signer scripts: break kernel parameters on spaces rather than word boundaries

The current kernel parameter parsing logic uses word boundaries (\b) to keep from replacing parameters inside of other parameters (like "level=1" mangling "loglevel=1" into "log"), but this fails when the last character isn't a "word" character. e.g. "\bconsole=\b" doesn't match "console=". Change the \b to a space. Since we're already using spaces as our split marker, this shouldn't be a problem. BRANCH=None BUG=chrome-os-partner:12780 BUG=chromium-os:33868 TEST=ran `ensure_secure_kernelparams.sh` on an image with 'console=' and saw it work Change-Id: Id69250179ea76aabfed9cd21c1c59483d78a215d Reviewed-on: https://gerrit.chromium.org/gerrit/31356 Reviewed-by: David McMahon <djmm@chromium.org> Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
2025-11-25 10:45:02 +00:00 · 2012-08-24 14:28:50 -04:00
parent 513be212d9
commit 16de2c7bae
1 changed files with 15 additions and 7 deletions
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -130,8 +130,12 @@ main() {
        echo "Expected: ${required_dmparams[@]}"
    fi

+    # A byte that should not appear in the command line to use as a sed
+    # marker when doing regular expression replacements.
+    M=$'\001'
+
    # Ensure all other required params are present.
-    for param in ${required_kparams[@]}; do
+    for param in "${required_kparams[@]}"; do
        if [[ "$kparams_nodm" != *$param* ]]; then
            echo "Kernel parameters missing required value: $param"
            testfail=1
@@ -139,25 +143,29 @@ main() {
            # Remove matched params as we go. If all goes well, kparams_nodm
            # will be nothing left but whitespace by the end.
            param=$(escape_regexmetas "$param")
-            kparams_nodm=$(echo "$kparams_nodm" | sed "s/\b$param\b//")
+            kparams_nodm=$(echo " ${kparams_nodm} " |
+                           sed "s${M} ${param} ${M} ${M}")
        fi
    done

    # Check-off each of the allowed-but-optional params that were present.
-    for param in ${optional_kparams[@]}; do
+    for param in "${optional_kparams[@]}"; do
        param=$(escape_regexmetas "$param")
-        kparams_nodm=$(echo "$kparams_nodm" | sed "s/\b$param\b//")
+        kparams_nodm=$(echo " ${kparams_nodm} " |
+                       sed "s${M} ${param} ${M} ${M}")
    done

    # Check-off each of the allowed-but-optional params that were present.
-    for param in ${optional_kparams_regex[@]}; do
-        kparams_nodm=$(echo "$kparams_nodm" | sed "s/\b$param\b//")
+    for param in "${optional_kparams_regex[@]}"; do
+        kparams_nodm=$(echo " ${kparams_nodm} " |
+                       sed "s${M} ${param} ${M} ${M}")
    done

    # This section enforces the default-deny for any unexpected params
    # not already processed by one of the above loops.
    if [[ ! -z ${kparams_nodm// /} ]]; then
-        echo "Unexpected kernel parameters found: $kparams_nodm"
+        echo "Unexpected kernel parameters found:"
+        echo " $(echo "${kparams_nodm}" | sed -r 's:  +: :g')"
        testfail=1
    fi