From: Paul Spooren Date: Mon, 2 Nov 2020 22:15:05 +0000 (-1000) Subject: imagebuilder: add package signature verification X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=418362b1cc106b9aca3905150199f60548906fff;p=openwrt%2Fstaging%2Frobimarko.git imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren --- diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile index 8b2f4e5af6..a96f8618e8 100644 --- a/target/imagebuilder/Makefile +++ b/target/imagebuilder/Makefile @@ -61,6 +61,14 @@ else -exec $(CP) -t $(IB_LDIR)/ {} + endif +ifneq ($(CONFIG_SIGNATURE_CHECK),) + echo '' >> $(PKG_BUILD_DIR)/repositories.conf + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/ +endif + $(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/ if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \ $(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \ diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index 0ce5f8b39b..65cba92b32 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile @@ -46,6 +46,7 @@ Building images: make image BIN_DIR="" # alternative output directory for the images make image EXTRA_IMAGE_NAME="" # Add this to the output image filename (sanitized) make image DISABLED_SERVICES=" [ [ ..]]" # Which services in /etc/init.d/ should be disabled + make image ADD_LOCAL_KEY=1 # store locally generated signing key in built images Print manifest: List "all" packages which get installed into the image. @@ -64,8 +65,10 @@ help: FORCE # override variables from rules.mk PACKAGE_DIR:=$(TOPDIR)/packages LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) +export OPKG_KEYS:=$(TOPDIR)/keys OPKG:=$(call opkg,$(TARGET_DIR)) \ -f $(TOPDIR)/repositories.conf \ + --verify-program $(SCRIPT_DIR)/opkg-key \ --cache $(DL_DIR) \ --lists-dir $(LISTS_DIR) @@ -133,7 +136,9 @@ package_index: FORCE @echo Building package index... >&2 @mkdir -p $(TMP_DIR) $(TARGET_DIR)/tmp (cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . > Packages && \ - gzip -9nc Packages > Packages.gz \ + gzip -9nc Packages > Packages.gz; \ + $(if $(CONFIG_SIGNATURE_CHECK), \ + $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY)); \ ) >/dev/null 2>/dev/null $(OPKG) update >&2 || true @@ -165,9 +170,14 @@ prepare_rootfs: FORCE @echo Finalizing root filesystem... $(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG) + $(if $(CONFIG_SIGNATURE_CHECK), \ + $(if $(ADD_LOCAL_KEY), \ + OPKG_KEYS=$(TARGET_DIR)/etc/opkg/keys/ \ + $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \ + ) \ + ) $(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES)) - build_image: FORCE @echo @echo Building images... @@ -206,8 +216,26 @@ ifneq ($(PROFILE),) endif endif +_check_keys: FORCE +ifneq ($(CONFIG_SIGNATURE_CHECK),) + @if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \ + echo Generate local signing keys... >&2; \ + $(STAGING_DIR_HOST)/bin/usign -G \ + -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"; \ + $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub; \ + fi + if [ ! -s $(BUILD_KEY).ucert ]; then \ + echo Generate local certificate... >&2; \ + $(STAGING_DIR_HOST)/bin/ucert -I \ + -c $(BUILD_KEY).ucert \ + -p $(BUILD_KEY).pub \ + -s $(BUILD_KEY); \ + fi +endif + image: $(MAKE) -s _check_profile + $(MAKE) -s _check_keys (unset PROFILE FILES PACKAGES MAKEFLAGS; \ $(MAKE) -s _call_image \ $(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \ @@ -218,6 +246,7 @@ image: manifest: FORCE $(MAKE) -s _check_profile + $(MAKE) -s _check_keys (unset PROFILE FILES PACKAGES MAKEFLAGS; \ $(MAKE) -s _call_manifest \ $(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \