security_test_image: new signer test script

Add a script so devs can run signer security tests themselves to
make sure they don't break them.

BUG=chromium-os:19543
TEST=`cbuildbot lumpy-release` passed and ran signer tests

Change-Id: I68cc3ec19616be3c91a1a14550cb38c2e6f2503d
Reviewed-on: https://gerrit.chromium.org/gerrit/34326
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>

security_test_image

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+CROS_LOG_PREFIX=${0##*/}
+
+SCRIPT_ROOT=$(dirname "$(readlink -f "$0")")
+. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1
+
+# Developer-visible flags.
+DEFINE_string board "${DEFAULT_BOARD}" \
+  "The board to build an image for."
+DEFINE_string image "" \
+  "Source release image to use (${CHROMEOS_RECOVERY_IMAGE_NAME} by default)."
+DEFINE_string baselines "" \
+  "Directory to load security baselines from (default from cros-signing)"
+
+FLAGS_HELP="USAGE: security_test_image [flags]
+This script is used to run security tests on a Chrome OS images.
+
+Note: You probably will need an internal checkout by default for these
+      tests to be useful.  You can provide your own baselines, but you
+      can certainly provide your own set of configs.
+
+Note: These tests will fail on dev images.  They are designed to
+      check recovery images only.
+"
+show_help_if_requested "$@"
+
+# Parse command line.
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+
+# Only now can we die on error.  shflags functions leak non-zero error codes,
+# so will die prematurely if 'switch_to_strict_mode' is specified before now.
+switch_to_strict_mode
+
+SIGNER_DIR="${CHROOT_TRUNK_DIR}/cros-signing"
+SIGNING_TOOLS_DIR="${SIGNER_DIR}/signer/signingtools-bin"
+SECURITY_BASELINE_DIR="${SIGNER_DIR}/security_test_baselines"
+VBOOT_DIR="${CHROOT_TRUNK_DIR}/src/platform/vboot_reference/scripts/"\
+"image_signing"
+
+# No security baselines provided.  Use the standard one.
+if [[ -z ${FLAGS_baselines} ]]; then
+  FLAGS_baselines=${SECURITY_BASELINE_DIR}
+  if [[ ! -d ${FLAGS_baselines} ]]; then
+    if [[ ! -d ${SIGNER_DIR} ]]; then
+      warn "Skipping security tests with public manifest"
+      exit 0
+    else
+      die "Could not locate security baselines from" \
+          "${FLAGS_baselines} with private manifest"
+    fi
+  fi
+fi
+info "Loading baselines from ${FLAGS_baselines}"
+
+# No image was provided.  Use the standard latest image.
+if [[ -z ${FLAGS_image} ]]; then
+  DEFAULT_IMAGE_DIR=$("${SCRIPT_ROOT}"/get_latest_image.sh \
+                        --board="${FLAGS_board}")
+  FLAGS_image="${DEFAULT_IMAGE_DIR}/${CHROMEOS_RECOVERY_IMAGE_NAME}"
+fi
+info "Using ${FLAGS_image}"
+
+# The signer uses these binaries, so we should too.
+PATH="${SIGNING_TOOLS_DIR}:${PATH}"
+
+# Run all the security tests.
+failed_count=0
+run_check() {
+  local cmd=(
+    "${VBOOT_DIR}/ensure_$1.sh"
+    "${FLAGS_image}"
+  )
+  if [[ $# -ge 2 ]]; then
+    cmd+=( "${FLAGS_baselines}/ensure_$1.config" )
+  fi
+  info "Running ensure_$1.sh"
+  if ! "${cmd[@]}"; then
+    error "$1: test failed"
+    : $(( ++failed_count ))
+  fi
+}
+
+sec_checks=(
+  no_nonrelease_files
+  sane_lsb-release
+  secure_kernelparams
+)
+for check in "${sec_checks[@]}"; do
+  run_check "${check}" "${check}"
+done
+
+sec_checks=(
+  not_ASAN
+  # This test requires an update key to be inserted
+  # first which the signer itself currently does.
+  #update_verification
+)
+for check in "${sec_checks[@]}"; do
+  run_check "${check}"
+done
+
+if [[ ${failed_count} -gt 0 ]]; then
+  die_notrace "${failed_count} tests failed"
+else
+  info "All tests passed!"
+fi