build/security/verifier/verify_kernel_cmdline.gni - fuchsia - Git at Google

 # Copyright 2021 The Fuchsia Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 import("//build/dev.gni")
 import("//src/developer/ffx/build/ffx_action.gni")

 # Check the kernel cmdline extracted from ZBI against a golden file.
 #
 # Parameters
 #
 #   zbi_is_signed (required)
 #     [boolean] Whether the ZBI from assembly is signed.
 #
 #   image_assembler_target (required)
 #     [string] The target that assembles system images, including the system
 #     blobfs archive file.
 #
 #   assembly_image_name (required)
 #     [string] The image_name designated in the system assembly associated with
 #     image_assembler_target.
 #
 #   goldens (required)
 #     [list of strings] Path to a list of golden files that contain golden
 #     kernel cmdline in the format of one cmdline entry per line. The actual
 #     cmdline must match either one of the goldens. There should be only one
 #     golden file in this list for normal case and two golden files, one for the
 #     old golden file, one for the new golden file during a soft transition.
 #
 #   deps, public_deps, data_deps (optional)
 #     Usual GN meaning.

 template("verify_kernel_cmdline") {
   assert(defined(invoker.zbi_is_signed),
          "verify_kernel_cmdline() must specify zbi_is_signed")
   assert(defined(invoker.image_assembler_target),
          "verify_kernel_cmdline() must specify image_assembler_target")
   assert(defined(invoker.assembly_image_name),
          "verify_kernel_cmdline() must specify assembly_image_name")
   assert(defined(invoker.goldens),
          "verify_kernel_cmdline() must specify goldens")

   image_assembler_target_out_dir =
       get_label_info(invoker.image_assembler_target, "target_out_dir")
   assembly_image_name = invoker.assembly_image_name
   image_assembler_dir = "$image_assembler_target_out_dir/$assembly_image_name"

   if (invoker.zbi_is_signed) {
     zbi = "$image_assembler_dir/$assembly_image_name.zbi.signed"
   } else {
     zbi = "$image_assembler_dir/$assembly_image_name.zbi"
   }

   ffx_action(target_name) {
     forward_variables_from(invoker,
                            [
                              "testonly",
                              "deps",
                              "public_deps",
                              "data_deps",
                              "visibility",
                            ])

     stamp_file = "$target_gen_dir/$target_name.verified"
     depfile = "$target_gen_dir/$target_name.d"

     inputs = [ zbi ] + invoker.goldens
     outputs = [ stamp_file ]

     args = [
       "scrutiny",
       "verify",
       "--depfile",
       rebase_path(depfile, root_build_dir),
       "--stamp",
       rebase_path(stamp_file, root_build_dir),
       "kernel-cmdline",
       "--zbi",
       rebase_path(zbi, root_build_dir),
     ]
     foreach(golden, invoker.goldens) {
       args += [
         "--golden",
         rebase_path(golden, root_build_dir),
       ]
     }

     if (!defined(invoker.deps)) {
       deps = []
     }
     deps += [ invoker.image_assembler_target ]
   }
 }
	# Copyright 2021 The Fuchsia Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	import("//build/dev.gni")
	import("//src/developer/ffx/build/ffx_action.gni")

	# Check the kernel cmdline extracted from ZBI against a golden file.
	#
	# Parameters
	#
	# zbi_is_signed (required)
	# [boolean] Whether the ZBI from assembly is signed.
	#
	# image_assembler_target (required)
	# [string] The target that assembles system images, including the system
	# blobfs archive file.
	#
	# assembly_image_name (required)
	# [string] The image_name designated in the system assembly associated with
	# image_assembler_target.
	#
	# goldens (required)
	# [list of strings] Path to a list of golden files that contain golden
	# kernel cmdline in the format of one cmdline entry per line. The actual
	# cmdline must match either one of the goldens. There should be only one
	# golden file in this list for normal case and two golden files, one for the
	# old golden file, one for the new golden file during a soft transition.
	#
	# deps, public_deps, data_deps (optional)
	# Usual GN meaning.

	template("verify_kernel_cmdline") {
	assert(defined(invoker.zbi_is_signed),
	"verify_kernel_cmdline() must specify zbi_is_signed")
	assert(defined(invoker.image_assembler_target),
	"verify_kernel_cmdline() must specify image_assembler_target")
	assert(defined(invoker.assembly_image_name),
	"verify_kernel_cmdline() must specify assembly_image_name")
	assert(defined(invoker.goldens),
	"verify_kernel_cmdline() must specify goldens")

	image_assembler_target_out_dir =
	get_label_info(invoker.image_assembler_target, "target_out_dir")
	assembly_image_name = invoker.assembly_image_name
	image_assembler_dir = "$image_assembler_target_out_dir/$assembly_image_name"

	if (invoker.zbi_is_signed) {
	zbi = "$image_assembler_dir/$assembly_image_name.zbi.signed"
	} else {
	zbi = "$image_assembler_dir/$assembly_image_name.zbi"
	}

	ffx_action(target_name) {
	forward_variables_from(invoker,
	[
	"testonly",
	"deps",
	"public_deps",
	"data_deps",
	"visibility",
	])

	stamp_file = "$target_gen_dir/$target_name.verified"
	depfile = "$target_gen_dir/$target_name.d"

	inputs = [ zbi ] + invoker.goldens
	outputs = [ stamp_file ]

	args = [
	"scrutiny",
	"verify",
	"--depfile",
	rebase_path(depfile, root_build_dir),
	"--stamp",
	rebase_path(stamp_file, root_build_dir),
	"kernel-cmdline",
	"--zbi",
	rebase_path(zbi, root_build_dir),
	]
	foreach(golden, invoker.goldens) {
	args += [
	"--golden",
	rebase_path(golden, root_build_dir),
	]
	}

	if (!defined(invoker.deps)) {
	deps = []
	}
	deps += [ invoker.image_assembler_target ]
	}
	}