From 506d9df62d10ad0fde2d8d96b25b194d749262ff Mon Sep 17 00:00:00 2001
From: Sergey Frolov
Date: Tue, 29 Dec 2020 17:42:30 -0700
Subject: Add ensure_not_tainted_license.sh

This is a part of the work to ensure that tainted images are never signed with MP keys. A special tainted tag was added to the license file by https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225 and in ensure_not_tainted.sh we detect the presence of this tag. This script has been manually tested on tainted and non-tainted images.
BUG=chromium:1059363
TEST=manual
BRANCH=none
Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7
Signed-off-by: Sergey Frolov
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414
Commit-Queue: Mike Frysinger
Reviewed-by: Allen Webb
---
 .../image_signing/ensure_not_tainted_license.sh | 66 ++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100755 scripts/image_signing/ensure_not_tainted_license.sh

diff --git a/scripts/image_signing/ensure_not_tainted_license.sh b/scripts/image_signing/ensure_not_tainted_license.sh
new file mode 100755
index 00000000..cd640493
--- /dev/null
+++ b/scripts/image_signing/ensure_not_tainted_license.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# This script ensures absence of a tag in image's license.
+
+# Abort on error.
+set -e
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+usage() {
+ echo "Usage ${PROG} image"
+}
+
+main() {
+ if [[ $# -ne 1 ]]; then
+ usage
+ exit 1
+ fi
+
+ local image="$1"
+
+ local loopdev rootfs
+ if [[ -d "${image}" ]]; then
+ rootfs="${image}"
+ else
+ rootfs=$(make_temp_dir)
+ loopdev=$(loopback_partscan "${image}")
+ mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs}"
+ fi
+
+ local license_dir license tainted_tag tainted_status
+ license_dir="${rootfs}/opt/google/chrome/"
+ if [[ ! -d "${license_dir}" ]]; then
+ echo "Directory ${license_dir} does not exist. Skipping the tainted check."
+ exit 0
+ fi
+
+ license=$(find "${license_dir}" -name about_os_credits.html 2>/dev/null)
+ if [[ -z "${license}" ]]; then
+ echo "License file about_os_credits.html not found in ${license_dir}"
+ exit 1
+ fi
+
+ tainted_tag=""
+ tainted_status=$(grep "${tainted_tag}" "${license}")
+ if [[ -n "${tainted_status}" ]]; then
+ echo "${license}:"
+ echo "License file contains packages with LICENSE=TAINTED."
+ echo "Remove those packages or modify their license to allow signing."
+ # Print the list of tainted packages.
+ sed -n '/Image is TAINTED/,/<\/ul>/{
+ # Strip out HTML tags.
+ s/<[^>]*>//g
+ # Delete any empty lines.
+ /^[[:space:]]*$/d
+ p
+ }' "${license}"
+ fi
+ exit 0
+}
+main "$@"
-- 
cgit v1.2.1
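Review bot: On a license that is not tainted the script exits 1 rather than 0: with `set -e` at the top of the file, the assignment `tainted_status=$(grep "${tainted_tag}" "${license}")` takes grep's exit status, and grep returns 1 when the tag is absent, so the happy path aborts before it reaches the final `exit 0` — unless common.sh relaxes errexit, which is not visible in this hunk. Replacing the assignment and the following test with `if grep -q -F -- "${tainted_tag}" "${license}"; then` (dropping `tainted_status`) fixes the status and also matches the tag as a literal string instead of a regex. Separately, `tainted_tag=""` as rendered here would match every line; the marker was presumably an HTML comment that the page rendering stripped (the sed range later looks for `Image is TAINTED`), so confirm the checked-in value is non-empty and consider guarding the check with `[[ -n "${tainted_tag}" ]]` so an empty tag can never yield a false "tainted" verdict. `find` may also return more than one path, which would hand grep a single newline-joined filename; `-print -quit` or an explicit path would make that deterministic.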