From 3a70d67b7f3a449f573e43a952d94a6cb654570e Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Fri, 28 Sep 2012 23:43:15 -0400 Subject: [PATCH] security_test_image: new signer test script Add a script so devs can run signer security tests themselves to make sure they don't break them. BUG=chromium-os:19543 TEST=`cbuildbot lumpy-release` passed and ran signer tests Change-Id: I68cc3ec19616be3c91a1a14550cb38c2e6f2503d Reviewed-on: https://gerrit.chromium.org/gerrit/34326 Commit-Ready: Mike Frysinger Reviewed-by: Mike Frysinger Tested-by: Mike Frysinger --- security_test_image | 112 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100755 security_test_image diff --git a/security_test_image b/security_test_image new file mode 100755 index 0000000000..f35b9f8638 --- /dev/null +++ b/security_test_image @@ -0,0 +1,112 @@ +#!/bin/bash + +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +CROS_LOG_PREFIX=${0##*/} + +SCRIPT_ROOT=$(dirname "$(readlink -f "$0")") +. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1 + +# Developer-visible flags. +DEFINE_string board "${DEFAULT_BOARD}" \ + "The board to build an image for." +DEFINE_string image "" \ + "Source release image to use (${CHROMEOS_RECOVERY_IMAGE_NAME} by default)." +DEFINE_string baselines "" \ + "Directory to load security baselines from (default from cros-signing)" + +FLAGS_HELP="USAGE: security_test_image [flags] +This script is used to run security tests on a Chrome OS images. + +Note: You probably will need an internal checkout by default for these + tests to be useful. You can provide your own baselines, but you + can certainly provide your own set of configs. + +Note: These tests will fail on dev images. They are designed to + check recovery images only. +" +show_help_if_requested "$@" + +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Only now can we die on error. shflags functions leak non-zero error codes, +# so will die prematurely if 'switch_to_strict_mode' is specified before now. +switch_to_strict_mode + +SIGNER_DIR="${CHROOT_TRUNK_DIR}/cros-signing" +SIGNING_TOOLS_DIR="${SIGNER_DIR}/signer/signingtools-bin" +SECURITY_BASELINE_DIR="${SIGNER_DIR}/security_test_baselines" +VBOOT_DIR="${CHROOT_TRUNK_DIR}/src/platform/vboot_reference/scripts/"\ +"image_signing" + +# No security baselines provided. Use the standard one. +if [[ -z ${FLAGS_baselines} ]]; then + FLAGS_baselines=${SECURITY_BASELINE_DIR} + if [[ ! -d ${FLAGS_baselines} ]]; then + if [[ ! -d ${SIGNER_DIR} ]]; then + warn "Skipping security tests with public manifest" + exit 0 + else + die "Could not locate security baselines from" \ + "${FLAGS_baselines} with private manifest" + fi + fi +fi +info "Loading baselines from ${FLAGS_baselines}" + +# No image was provided. Use the standard latest image. +if [[ -z ${FLAGS_image} ]]; then + DEFAULT_IMAGE_DIR=$("${SCRIPT_ROOT}"/get_latest_image.sh \ + --board="${FLAGS_board}") + FLAGS_image="${DEFAULT_IMAGE_DIR}/${CHROMEOS_RECOVERY_IMAGE_NAME}" +fi +info "Using ${FLAGS_image}" + +# The signer uses these binaries, so we should too. +PATH="${SIGNING_TOOLS_DIR}:${PATH}" + +# Run all the security tests. +failed_count=0 +run_check() { + local cmd=( + "${VBOOT_DIR}/ensure_$1.sh" + "${FLAGS_image}" + ) + if [[ $# -ge 2 ]]; then + cmd+=( "${FLAGS_baselines}/ensure_$1.config" ) + fi + info "Running ensure_$1.sh" + if ! "${cmd[@]}"; then + error "$1: test failed" + : $(( ++failed_count )) + fi +} + +sec_checks=( + no_nonrelease_files + sane_lsb-release + secure_kernelparams +) +for check in "${sec_checks[@]}"; do + run_check "${check}" "${check}" +done + +sec_checks=( + not_ASAN + # This test requires an update key to be inserted + # first which the signer itself currently does. + #update_verification +) +for check in "${sec_checks[@]}"; do + run_check "${check}" +done + +if [[ ${failed_count} -gt 0 ]]; then + die_notrace "${failed_count} tests failed" +else + info "All tests passed!" +fi