authorAmey Deshpande <ameyd@google.com>2015-04-24 13:56:17 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-04-29 19:43:14 +0000
commit7dd3bd0fcf565901aacc512cd29cefe19291c2e7 (patch)
tree4fb4a73d67dc10a570842ea8479d3d108f26ef7a
parent4ce1cc01c08ad58abca12577c5d18e9071a26383 (diff)
image_signing: use per-board release file blackliststabilize-7039.B
This patch changes ensure_no_nonrelease_files.sh to use per-board release file blacklist instead of the default one. It also uses this opportunity to make ensure_no_nonrelease_files.sh consistently formatted. BRANCH=none TEST=Ran ./security_test_image on a lakitu image and --vboot_hash pointing to this commit, and verified ensure_no_nonrelease_files.sh passes. BUG=brillo:823 Change-Id: I2cff56192a5ff0b917faba7549e7adafb4757a47 Reviewed-on: https://chromium-review.googlesource.com/267335 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Amey Deshpande <ameyd@google.com> Tested-by: Amey Deshpande <ameyd@google.com>
-rw-r--r--scripts/image_signing/common.sh10
-rwxr-xr-xscripts/image_signing/ensure_no_nonrelease_files.sh29
-rwxr-xr-xscripts/image_signing/ensure_secure_kernelparams.sh6
3 files changed, 28 insertions, 17 deletions
diff --git a/scripts/image_signing/common.sh b/scripts/image_signing/common.sh
index 599c9e1e..62dc362a 100644
--- a/scripts/image_signing/common.sh
+++ b/scripts/image_signing/common.sh
@@ -75,6 +75,16 @@ die() {
exit 1
}
+# Extract and return board name from /etc/lsb-release.
+# Args: rootfs
+get_board_from_lsb_release() {
+ local rootfs=$1
+ # The cuts turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
+ local board=$(grep CHROMEOS_RELEASE_BOARD= "${rootfs}/etc/lsb-release" | \
+ cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+ echo "${board}"
+}
+
# This will override the trap set in common_minmal.sh
trap "cleanup" INT TERM EXIT
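Review bot: get_board_from_lsb_release returns the board string read from the mounted image's /etc/lsb-release without validating it, and both callers in this commit (the `eval` lines in ensure_no_nonrelease_files.sh and ensure_secure_kernelparams.sh) splice that string into `eval`. The image is the object under test, so the helper should reject any value containing characters outside `[A-Za-z0-9_]` before returning it. The grep pattern is also unanchored, so it can match more than one line or a key that merely contains `CHROMEOS_RELEASE_BOARD=`. Because `local board=$(...)` discards the pipeline's status here and again in the callers, the callers should treat an empty result as a failure. A possible shape for the helper is below.

```shell
get_board_from_lsb_release() {
  local rootfs=$1
  local board
  board=$(grep -m1 '^CHROMEOS_RELEASE_BOARD=' "${rootfs}/etc/lsb-release" | \
    cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
  # The result is spliced into eval by callers: allow only [A-Za-z0-9_].
  case "${board}" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  echo "${board}"
}
```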
diff --git a/scripts/image_signing/ensure_no_nonrelease_files.sh b/scripts/image_signing/ensure_no_nonrelease_files.sh
index 339e5fe9..a912c449 100755
--- a/scripts/image_signing/ensure_no_nonrelease_files.sh
+++ b/scripts/image_signing/ensure_no_nonrelease_files.sh
@@ -20,7 +20,7 @@ main() {
# When finished we will use testfail to determine our exit value.
local testfail=0
- if [ $# -ne 1 ] && [ $# -ne 2 ]; then
+ if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then
usage
exit 1
fi
@@ -31,33 +31,36 @@ main() {
# with a .config file extension, ie ensure_no_nonrelease_files.config.
local configfile="$(dirname "$0")/${0/%.sh/.config}"
# Or, maybe a config was provided on the command line.
- if [ $# -eq 2 ]; then
+ if [[ $# -eq 2 ]]; then
configfile="$2"
fi
# Either way, load test-expectations data from config.
- . "$configfile" || return 1
+ . "${configfile}" || return 1
local rootfs=$(make_temp_dir)
- mount_image_partition_ro "$image" 3 "$rootfs"
+ mount_image_partition_ro "${image}" 3 "${rootfs}"
+ # Pick the right set of test-expectation data to use.
+ local board=$(get_board_from_lsb_release "${rootfs}")
+ eval "release_file_blacklist=(\"\${RELEASE_FILE_BLACKLIST_${board}[@]}\")"
- for file in ${RELEASE_FILE_BLACKLIST[@]}; do
- if [ -e "$rootfs/$file" ]; then
- echo "FAIL: $file exists in this image!"
- ls -al "$rootfs/$file"
+ for file in ${release_file_blacklist}; do
+ if [ -e "${rootfs}/${file}" ]; then
+ echo "FAIL: ${file} exists in this image!"
+ ls -al "${rootfs}/${file}"
testfail=1
fi
done
# Verify that session_manager isn't configured to pass additional
# environment variables or command-line arguments to Chrome.
- local config_path="$rootfs/etc/chrome_dev.conf"
+ local config_path="${rootfs}/etc/chrome_dev.conf"
local matches=$(grep -s "^[^#]" "${config_path}")
- if [ -n "$matches" ]; then
- echo "FAIL: Found commands in $config_path:"
- echo "$matches"
+ if [ -n "${matches}" ]; then
+ echo "FAIL: Found commands in ${config_path}:"
+ echo "${matches}"
testfail=1
fi
- exit $testfail
+ exit ${testfail}
}
main "$@"
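Review bot: The new loop header `for file in ${release_file_blacklist}; do` expands only element 0 of the array, so every blacklist entry after the first is never checked and the test can pass on an image that still contains them. The removed line iterated `${RELEASE_FILE_BLACKLIST[@]}`, so the replacement should be `for file in "${release_file_blacklist[@]}"; do`. If no `RELEASE_FILE_BLACKLIST_<board>` array is defined for the detected board, the `eval` yields an empty list and the check passes vacuously. A guard after the `eval` such as `[[ ${#release_file_blacklist[@]} -gt 0 ]] || die "no blacklist for ${board}"` would make that case fail closed. `release_file_blacklist` is also not declared `local`; main's body starts above this hunk.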
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index a471a6fc..044b441e 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -98,10 +98,8 @@ main() {
local rootfs=$(make_temp_dir)
mount_image_partition_ro "$image" 3 "$rootfs"
- # Pick the right set of test-expectation data to use. The cuts
- # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
- local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
- cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+ # Pick the right set of test-expectation data to use.
+ local board=$(get_board_from_lsb_release "${rootfs}")
eval "required_kparams=(\"\${required_kparams_$board[@]}\")"
eval "required_kparams_regex=(\"\${required_kparams_regex_$board[@]}\")"
eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"