author | Mike Frysinger <vapier@chromium.org> | 2019-08-21 14:58:26 -0400 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-08-26 18:55:07 +0000 |
commit | fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a (patch) | |
tree | afe05702cc9acac04f93ce41664016ebd7b814af /scripts | |
parent | 595108c06a4a37f4d33f66052add2e7e0176cf1b (diff) | |
download | vboot-fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a.tar.gz |
ensure_secure_kernelparams: add sanity checks on baseline sed scripts
The way the sed logic was written we allowed invalid sed expressions
to count as "pass". This is because we use "no output" as the signal
that the command line option is OK (since the sed script deleted it),
but it meant that invalid sed scripts produced no output too. Add an
explicit exit status check to make sure invalid scripts fail.
BUG=chromium:991590
TEST=`./image_signing/ensure_secure_kernelparams.sh ./coral-12439.0.0-recovery.bin .../cros-signing/security_test_baselines/ensure_secure_kernelparams.config` produces no errors
BRANCH=None
Change-Id: I1de3ada7e44c49f97ecc40824d98cca9291ab7e6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762459
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/ensure_secure_kernelparams.sh | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh index daebe451..12bfbe5d 100755 --- a/scripts/image_signing/ensure_secure_kernelparams.sh +++ b/scripts/image_signing/ensure_secure_kernelparams.sh @@ -146,19 +146,30 @@ main() { fi done + local sedout for expected_dmparams in "${required_dmparams_regex[@]}"; do - if [[ -z $(echo "${mangled_dmparams}" | \ - sed "s${M}^${expected_dmparams}\$${M}${M}") ]]; then + if ! sedout=$(echo "${mangled_dmparams}" | \ + sed "s${M}^${expected_dmparams}\$${M}${M}"); then + echo "INTERNAL ERROR from sed script: ${expected_dmparams}" + break + elif [[ -z "${sedout}" ]]; then testfail=0 break fi done if [ $testfail -eq 1 ]; then - echo "Kernel dm= parameter does not match any expected values!" - echo "Actual: $dmparams" - echo "Expected: ${required_dmparams[*]}" - echo "Expected (regex): ${required_dmparams_regex[*]}" + echo "Kernel dm= parameter does not match any expected values!" + echo "Actual value: ${dmparams}" + echo "Mangled testing value: ${mangled_dmparams}" + if [[ ${#required_dmparams[@]} -gt 0 ]]; then + echo "Expected -- only one need match:" + printf " >>> %s\n" "${required_dmparams[@]}" + fi + if [[ ${#required_dmparams_regex[@]} -gt 0 ]]; then + echo "Expected (regex) -- only one need match:" + printf " >>> %s\n" "${required_dmparams_regex[@]}" + fi fi # Ensure all other required params are present. |
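Review bot: on the new sed-failure branch (`echo "INTERNAL ERROR from sed script: ${expected_dmparams}"` followed by `break`), testfail is not cleared, so the unchanged `if [ $testfail -eq 1 ]` block below still prints "Kernel dm= parameter does not match any expected values!" and the run ends looking like an image mismatch stacked on top of a broken baseline entry. Consider setting a distinct flag there (or returning non-zero right away) so the report points at the baseline config line that needs fixing rather than at the image. The exit-status check itself is the right fix for the bug described in the message: the status of `$(echo ... | sed ...)` is that of the last pipeline stage, sed, which is exactly the failure that previously produced empty output and counted as a pass. One small consistency point in the report block: `Actual value:` and `Mangled testing value:` are printed unconditionally, while the two "Expected" lists are guarded by `${#...[@]} -gt 0`; if both arrays can be empty at the same time, the message would tell the operator nothing about what was expected, so it may be worth a fallback line for that case.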