From: Daniel Golle Date: Mon, 15 Jan 2018 02:37:17 +0000 (+0100) Subject: base-files: introduce sysupgrade signature chain verification X-Git-Tag: state~1331 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=8174853c78f88b854ac66a3f0a5380d36ededa9a;p=openwrt%2Fstaging%2Fchunkeey.git base-files: introduce sysupgrade signature chain verification Verify ucert signature chains in sysupgrade images in case ucert is installed and $CHECK_IMAGE_SIGNARURE = 1. Also make sure ucert host binary is present and generate a self-signed ucert in case $TOPDIR/key-build.ucert is missing. Signed-off-by: Daniel Golle --- diff --git a/package/base-files/Makefile b/package/base-files/Makefile index 04a863a8c5..b72b17ee16 100644 --- a/package/base-files/Makefile +++ b/package/base-files/Makefile @@ -12,11 +12,11 @@ include $(INCLUDE_DIR)/version.mk include $(INCLUDE_DIR)/feeds.mk PKG_NAME:=base-files -PKG_RELEASE:=194 +PKG_RELEASE:=195 PKG_FLAGS:=nonshared PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/ -PKG_BUILD_DEPENDS:=usign/host +PKG_BUILD_DEPENDS:=usign/host ucert/host PKG_LICENSE:=GPL-2.0 # Extend depends from version.mk @@ -102,6 +102,9 @@ ifdef CONFIG_SIGNED_PACKAGES [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \ $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key" + [ -s $(BUILD_KEY).ucert ] || \ + $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY) + endef define Package/base-files/install-key diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh index aa2ac79d13..3f28fccd90 100644 --- a/package/base-files/files/lib/upgrade/fwtool.sh +++ b/package/base-files/files/lib/upgrade/fwtool.sh @@ -1,3 +1,28 @@ +fwtool_check_signature() { + [ $# -gt 1 ] && return 1 + + [ ! -x /usr/bin/ucert ] && { + if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then + return 1 + else + return 0 + fi + } + + if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then + echo "Image signature not found" + [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && { + echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware" + } + [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1 + return 0 + fi + + ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys + + return $? +} + fwtool_check_image() { [ $# -gt 1 ] && return 1 diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade index c9615e54c3..3cebfb68e0 100755 --- a/package/base-files/files/sbin/sysupgrade +++ b/package/base-files/files/sbin/sysupgrade @@ -136,7 +136,7 @@ add_overlayfiles() { } # hooks -sysupgrade_image_check="fwtool_check_image platform_check_image" +sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image" if [ $SAVE_OVERLAY = 1 ]; then [ ! -d /overlay/upper/etc ] && {