1#!/usr/bin/env python3
2# Copyright 2022 The ChromiumOS Authors
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5
6"""Run security tests on an artifact"""
7
8import argparse
9import os
10from pathlib import Path
11import subprocess
12import sys
13
14
# Directory that holds this script and the *.sh test scripts it launches
# (resolved, so a symlinked copy of this file still finds its siblings).
DIR = Path(__file__).resolve().parents[0]
16
17
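def exec_test(name, input, args):
    """Run one security test script and exit the process if it fails.

    The script is located next to this file (``<name>.sh``) so the test
    can be launched from any working directory.  The child is started
    without a shell and every argv element is passed through verbatim.

    Args:
        name: the name of the script to execute (without the ``.sh``
            suffix); callers pass fixed names, not user input
        input: the input artifact, passed as the script's first argument
        args: iterable of additional arguments for the script

    Raises:
        SystemExit: carrying the script's return code when it is non-zero
    """
    # Ensure this script can execute from any directory
    cmd_path = DIR / f"{name}.sh"

    # Unpacking accepts any iterable of extra arguments, not only a list.
    cmd = [cmd_path, input, *args]
    ret = subprocess.run(cmd, check=False)
    if ret.returncode:
        # Stop at the first failing test and surface its status code.
        sys.exit(ret.returncode)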
33
34
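def get_parser():
    """Create the command line argument parser.

    Returns:
        An ``argparse.ArgumentParser`` accepting ``--board`` (optional,
        defaults to ``""``), ``--config`` and ``--input`` (both required,
        parsed as ``Path``) and the ``--keyset-is-mp`` flag.
    """
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--board",
        "-b",
        default="",
        help="Board name",
        type=str,
    )

    parser.add_argument(
        "--config",
        "-c",
        help="Security test baseline config directory",
        required=True,
        type=Path,
    )

    parser.add_argument(
        "--input",
        "-i",
        # Help text previously read "Artfact".
        help="Artifact to test",
        required=True,
        type=Path,
    )

    parser.add_argument(
        "--keyset-is-mp",
        action="store_true",
        # main() runs the additional MP-only checks when this flag is set.
        help="Target artifact is signed with a mass production keyset",
        default=False,
    )

    return parser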
70
71
72def main(argv):
73    """Main function, parses arguments and invokes the relevant scripts"""
74    parser = get_parser()
75    opts = parser.parse_args(argv)
76
77    # Run generic baseline tests.
78    baseline_tests = [
79        "ensure_sane_lsb-release",
80    ]
81
82    if opts.keyset_is_mp:
83        baseline_tests += [
84            "ensure_no_nonrelease_files",
85            "ensure_secure_kernelparams",
86        ]
87
88    for test in baseline_tests:
89        exec_test(
90            test, opts.input, [os.path.join(opts.config, f"{test}.config")]
91        )
92
93    # Run generic non-baseline tests.
94    tests = []
95
96    if opts.keyset_is_mp:
97        tests += [
98            "ensure_not_ASAN",
99            "ensure_not_tainted_license",
100            "ensure_update_verification",
101        ]
102
103    for test in tests:
104        exec_test(test, opts.input, [])
105
106    # Run custom tests.
107    if opts.keyset_is_mp:
108        # AMD PSP flags only need to be checked for MP-signed artifacts.
109        exec_test("ensure_amd_psp_flags", opts.input, [opts.board])
110
111
if __name__ == "__main__":
    # exec_test() already exits with a failing script's return code, so
    # reaching the end of main() means every test passed; main() returns
    # None, which sys.exit() maps to exit status 0.
    sys.exit(main(sys.argv[1:]))
114