Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/security_test_artifact.py | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/scripts/image_signing/security_test_artifact.py b/scripts/image_signing/security_test_artifact.py
new file mode 100755
index 00000000..78ffd09d
--- /dev/null
+++ b/scripts/image_signing/security_test_artifact.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+# Copyright 2022 The ChromiumOS Authors.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Run security tests on an artifact"""
+
+import argparse
+import os
+from pathlib import Path
+import subprocess
+import sys
+
+DIR = Path(__file__).resolve().parent
+
+
+def exec_test(name, input, args):
+    """Runs a given script
+
+    Args:
+        name: the name of the script to execute
+        input: the input artifact
+        args: list of additional arguments for the script
+    """
+    # Ensure this script can execute from any directory
+    cmd_path = DIR / f"{name}.sh"
+
+    cmd = [cmd_path, input] + args
+    ret = subprocess.run(cmd, check=False)
+    if ret.returncode:
+        sys.exit(ret.returncode)
+
+
+def get_parser():
+    """Creates an argument parser"""
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument(
+        "--config",
+        "-c",
+        help="Security test baseline config directory",
+        required=True,
+        type=Path,
+    )
+
+    parser.add_argument(
+        "--input",
+        "-i",
+        help="Artfact to test",
+        required=True,
+        type=Path,
+    )
+
+    parser.add_argument(
+        "--keyset-is-mp",
+        action="store_true",
+        help="Target artifact is signed with a mass production keyset",
+        default=False,
+    )
+
+    return parser
+
+
+def main(argv):
+    """Main function, parses arguments and invokes the relevant scripts"""
+    parser = get_parser()
+    opts = parser.parse_args(argv)
+
+    # Run generic baseline tests.
+    baseline_tests = [
+        "ensure_sane_lsb-release",
+    ]
+
+    if opts.keyset_is_mp:
+        baseline_tests += [
+            "ensure_no_nonrelease_files",
+            "ensure_secure_kernelparams",
+        ]
+
+    for test in baseline_tests:
+        exec_test(
+            test, opts.input, [os.path.join(opts.config, f"{test}.config")]
+        )
+
+    # Run generic non-baseline tests.
+    tests = []
+
+    if opts.keyset_is_mp:
+        tests += [
+            "ensure_not_ASAN",
+            "ensure_not_tainted_license",
+            "ensure_update_verification",
+        ]
+
+    for test in tests:
+        exec_test(test, opts.input, [])
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))
|
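Review bot: `exec_test` calls `sys.exit(ret.returncode)` on the first failing script, so with `--keyset-is-mp` a failure in `ensure_sane_lsb-release` stops the run before `ensure_secure_kernelparams` or `ensure_update_verification` ever execute, and a signer sees only one of possibly several security findings. If fail-fast is not intended, have `exec_test` return the code and let `main` run every selected test and return the first non-zero code, which also makes `sys.exit(main(...))` carry a real status instead of `None`. Two smaller points in the same hunk: the parameter `input` shadows the builtin (rename to `artifact`, also in the docstring), and the help string `"Artfact to test"` is a typo for `"Artifact to test"`.
```python
def exec_test(name, artifact, args):
    # … unchanged: docstring, cmd_path …
    cmd = [cmd_path, artifact] + args
    ret = subprocess.run(cmd, check=False)
    return ret.returncode


def main(argv):
    # … unchanged: argument parsing, baseline_tests / tests selection …
    status = 0
    for test in baseline_tests:
        rc = exec_test(
            test, opts.input, [os.path.join(opts.config, f"{test}.config")]
        )
        status = status or rc
    for test in tests:
        rc = exec_test(test, opts.input, [])
        status = status or rc
    return status
```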