diff options
| author | Sergey Frolov <sfrolov@google.com> | 2020-12-29 17:42:30 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2021-01-01 00:19:31 +0000 |
| commit | 506d9df62d10ad0fde2d8d96b25b194d749262ff (patch) | |
| tree | bcc837446605fe65c0ce4e860777461ae23702b9 | |
| parent | 681305cd1caefeef9a62e210267d63a1e3f133e0 (diff) | |
| download | vboot-stabilize-rust-13720.B.tar.gz | |
Add ensure_not_tainted_license.shstabilize-rust-13720.Bmasterfactory-zork-13700.B
This is a part of the work to ensure that tainted images are never
signed with MP keys. A special tainted tag was added to the license file by
https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225
and in ensure_not_tainted.sh we detect the presence of this tag.
This script has been manually tested on tainted and non-tainted images.
BUG=chromium:1059363
TEST=manual
BRANCH=none
Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
| -rwxr-xr-x | scripts/image_signing/ensure_not_tainted_license.sh | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/scripts/image_signing/ensure_not_tainted_license.sh b/scripts/image_signing/ensure_not_tainted_license.sh new file mode 100755 index 00000000..cd640493 --- /dev/null +++ b/scripts/image_signing/ensure_not_tainted_license.sh @@ -0,0 +1,66 @@ +#!/bin/bash +# +# Copyright 2020 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. +# +# This script ensures absence of a <!-- tainted --> tag in image's license. + +# Abort on error. +set -e + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +usage() { + echo "Usage ${PROG} image" +} + +main() { + if [[ $# -ne 1 ]]; then + usage + exit 1 + fi + + local image="$1" + + local loopdev rootfs + if [[ -d "${image}" ]]; then + rootfs="${image}" + else + rootfs=$(make_temp_dir) + loopdev=$(loopback_partscan "${image}") + mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs}" + fi + + local license_dir license tainted_tag tainted_status + license_dir="${rootfs}/opt/google/chrome/" + if [[ ! -d "${license_dir}" ]]; then + echo "Directory ${license_dir} does not exist. Skipping the tainted check." + exit 0 + fi + + license=$(find "${license_dir}" -name about_os_credits.html 2>/dev/null) + if [[ -z "${license}" ]]; then + echo "License file about_os_credits.html not found in ${license_dir}" + exit 1 + fi + + tainted_tag="<!-- tainted -->" + tainted_status=$(grep "${tainted_tag}" "${license}") + if [[ -n "${tainted_status}" ]]; then + echo "${license}:" + echo "License file contains packages with LICENSE=TAINTED." + echo "Remove those packages or modify their license to allow signing." + # Print the list of tainted packages. + sed -n '/Image is TAINTED/,/<\/ul>/{ + # Strip out HTML tags. + s/<[^>]*>//g + # Delete any empty lines. + /^[[:space:]]*$/d + p + }' "${license}" + fi + exit 0 +} +main "$@" |