projects / openwrt / staging / ynezz.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ec78f03)
base-files: introduce sysupgrade signature chain verification
authorDaniel Golle <daniel@makrotopia.org>
Mon, 15 Jan 2018 02:37:17 +0000 (03:37 +0100)
committerDaniel Golle <daniel@makrotopia.org>
Wed, 8 Aug 2018 00:22:54 +0000 (02:22 +0200)
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
package/base-files/Makefile patch | blob | history
package/base-files/files/lib/upgrade/fwtool.sh patch | blob | history
package/base-files/files/sbin/sysupgrade patch | blob | history

diff --git a/package/base-files/Makefile b/package/base-files/Makefile
index 04a863a8c50e6fc95ed572541a3443d5ad8bbaf9..b72b17ee16763b95558bb8ea78d61a265e863538 100644 (file)
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@@ -12,11 +12,11 @@ include $(INCLUDE_DIR)/version.mk
 include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=194
+PKG_RELEASE:=195
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
-PKG_BUILD_DEPENDS:=usign/host
+PKG_BUILD_DEPENDS:=usign/host ucert/host
 PKG_LICENSE:=GPL-2.0
 
 # Extend depends from version.mk
@@ -102,6 +102,9 @@ ifdef CONFIG_SIGNED_PACKAGES
        [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
                $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
 
+       [ -s $(BUILD_KEY).ucert ] || \
+               $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
+
   endef
 
   define Package/base-files/install-key
diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
index aa2ac79d13790200163c284e04d961d185b21463..3f28fccd904dc0ae1019ad31ad11b5a1c220b905 100644 (file)
--- a/package/base-files/files/lib/upgrade/fwtool.sh
+++ b/package/base-files/files/lib/upgrade/fwtool.sh
@@ -1,3 +1,28 @@
+fwtool_check_signature() {
+       [ $# -gt 1 ] && return 1
+
+       [ ! -x /usr/bin/ucert ] && {
+               if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
+                       return 1
+               else
+                       return 0
+               fi
+       }
+
+       if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
+               echo "Image signature not found"
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
+                       echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+               }
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
+               return 0
+       fi
+
+       ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
+
+       return $?
+}
+
 fwtool_check_image() {
        [ $# -gt 1 ] && return 1
 
diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade
index c9615e54c30253a9eb611a4d730556ea7746f1c2..3cebfb68e06a838f2dac8e3dda28e27ea3418df3 100755 (executable)
--- a/package/base-files/files/sbin/sysupgrade
+++ b/package/base-files/files/sbin/sysupgrade
@@ -136,7 +136,7 @@ add_overlayfiles() {
 }
 
 # hooks
-sysupgrade_image_check="fwtool_check_image platform_check_image"
+sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image"
 
 if [ $SAVE_OVERLAY = 1 ]; then
        [ ! -d /overlay/upper/etc ] && {
Staging tree of Petr Stetiar