domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

base-files: introduce sysupgrade signature chain verification

Browse Source 
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
Daniel Golle
2018-01-15 03:37:17 +01:00
parent ec78f03de5
commit 8174853c78
3 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
package/base-files/Makefile
View File

@@ -12,11 +12,11 @@ include $(INCLUDE_DIR)/version.mk
include $(INCLUDE_DIR)/feeds.mk
PKG_NAME:=base-files
PKG_RELEASE:=194
PKG_RELEASE:=195
PKG_FLAGS:=nonshared
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
PKG_BUILD_DEPENDS:=usign/host
PKG_BUILD_DEPENDS:=usign/host ucert/host
PKG_LICENSE:=GPL-2.0
# Extend depends from version.mk
@@ -102,6 +102,9 @@ ifdef CONFIG_SIGNED_PACKAGES
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
[ -s $(BUILD_KEY).ucert ] || \
$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
endef
define Package/base-files/install-key

25
package/base-files/files/lib/upgrade/fwtool.sh
View File

@@ -1,3 +1,28 @@
fwtool_check_signature() {
[ $# -gt 1 ] && return 1
[ ! -x /usr/bin/ucert ] && {
if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
return 1
else
return 0
fi
}
if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
echo "Image signature not found"
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
}
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
return 0
fi
ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
return $?
}
fwtool_check_image() {
[ $# -gt 1 ] && return 1

2
package/base-files/files/sbin/sysupgrade
View File

@@ -136,7 +136,7 @@ add_overlayfiles() {
}
# hooks
sysupgrade_image_check="fwtool_check_image platform_check_image"
sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image"
if [ $SAVE_OVERLAY = 1 ]; then
[ ! -d /overlay/upper/etc ] && {