image security test: Allow alternatives for verity parameters

This is again working around the fact that the signer isn't branch conscious. Depending on which branch you look at, there are 3 possible verity parameter styles in use. This CL allows the kernel parameter test to allow multiple alternatives for verity dm= parameters. BUG=chromium-os:20640 TEST=manually tried with a R16, R15 and R14 image Change-Id: I07554594d6adbdfd1988395d3e91edfd603d8cd4 Reviewed-on: http://gerrit.chromium.org/gerrit/8067 Reviewed-by: Jim Hebert <jimhebert@chromium.org> Commit-Ready: Gaurav Shah <gauravsh@chromium.org> Tested-by: Gaurav Shah <gauravsh@chromium.org>
2026-01-09 00:51:29 +00:00 · 2011-09-21 11:36:16 -07:00
parent 06edfc60f3
commit e622f11595
2 changed files with 36 additions and 15 deletions
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -24,12 +24,22 @@ kparams_remove_dm() {
    echo "$1" | sed 's/dm="[^"]*"//'
 }

-# Given a dm param string which includes a long and unpredictable
-# sha1 hash, return the same string with the sha1 hash replaced
-# with a magic placeholder. This same magic placeholder is used
-# in the config file, for comparison purposes.
-dmparams_mangle_sha1() {
-    echo "$1" | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/'
+# Given a dm param string which includes dynamic values, return the
+# same string with these values replaced by a magic string placeholder.
+# This same magic placeholder is used in the config file, for comparison
+# purposes.
+dmparams_mangle() {
+  local dmparams=$1
+  # First handle new key-value style verity parameters.
+  dmparams=$(echo "$dmparams" |
+    sed -e 's/root_hexdigest=[0-9a-fA-F]*/root_hexdigest=MAGIC_HASH/' |
+    sed -e 's/salt=[0-9a-fA-F]*/salt=MAGIC_SALT'/)
+  # If we didn't substitute the MAGIC_HASH yet, these are the old
+  # verity parameter format.
+  if [[ $dmparams != *MAGIC_HASH* ]]; then
+    dmparams=$(echo $dmparams | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/')
+  fi
+  echo $dmparams
 }

 # This escapes any non-alphanum character, since many such characters
@@ -77,19 +87,28 @@ main() {
    eval "required_kparams=(\${required_kparams_$board[@]})"
    eval "optional_kparams=(\${optional_kparams_$board[@]})"
    eval "optional_kparams_regex=(\${optional_kparams_regex_$board[@]})"
-    eval "required_dmparams=\"\$required_dmparams_$board\""
+    eval "required_dmparams=(\"\${required_dmparams_$board[@]}\")"

    # Divide the dm params from the rest and process seperately.
    local kparams=$(dump_kernel_config "$kernelblob")
-    local dmparams=$(dmparams_mangle_sha1 "$(get_dmparams "$kparams")")
+    local dmparams=$(get_dmparams "$kparams")
    local kparams_nodm=$(kparams_remove_dm "$kparams")

+    mangled_dmparams=$(dmparams_mangle "${dmparams}")
    # Special-case handling of the dm= param:
-    if [[ "$dmparams" != "$required_dmparams" ]]; then
-        echo "Kernel dm= parameter does not match expected value!"
-        echo "Expected: $required_dmparams"
+    for expected_dmparams in "${required_dmparams[@]}"; do
+      # Filter out all dynamic parameters.
+      testfail=1
+      if [ "$mangled_dmparams" = "$expected_dmparams" ]; then
+        testfail=0
+        break
+      fi
+    done
+
+    if [ $testfail -eq 1 ]; then
+        echo "Kernel dm= parameter does not match any expected values!"
        echo "Actual:   $dmparams"
-        testfail=1
+        echo "Expected: ${required_dmparams[@]}"
    fi

    # Ensure all other required params are present.
--- a/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config
+++ b/scripts/image_signing/sample-test-configs/ensure_secure_kernelparams.config
@@ -22,9 +22,11 @@ optional_kparams_regex_common=( )
 # taken from observation of current builds. In particular we may see
 # the size of the filesystem creep over time. That size is denoted by
 # the large number that appears a couple times in this string.
-required_dmparams_common="vroot none ro,0 1740800 verity /dev/sd%D%P \
-/dev/sd%D%P 1740800 1 sha1 MAGIC_HASH"
+dmparams_common_list=('vroot none ro,0 1740800 verity %U+1 %U+1 1740800 0 sha1 MAGIC_HASH' 
+'vroot none ro,0 1740800 verity payload=%U+1 hashtree=%U+1 hashstart=1740800 alg=sha1 root_hexdigest=MAGIC_HASH' 

+'vroot none ro,0 1740800 verity payload=%U+1 hashtree=%U+1 hashstart=1740800 alg=sha1 root_hexdigest=MAGIC_HASH salt=MAGIC_SALT' 
+)

 #
 # x86-mario
@@ -32,7 +34,7 @@ required_dmparams_common="vroot none ro,0 1740800 verity /dev/sd%D%P \
 required_kparams_x86_mario=( ${required_kparams_common[@]} )
 optional_kparams_x86_mario=( ${optional_kparams_common[@]} )
 optional_kparams_regex_x86_mario=( ${optional_kparams_regex_common[@]} )
-required_dmparams_x86_mario="$required_dmparams_common"
+required_dmparams_x86_mario=("${required_dmparams_common[@]}")

 # Set up additional boards here. The "common" variables are
 # not directly consulted by the test script, they're only