#!/usr/bin/env python3
# Copyright 2022 The ChromiumOS Authors.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Run security tests on an artifact"""

import argparse
import os
from pathlib import Path
import subprocess
import sys

# Directory holding this harness.  Test scripts are resolved relative to it
# (see exec_test), so the harness can be invoked from any working directory.
DIR = Path(__file__).resolve().parent


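def exec_test(name: str, input: Path, args: list[str]) -> None:
    """Run one security test script and abort the whole run if it fails.

    The script is resolved as ``<name>.sh`` next to this file, so the harness
    works from any working directory.  A non-zero exit status from the test
    is a hard failure: the process exits immediately with that status (fail
    closed), so later tests do not run and a partial run can never be
    mistaken for a pass.  A script that cannot be started at all (missing,
    not executable) is reported and treated the same way.

    Args:
        name: basename of the test script, without the ``.sh`` suffix
        input: the artifact under test, passed as the script's first argument
        args: additional arguments appended after the artifact path
    """
    # Ensure this script can execute from any directory
    cmd_path = DIR / f"{name}.sh"

    cmd = [cmd_path, input] + args
    try:
        ret = subprocess.run(cmd, check=False)
    except OSError as e:
        # Previously this surfaced as a traceback; report it plainly instead.
        # A test that could not run must not look like a test that passed.
        print(f"security test '{name}' could not be run: {e}", file=sys.stderr)
        sys.exit(1)
    if ret.returncode:
        # Name the failing test so the exit status is attributable in CI logs.
        print(
            f"security test '{name}' failed with exit status {ret.returncode}",
            file=sys.stderr,
        )
        sys.exit(ret.returncode)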


def get_parser():
    """Creates an argument parser"""
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--config",
        "-c",
        help="Security test baseline config directory",
        required=True,
        type=Path,
    )

    parser.add_argument(
        "--input",
        "-i",
        help="Artfact to test",
        required=True,
        type=Path,
    )

    parser.add_argument(
        "--keyset-is-mp",
        action="store_true",
        help="Target artifact is signed with a mass production keyset",
        default=False,
    )

    return parser


def main(argv):
    """Main function, parses arguments and invokes the relevant scripts"""
    parser = get_parser()
    opts = parser.parse_args(argv)

    # Run generic baseline tests.
    baseline_tests = [
        "ensure_sane_lsb-release",
    ]

    if opts.keyset_is_mp:
        baseline_tests += [
            "ensure_no_nonrelease_files",
            "ensure_secure_kernelparams",
        ]

    for test in baseline_tests:
        exec_test(
            test, opts.input, [os.path.join(opts.config, f"{test}.config")]
        )

    # Run generic non-baseline tests.
    tests = []

    if opts.keyset_is_mp:
        tests += [
            "ensure_not_ASAN",
            "ensure_not_tainted_license",
            "ensure_update_verification",
        ]

    for test in tests:
        exec_test(test, opts.input, [])


if __name__ == "__main__":
    # main() returns None, so this exits with status 0 only when every test
    # ran and passed; a failing test has already exited from exec_test().
    sys.exit(main(sys.argv[1:]))