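#!/bin/bash

# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Checks the kernel command line stored in an image against a set of
# test expectations (required params, optional params, and the expected
# dm= value) loaded from a config file. Any kernel parameter that is not
# listed as required or optional is reported as a failure (default-deny).
#
# Usage: <this script> image [config]
# Exit status: 0 if every check passed, 1 otherwise.

# Abort on error.
set -e

# Load common constants and variables.
. "$(dirname "$0")/common.sh"

# Given a kernel boot param string which includes ...dm="dmstuff"...
# this returns the dmstuff by itself.
# If the input has no ' dm="..."' section the sed expression does not match
# and the input is printed unchanged.
get_dmparams() {
  printf '%s\n' "$1" | sed 's/^.*\ dm="\([^"]*\)".*/\1/'
}

# Given a kernel boot param string which includes ...dm="stuff"...
# this returns the param string with the dm="..." section removed.
# Useful in conjunction with get_dmparams to divide and process
# the two sections of parameters in separate passes.
kparams_remove_dm() {
  printf '%s\n' "$1" | sed 's/dm="[^"]*"//'
}

# Given a dm param string which includes a long and unpredictable
# sha1 hash, return the same string with the sha1 hash replaced
# with a magic placeholder. This same magic placeholder is used
# in the config file, for comparison purposes.
# Only the first "sha1 <hex>" occurrence is replaced (no 'g' flag).
dmparams_mangle_sha1() {
  printf '%s\n' "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/'
}

# This escapes any non-alphanum character, since many such characters
# are regex metacharacters.
# NOTE(review): in GNU sed basic regexes a backslash *adds* meaning to some
# characters (for example \+ \? \| \( \) \{ \} \< \>), so a parameter
# containing one of those would not be matched literally after escaping.
# Confirm that no expected parameter contains such characters.
escape_regexmetas() {
  printf '%s\n' "$1" | sed 's/\([^a-zA-Z0-9]\)/\\\1/g'
}

usage() {
  echo "Usage $PROG image [config]"
}

# Arguments: $1 - image to inspect
#            $2 - optional path to the test-expectations config
# Outputs:   one message per discrepancy on stdout
# Exits:     0 when all checks pass, 1 on any discrepancy or usage error
main() {
  # We want to catch all the discrepancies, not just the first one.
  # So, any time we find one, we set testfail=1 and continue.
  # When finished we will use testfail to determine our exit value.
  local testfail=0

  if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then
    usage
    exit 1
  fi

  local image="$1"

  # Default config location: same name/directory as this script,
  # with a .config file extension, ie ensure_secure_kernelparams.config.
  # Only the basename of $0 is appended to the directory; appending $0
  # itself would repeat the directory part whenever the script is invoked
  # through a path such as /abs/dir/script.sh.
  local script_dir
  script_dir=$(dirname "$0")
  local script_name="${0##*/}"
  local configfile="${script_dir}/${script_name/%.sh/.config}"
  # Or, maybe a config was provided on the command line.
  if [[ $# -eq 2 ]]; then
    configfile="$2"
  fi

  # Either way, load test-expectations data from config.
  # The config is sourced, i.e. executed as shell code with this script's
  # privileges, so it must come from a trusted location. A name without a
  # slash is looked up in PATH by bash before the current directory.
  . "$configfile"

  # Declarations are kept separate from the command substitutions so that a
  # failing helper is not masked by the exit status of 'local' under set -e.
  local kernelblob
  kernelblob=$(make_temp_file)
  extract_image_partition "$image" 2 "$kernelblob"
  local rootfs
  rootfs=$(make_temp_dir)
  mount_image_partition_ro "$image" 3 "$rootfs"

  # Pick the right set of test-expectation data to use. The cuts
  # turn e.g. x86-foo as well as x86-foo-pvtkeys into x86_foo.
  local board
  board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" |
    cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)

  # The board name is read from the image under test, so it is untrusted
  # input. Accept only characters that are valid in a variable name and
  # resolve the per-board variables by indirect expansion instead of eval,
  # so that image content is never interpreted as shell code.
  if [[ ! "$board" =~ ^[A-Za-z0-9_]+$ ]]; then
    echo "Unexpected CHROMEOS_RELEASE_BOARD value in image: $board"
    exit 1
  fi
  local required_ref="required_kparams_${board}[@]"
  local optional_ref="optional_kparams_${board}[@]"
  local dmparams_ref="required_dmparams_${board}"
  local -a required_kparams=("${!required_ref}")
  local -a optional_kparams=("${!optional_ref}")
  local required_dmparams="${!dmparams_ref}"

  # Divide the dm params from the rest and process separately.
  local kparams
  kparams=$(dump_kernel_config "$kernelblob")
  local dmparams
  dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")")
  local kparams_nodm
  kparams_nodm=$(kparams_remove_dm "$kparams")

  # Special-case handling of the dm= param:
  if [[ "$dmparams" != "$required_dmparams" ]]; then
    echo "Kernel dm= parameter does not match expected value!"
    echo "Expected: $required_dmparams"
    echo "Actual:   $dmparams"
    testfail=1
  fi

  # Ensure all other required params are present.
  local param
  local escaped
  for param in "${required_kparams[@]}"; do
    # Quoted so the expected value is compared literally, matching the
    # literal removal done with sed below.
    if [[ "$kparams_nodm" != *"$param"* ]]; then
      echo "Kernel parameters missing required value: $param"
      testfail=1
    else
      # Remove matched params as we go. If all goes well, kparams_nodm
      # will be nothing left but whitespace by the end.
      escaped=$(escape_regexmetas "$param")
      kparams_nodm=$(printf '%s\n' "$kparams_nodm" | sed "s/\b$escaped\b//")
    fi
  done

  # Check-off each of the allowed-but-optional params that were present.
  for param in "${optional_kparams[@]}"; do
    escaped=$(escape_regexmetas "$param")
    kparams_nodm=$(printf '%s\n' "$kparams_nodm" | sed "s/\b$escaped\b//")
  done

  # This section enforces the default-deny for any unexpected params
  # not already processed by one of the above loops.
  if [[ -n "${kparams_nodm// /}" ]]; then
    echo "Unexpected kernel parameters found: $kparams_nodm"
    testfail=1
  fi

  exit "$testfail"
}

# Quoted so that image or config paths containing whitespace stay intact.
main "$@"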