required regex params are present.
+ for param in "${required_kparams_regex[@]}"; do
+ if [[ "$kparams_nodm" != *$param* ]]; then
+ echo "Kernel parameters missing required value: $param"
+ testfail=1
+ else
+ # Remove matched params as we go. If all goes well, kparams_nodm
+ # will be nothing left but whitespace by the end.
+ kparams_nodm=$(echo " ${kparams_nodm} " |
+ sed "s${M} ${param} ${M} ${M}")
+ fi
+ done
+
# Check-off each of the allowed-but-optional params that were present.
for param in "${optional_kparams[@]}"; do
param=$(escape_regexmetas "$param")
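Review bot: The presence test `[[ "$kparams_nodm" != *$param* ]]` treats each entry of `required_kparams_regex` as an unanchored glob, while the removal a few lines below treats the same string as a space-delimited sed regex, so the two can disagree. A pattern that uses regex syntax such as `+` does not match as a glob and is reported missing, and a pattern that matches only as a substring of a longer parameter passes the test but is not removed. Using one matcher for both keeps them aligned, for example `re=" ${param} "; if [[ ! " ${kparams_nodm} " =~ $re ]]; then`, with the sed call switched to the same regex dialect (`sed -r`). The optional-params loop that follows continues outside this hunk.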