From 7dd3bd0fcf565901aacc512cd29cefe19291c2e7 Mon Sep 17 00:00:00 2001
From: Amey Deshpande
Date: Fri, 24 Apr 2015 13:56:17 -0700
Subject: image_signing: use per-board release file blacklist
This patch changes ensure_no_nonrelease_files.sh to use per-board release file blacklist instead of the default one. It also uses this opportunity to make ensure_no_nonrelease_files.sh consistently formatted.
BRANCH=none
TEST=Ran ./security_test_image on a lakitu image and --vboot_hash pointing to this commit, and verified ensure_no_nonrelease_files.sh passes.
BUG=brillo:823
Change-Id: I2cff56192a5ff0b917faba7549e7adafb4757a47
Reviewed-on: https://chromium-review.googlesource.com/267335
Reviewed-by: Mike Frysinger
Commit-Queue: Amey Deshpande
Tested-by: Amey Deshpande
---
 scripts/image_signing/common.sh | 10 ++++++++
 .../image_signing/ensure_no_nonrelease_files.sh | 29 ++++++++++++----------
 .../image_signing/ensure_secure_kernelparams.sh | 6 ++---
 3 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/scripts/image_signing/common.sh b/scripts/image_signing/common.sh
index 599c9e1e..62dc362a 100644
--- a/scripts/image_signing/common.sh
+++ b/scripts/image_signing/common.sh
@@ -75,6 +75,16 @@ die() {
 exit 1
 }
+# Extract and return board name from /etc/lsb-release.
+# Args: rootfs
+get_board_from_lsb_release() {
+ local rootfs=$1
+ # The cuts turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
+ local board=$(grep CHROMEOS_RELEASE_BOARD= "${rootfs}/etc/lsb-release" | \
+ cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+ echo "${board}"
+}
+
 # This will override the trap set in common_minmal.sh
 trap "cleanup" INT TERM EXIT
diff --git a/scripts/image_signing/ensure_no_nonrelease_files.sh b/scripts/image_signing/ensure_no_nonrelease_files.sh
index 339e5fe9..a912c449 100755
--- a/scripts/image_signing/ensure_no_nonrelease_files.sh
+++ b/scripts/image_signing/ensure_no_nonrelease_files.sh
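Review bot: `get_board_from_lsb_release` fails open: when `${rootfs}/etc/lsb-release` is absent or has no `CHROMEOS_RELEASE_BOARD=` line, `local board=$(...)` hides the grep failure and the function echoes an empty string, and both callers this commit wires up (the `RELEASE_FILE_BLACKLIST_${board}` eval in ensure_no_nonrelease_files.sh and the `required_kparams_$board` evals in ensure_secure_kernelparams.sh) then expand a suffix-less variable, so the check runs against an empty list and the image passes. The value also goes straight into those `eval` strings and the two `cut`s only trim `-`-separated fields, so the helper should constrain what it returns, e.g. `[[ "${board}" =~ ^[A-Za-z0-9_]+$ ]] || die "Cannot determine board from ${rootfs}/etc/lsb-release"` after the assignment, using the `die` defined just above in this file. The added comment also has a typo: `as a well as` should read `as well as`.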
@@ -20,7 +20,7 @@ main() {
 # When finished we will use testfail to determine our exit value.
 local testfail=0
- if [ $# -ne 1 ] && [ $# -ne 2 ]; then
+ if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then
 usage
 exit 1
 fi
@@ -31,33 +31,36 @@ main() {
 # with a .config file extension, ie ensure_no_nonrelease_files.config.
 local configfile="$(dirname "$0")/${0/%.sh/.config}"
 # Or, maybe a config was provided on the command line.
- if [ $# -eq 2 ]; then
+ if [[ $# -eq 2 ]]; then
 configfile="$2"
 fi
 # Either way, load test-expectations data from config.
- . "$configfile" || return 1
+ . "${configfile}" || return 1
 local rootfs=$(make_temp_dir)
- mount_image_partition_ro "$image" 3 "$rootfs"
+ mount_image_partition_ro "${image}" 3 "${rootfs}"
+ # Pick the right set of test-expectation data to use.
+ local board=$(get_board_from_lsb_release "${rootfs}")
+ eval "release_file_blacklist=(\"\${RELEASE_FILE_BLACKLIST_${board}[@]}\")"
- for file in ${RELEASE_FILE_BLACKLIST[@]}; do
- if [ -e "$rootfs/$file" ]; then
- echo "FAIL: $file exists in this image!"
- ls -al "$rootfs/$file"
+ for file in ${release_file_blacklist}; do
+ if [ -e "${rootfs}/${file}" ]; then
+ echo "FAIL: ${file} exists in this image!"
+ ls -al "${rootfs}/${file}"
 testfail=1
 fi
 done
 # Verify that session_manager isn't configured to pass additional
 # environment variables or command-line arguments to Chrome.
- local config_path="$rootfs/etc/chrome_dev.conf"
+ local config_path="${rootfs}/etc/chrome_dev.conf"
 local matches=$(grep -s "^[^#]" "${config_path}")
- if [ -n "$matches" ]; then
- echo "FAIL: Found commands in $config_path:"
- echo "$matches"
+ if [ -n "${matches}" ]; then
+ echo "FAIL: Found commands in ${config_path}:"
+ echo "${matches}"
 testfail=1
 fi
- exit $testfail
+ exit ${testfail}
 }
 main "$@"
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index a471a6fc..044b441e 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
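Review bot: `for file in ${release_file_blacklist}; do` in the second hunk iterates over a single element: without `[@]` bash expands an array to its first entry, whereas the removed line used `${RELEASE_FILE_BLACKLIST[@]}`, so every blacklist path after the first is no longer checked and the script still exits 0. Change it to `for file in "${release_file_blacklist[@]}"; do`, which also keeps each entry as one word. The `if [ -e ... ]` and `if [ -n ... ]` lines are left as single-bracket tests while the same commit converts the argument-count tests to `[[ ]]`, which undercuts the stated goal of consistent formatting. `main()` opens before the first hunk.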
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -98,10 +98,8 @@ main() {
 local rootfs=$(make_temp_dir)
 mount_image_partition_ro "$image" 3 "$rootfs"
- # Pick the right set of test-expectation data to use. The cuts
- # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
- local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
- cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+ # Pick the right set of test-expectation data to use.
+ local board=$(get_board_from_lsb_release "${rootfs}")
 eval "required_kparams=(\"\${required_kparams_$board[@]}\")"
 eval "required_kparams_regex=(\"\${required_kparams_regex_$board[@]}\")"
 eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"
-- 
cgit v1.2.1