BUTTERFLY-FACTORY: Added patterns for bootcache.

The bootcache will be changing the linux command line. Added additional
patterns that are acceptable to the signing software.

BUG=chrome-os-partner:16370
TEST=none
BRANCH=none

Change-Id: Id46d5f5eeebfd72941127f4fab35da59b28f695e
Original-Change-Id: I22d00ebc6191b5499f722974d90c260b78eb63b2
Reviewed-on: https://gerrit.chromium.org/gerrit/39023
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Shawn Nematbakhsh <shawnn@google.com>
diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index e09e6dd..1db8f2d 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -39,6 +39,12 @@
   if [[ $dmparams != *MAGIC_HASH* ]]; then
     dmparams=$(echo $dmparams | sed 's/sha1 [0-9a-fA-F]*/sha1 MAGIC_HASH/')
   fi
+  # If we have bootcache enabled, replace its copy of the root_hexdigest
+  # with MAGIC_HASH. The parameter is positional.
+  if [[ $dmparams == *bootcache* ]]; then
+    dmparams=$(echo $dmparams |
+      sed -r 's/(bootcache %U\+1 [0-9]+) [0-9a-fA-F]+/\1 MAGIC_HASH/')
+  fi
   echo $dmparams
 }
 
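Review bot: The added sed expression accepts any run of hex digits, of any length, in the bootcache digest slot and rewrites it to MAGIC_HASH, and nothing in this hunk compares that value with the verity `sha1` digest normalised just above it. If the two are meant to be the same root_hexdigest, as the new comment says, a mismatch between them would go unnoticed here. Consider capturing both values and failing when they differ, or at least pinning the length with `[0-9a-fA-F]{40}` if this is a SHA-1 digest. Separately, `echo $dmparams` is unquoted, so the value is word-split and glob-expanded before it reaches sed; `printf '%s\n' "$dmparams"` avoids that. The enclosing function starts above the hunk.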
@@ -94,13 +100,16 @@
     # turn e.g. x86-foo as a well as x86-foo-pvtkeys into x86_foo.
     local board=$(grep CHROMEOS_RELEASE_BOARD= "$rootfs/etc/lsb-release" | \
                   cut -d = -f 2 | cut -d - -f 1,2 --output-delimiter=_)
-    eval "required_kparams=(\${required_kparams_$board[@]})"
-    eval "optional_kparams=(\${optional_kparams_$board[@]})"
-    eval "optional_kparams_regex=(\${optional_kparams_regex_$board[@]})"
+    eval "required_kparams=(\"\${required_kparams_$board[@]}\")"
+    eval "required_kparams_regex=(\"\${required_kparams_regex_$board[@]}\")"
+    eval "optional_kparams=(\"\${optional_kparams_$board[@]}\")"
+    eval "optional_kparams_regex=(\"\${optional_kparams_regex_$board[@]}\")"
     eval "required_dmparams=(\"\${required_dmparams_$board[@]}\")"
     eval "required_dmparams_regex=(\"\${required_dmparams_regex_$board[@]}\")"
     output+="required_kparams=(\n"
     output+="$(printf "\t'%s'\n" "${required_kparams[@]}")\n)\n"
+    output+="required_kparams_regex=(\n"
+    output+="$(printf "\t'%s'\n" "${required_kparams_regex[@]}")\n)\n"
     output+="optional_kparams=(\n"
     output+="$(printf "\t'%s'\n" "${optional_kparams[@]}")\n)\n"
     output+="optional_kparams_regex=(\n"
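Review bot: `$board` is read from the image's own `etc/lsb-release` and then interpolated into six `eval` strings, including the newly added `required_kparams_regex` line, so any shell metacharacter in that field would be executed by the signing script. The inner quotes added here fix word-splitting of array elements but do nothing to constrain `$board`. Indirect expansion performs the same lookup without eval: `ref="required_kparams_regex_${board}[@]"; required_kparams_regex=("${!ref}")`. A guard such as `[[ $board =~ ^[A-Za-z0-9_]+$ ]]` before the first use would also reject unexpected values early. The enclosing function starts and ends outside the hunk.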
@@ -159,6 +168,19 @@
         fi
     done
 
+    # Ensure all other required regex params are present.
+    for param in "${required_kparams_regex[@]}"; do
+        if [[ "$kparams_nodm" != *$param* ]]; then
+            echo "Kernel parameters missing required value: $param"
+            testfail=1
+        else
+            # Remove matched params as we go. If all goes well, kparams_nodm
+            # will be nothing left but whitespace by the end.
+            kparams_nodm=$(echo " ${kparams_nodm} " |
+                           sed "s${M} ${param} ${M} ${M}")
+        fi
+    done
+
     # Check-off each of the allowed-but-optional params that were present.
     for param in "${optional_kparams[@]}"; do
         param=$(escape_regexmetas "$param")
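Review bot: The presence test `[[ "$kparams_nodm" != *$param* ]]` treats each `required_kparams_regex` entry as a glob substring, while the removal a few lines later feeds the same string to sed as a regular expression bounded by spaces, so the two can disagree. An entry can be reported present because it matches inside a longer parameter, or reported missing because regex syntax such as `[0-9]+` means something different as a glob. Letting the sed substitution decide both questions keeps one dialect and the whole-word boundary; the fence below compares the padded string before and after. `M` and the enclosing function are defined outside the hunk, so the new temporaries are left undeclared here and should be made `local` if this runs inside a function.

```shell
    for param in "${required_kparams_regex[@]}"; do
        # Let sed decide both "present" and "removed" so a single regex
        # dialect and the space-delimited boundary apply to both.
        padded=" ${kparams_nodm} "
        stripped=$(printf '%s\n' "$padded" | sed "s${M} ${param} ${M} ${M}")
        if [[ "$stripped" == "$padded" ]]; then
            echo "Kernel parameters missing required value: $param"
            testfail=1
        else
            kparams_nodm=$stripped
        fi
    done
    # … unchanged: optional_kparams check-off loop …
```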