image_signing: use per-board release file blacklist

This patch changes ensure_no_nonrelease_files.sh to use per-board release file blacklist instead of the default one. It also uses this opportunity to make ensure_no_nonrelease_files.sh consistently formatted. BRANCH=none TEST=Ran ./security_test_image on a lakitu image and --vboot_hash pointing to this commit, and verified ensure_no_nonrelease_files.sh passes. BUG=brillo:823 Change-Id: I2cff56192a5ff0b917faba7549e7adafb4757a47 Reviewed-on: https://chromium-review.googlesource.com/267335 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Amey Deshpande <ameyd@google.com> Tested-by: Amey Deshpande <ameyd@google.com>
2026-01-11 18:35:28 +00:00 · 2015-04-24 13:56:17 -07:00
parent 4ce1cc01c0
commit 7dd3bd0fcf
3 changed files with 28 additions and 17 deletions
--- a/scripts/image_signing/common.sh
+++ b/scripts/image_signing/common.sh
@@ -75,6 +75,16 @@ die() {
  exit 1
 }

+# Extract and return board name from /etc/lsb-release.
+# Args: rootfs
+get_board_from_lsb_release() {
+  local rootfs=$1
+  # The cuts turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
+  local board=$(grep CHROMEOS_RELEASE_BOARD= "${rootfs}/etc/lsb-release" | \
+                cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+  echo "${board}"
+}
+
 # This will override the trap set in common_minmal.sh
 trap "cleanup" INT TERM EXIT

--- a/scripts/image_signing/ensure_no_nonrelease_files.sh
+++ b/scripts/image_signing/ensure_no_nonrelease_files.sh
@@ -20,7 +20,7 @@ main() {
    # When finished we will use testfail to determine our exit value.
    local testfail=0

-    if [ $# -ne 1 ] && [ $# -ne 2 ]; then
+    if [[ $# -ne 1 ]] && [[ $# -ne 2 ]]; then
        usage
        exit 1
    fi
@@ -31,33 +31,36 @@ main() {
    # with a .config file extension, ie ensure_no_nonrelease_files.config.
    local configfile="$(dirname "$0")/${0/%.sh/.config}"
    # Or, maybe a config was provided on the command line.
-    if [ $# -eq 2 ]; then
+    if [[ $# -eq 2 ]]; then
        configfile="$2"
    fi
    # Either way, load test-expectations data from config.
-    . "$configfile" || return 1
+    . "${configfile}" || return 1

    local rootfs=$(make_temp_dir)
-    mount_image_partition_ro "$image" 3 "$rootfs"
+    mount_image_partition_ro "${image}" 3 "${rootfs}"
+    # Pick the right set of test-expectation data to use.
+    local board=$(get_board_from_lsb_release "${rootfs}")
+    eval "release_file_blacklist=(\"\${RELEASE_FILE_BLACKLIST_${board}[@]}\")"

-    for file in ${RELEASE_FILE_BLACKLIST[@]}; do
-        if [ -e "$rootfs/$file" ]; then
-            echo "FAIL: $file exists in this image!"
-            ls -al "$rootfs/$file"
+    for file in ${release_file_blacklist}; do
+        if [ -e "${rootfs}/${file}" ]; then
+            echo "FAIL: ${file} exists in this image!"
+            ls -al "${rootfs}/${file}"
            testfail=1
        fi
    done

    # Verify that session_manager isn't configured to pass additional
    # environment variables or command-line arguments to Chrome.
-    local config_path="$rootfs/etc/chrome_dev.conf"
+    local config_path="${rootfs}/etc/chrome_dev.conf"
    local matches=$(grep -s "^[^#]" "${config_path}")
-    if [ -n "$matches" ]; then
-        echo "FAIL: Found commands in $config_path:"
-        echo "$matches"
+    if [ -n "${matches}" ]; then
+        echo "FAIL: Found commands in ${config_path}:"
+        echo "${matches}"
        testfail=1
    fi

-    exit $testfail
+    exit ${testfail}
 }
 main "$@"
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -98,10 +98,8 @@ main() {
    local rootfs=$(make_temp_dir)
    mount_image_partition_ro "$image" 3 "$rootfs"

-    # Pick the right set of test-expectation data to use. The cuts
-    # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
-    local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
-                  cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
+    # Pick the right set of test-expectation data to use.
+    local board=$(get_board_from_lsb_release "${rootfs}")
    eval "required_kparams=(\"\${required_kparams_$board[@]}\")"
    eval "required_kparams_regex=(\"\${required_kparams_regex_$board[@]}\")"
    eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"