From c050cbd0f13f34915854137dced4003b8836f451 Mon Sep 17 00:00:00 2001 From: Robert Zieba Date: Mon, 8 Aug 2022 17:00:27 -0600 Subject: scripts/image_signing: Add general security test script This commit adds a general security test script. This allows some logic to be moved out of the signer as well as providing a single entry point for the security tests run by the signer. BRANCH=none BUG=b:202397678 TEST=Verified that correct security tests ran with/without `--keyset-is-mp` Change-Id: Ib4c779a90d2fe9160c278f20d7ec61242f1d68cc Signed-off-by: Robert Zieba Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820999 Reviewed-by: Mike Frysinger Commit-Queue: Mike Frysinger --- scripts/image_signing/security_test_artifact.py | 99 +++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100755 scripts/image_signing/security_test_artifact.py diff --git a/scripts/image_signing/security_test_artifact.py b/scripts/image_signing/security_test_artifact.py new file mode 100755 index 00000000..78ffd09d --- /dev/null +++ b/scripts/image_signing/security_test_artifact.py @@ -0,0 +1,99 @@ +#!/usr/bin/env python3 +# Copyright 2022 The ChromiumOS Authors. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +"""Run security tests on an artifact""" + +import argparse +import os +from pathlib import Path +import subprocess +import sys + +DIR = Path(__file__).resolve().parent + + +def exec_test(name, input, args): + """Runs a given script + + Args: + name: the name of the script to execute + input: the input artifact + args: list of additional arguments for the script + """ + # Ensure this script can execute from any directory + cmd_path = DIR / f"{name}.sh" + + cmd = [cmd_path, input] + args + ret = subprocess.run(cmd, check=False) + if ret.returncode: + sys.exit(ret.returncode) + + +def get_parser(): + """Creates an argument parser""" + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument( + "--config", + "-c", + help="Security test baseline config directory", + required=True, + type=Path, + ) + + parser.add_argument( + "--input", + "-i", + help="Artfact to test", + required=True, + type=Path, + ) + + parser.add_argument( + "--keyset-is-mp", + action="store_true", + help="Target artifact is signed with a mass production keyset", + default=False, + ) + + return parser + + +def main(argv): + """Main function, parses arguments and invokes the relevant scripts""" + parser = get_parser() + opts = parser.parse_args(argv) + + # Run generic baseline tests. + baseline_tests = [ + "ensure_sane_lsb-release", + ] + + if opts.keyset_is_mp: + baseline_tests += [ + "ensure_no_nonrelease_files", + "ensure_secure_kernelparams", + ] + + for test in baseline_tests: + exec_test( + test, opts.input, [os.path.join(opts.config, f"{test}.config")] + ) + + # Run generic non-baseline tests. + tests = [] + + if opts.keyset_is_mp: + tests += [ + "ensure_not_ASAN", + "ensure_not_tainted_license", + "ensure_update_verification", + ] + + for test in tests: + exec_test(test, opts.input, []) + + +if __name__ == "__main__": + sys.exit(main(sys.argv[1:])) -- cgit v1.2.1