From fdb750c74ff1ff9a145f4deb5cd6caa32ab8b72a Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Wed, 21 Aug 2019 14:58:26 -0400
Subject: ensure_secure_kernelparams: add sanity checks on baseline sed scripts

The way the sed logic was written we allowed invalid sed expressions to count as "pass". This is because we use "no output" as the signal that the command line option is OK (since the sed script deleted it), but it meant that invalid sed scripts produced no output too. Add an explicit exit status check to make sure invalid scripts fail.

BUG=chromium:991590
TEST=`./image_signing/ensure_secure_kernelparams.sh ./coral-12439.0.0-recovery.bin .../cros-signing/security_test_baselines/ensure_secure_kernelparams.config` produces no errors
BRANCH=None

Change-Id: I1de3ada7e44c49f97ecc40824d98cca9291ab7e6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762459
Reviewed-by: LaMont Jones
Commit-Queue: Mike Frysinger
Tested-by: Mike Frysinger
---
 .../image_signing/ensure_secure_kernelparams.sh | 23 ++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index daebe451..12bfbe5d 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -146,19 +146,30 @@ main() {
 fi
 done
+ local sedout
 for expected_dmparams in "${required_dmparams_regex[@]}"; do
- if [[ -z $(echo "${mangled_dmparams}" | \
- sed "s${M}^${expected_dmparams}\$${M}${M}") ]]; then
+ if ! sedout=$(echo "${mangled_dmparams}" | \
+ sed "s${M}^${expected_dmparams}\$${M}${M}"); then
+ echo "INTERNAL ERROR from sed script: ${expected_dmparams}"
+ break
+ elif [[ -z "${sedout}" ]]; then
 testfail=0
 break
 fi
 done
 if [ $testfail -eq 1 ]; then
- echo "Kernel dm= parameter does not match any expected values!"
- echo "Actual: $dmparams"
- echo "Expected: ${required_dmparams[*]}"
- echo "Expected (regex): ${required_dmparams_regex[*]}"
+ echo "Kernel dm= parameter does not match any expected values!"
+ echo "Actual value: ${dmparams}"
+ echo "Mangled testing value: ${mangled_dmparams}"
+ if [[ ${#required_dmparams[@]} -gt 0 ]]; then
+ echo "Expected -- only one need match:"
+ printf " >>> %s\n" "${required_dmparams[@]}"
+ fi
+ if [[ ${#required_dmparams_regex[@]} -gt 0 ]]; then
+ echo "Expected (regex) -- only one need match:"
+ printf " >>> %s\n" "${required_dmparams_regex[@]}"
+ fi
 fi
 # Ensure all other required params are present.
--
cgit v1.2.1
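Review bot: The new INTERNAL ERROR branch leaves `testfail` at 1 and `break`s out of the loop, so a baseline regex that sed rejects is then reported by the summary block as "Kernel dm= parameter does not match any expected values!", which points the operator at the image instead of at the broken baseline entry. Failing closed is the right outcome here, but the summary should distinguish the two cases: record the condition with `sederr=1` next to that `break` (declared as `local sederr=0` beside `local sedout`) and gate the summary with `if [[ ${sederr} -eq 1 ]]; then echo "Baseline sed script is invalid; see INTERNAL ERROR above"; elif [ $testfail -eq 1 ]; then`. Separately, `echo "${mangled_dmparams}" | sed ...` would be more robust as `printf '%s\n' "${mangled_dmparams}" | sed ...`, since bash's echo treats a value that happens to begin with `-n`, `-e` or `-E` as an option rather than data. The enclosing `main()` starts and ends outside this hunk.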