Added handling of regex for dm params

To handle a more diverse set of configurations, added processing of regular expressions for the dm params. BUG=chromium-os:36441 TEST=rand security_test_image for various configurations BRANCH=none Change-Id: I4d9e610586cc9f63d55397e60462600ed9b9651f Reviewed-on: https://gerrit.chromium.org/gerrit/38202 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Ready: Paul Taysom <taysom@chromium.org> Tested-by: Paul Taysom <taysom@chromium.org>
2026-01-09 17:11:42 +00:00 · 2012-11-16 09:06:06 -08:00
parent 7682e5e87a
commit 0bbc17c69a
1 changed files with 16 additions and 5 deletions
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -73,6 +73,10 @@ main() {

    local image="$1"

+    # A byte that should not appear in the command line to use as a sed
+    # marker when doing regular expression replacements.
+    local M=$'\001'
+
    # Default config location: same name/directory as this script,
    # with a .config file extension, ie ensure_secure_kernelparams.config.
    local configfile="$(dirname "$0")/${0/%.sh/.config}"
@@ -101,6 +105,7 @@ main() {
    eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"
    eval "optional_kparams_regex=(\"\${optional_kparams_regex_$board[@]}\")"
    eval "required_dmparams=(\"\${required_dmparams_$board[@]}\")"
+    eval "required_dmparams_regex=(\"\${required_dmparams_regex_$board[@]}\")"
    output+="required_kparams=(\n"
    output+="$(printf "\t'%s'\n" "${required_kparams[@]}")\n)\n"
    output+="required_kparams_regex=(\n"
@@ -111,6 +116,8 @@ main() {
    output+="$(printf "\t'%s'\n" "${optional_kparams_regex[@]}")\n)\n"
    output+="required_dmparams=(\n"
    output+="$(printf "\t'%s'\n" "${required_dmparams[@]}")\n)\n"
+    output+="required_dmparams_regex=(\n"
+    output+="$(printf "\t'%s'\n" "${required_dmparams_regex[@]}")\n)\n"

    # Divide the dm params from the rest and process seperately.
    local kparams=$(dump_kernel_config "$kernelblob")
@@ -124,25 +131,29 @@ main() {
    mangled_dmparams=$(dmparams_mangle "${dmparams}")
    output+="\nmangled_dmparams='${mangled_dmparams}'\n"
    # Special-case handling of the dm= param:
+    testfail=1
    for expected_dmparams in "${required_dmparams[@]}"; do
      # Filter out all dynamic parameters.
-      testfail=1
      if [ "$mangled_dmparams" = "$expected_dmparams" ]; then
        testfail=0
        break
      fi
    done

+    for expected_dmparams in "${required_dmparams_regex[@]}"; do
+      if [[ -z $(echo "${mangled_dmparams}" | \
+           sed "s${M}^${expected_dmparams}\$${M}${M}") ]]; then
+        testfail=0
+        break
+      fi
+    done
+
    if [ $testfail -eq 1 ]; then
        echo "Kernel dm= parameter does not match any expected values!"
        echo "Actual:   $dmparams"
        echo "Expected: ${required_dmparams[@]}"
    fi

-    # A byte that should not appear in the command line to use as a sed
-    # marker when doing regular expression replacements.
-    M=$'\001'
-
    # Ensure all other required params are present.
    for param in "${required_kparams[@]}"; do
        if [[ "$kparams_nodm" != *$param* ]]; then