openwrt/target/imagebuilder/files/Makefile

373 lines
12 KiB
Makefile
Raw Normal View History

# Makefile for OpenWrt
#
# Copyright (C) 2007-2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
TOPDIR:=${CURDIR}
LC_ALL:=C
LANG:=C
export TOPDIR LC_ALL LANG
export OPENWRT_VERBOSE=s
all: help
export ORIG_PATH:=$(if $(ORIG_PATH),$(ORIG_PATH),$(PATH))
export PATH:=$(TOPDIR)/staging_dir/host/bin:$(PATH)
ifneq ($(OPENWRT_BUILD),1)
override OPENWRT_BUILD=1
export OPENWRT_BUILD
endif
include rules.mk
include $(INCLUDE_DIR)/debug.mk
include $(INCLUDE_DIR)/depends.mk
include $(INCLUDE_DIR)/rootfs.mk
include $(INCLUDE_DIR)/version.mk
export REVISION
export SOURCE_DATE_EPOCH
define Helptext
Available Commands:
help: This help text
info: Show a list of available target profiles
clean: Remove images and temporary build files
image: Build an image (see below for more information).
manifest: Show all package that will be installed into the image
package_whatdepends: Show which packages have a dependency on this
package_depends: Show installation dependency of the package
image:
By default 'make image' will create an image with the default
target profile and package set. You can use the following parameters
to change that:
make image PROFILE="<profilename>" # override the default target profile
make image PACKAGES="<pkg1> [<pkg2> [<pkg3> ...]]" # include extra packages
make image FILES="<path>" # include extra files from <path>
make image BIN_DIR="<path>" # alternative output directory for the images
make image EXTRA_IMAGE_NAME="<string>" # Add this to the output image filename (sanitized)
make image DISABLED_SERVICES="<svc1> [<svc2> [<svc3> ..]]" # Which services in /etc/init.d/ should be disabled
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
make image ADD_LOCAL_KEY=1 # store locally generated signing key in built images
make image ROOTFS_PARTSIZE="<size>" # override the default rootfs partition size in MegaBytes
manifest:
List "all" packages which get installed into the image.
You can use the following parameters:
make manifest PROFILE="<profilename>" # override the default target profile
make manifest PACKAGES="<pkg1> [<pkg2> [<pkg3> ...]]" # include extra packages
make manifest STRIP_ABI=1 # remove ABI version from printed package names
package_whatdepends:
List "all" packages that have a dependency on this package
You can use the following parameters:
make package_whatdepends PACKAGE="<pkg>"
package_depends:
List "all" packages dependency of the package
You can use the following parameters:
make package_depends PACKAGE="<pkg>"
endef
$(eval $(call shexport,Helptext))
help: FORCE
echo "$$$(call shvar,Helptext)"
# override variables from rules.mk
BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem
BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem
export PACKAGE_DIR:=$(TOPDIR)/packages
LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
export OPKG_KEYS:=$(TOPDIR)/keys
OPKG:=$(call opkg,$(TARGET_DIR)) \
-f $(TOPDIR)/repositories.conf \
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
--verify-program $(SCRIPT_DIR)/opkg-key \
--cache $(DL_DIR) \
--lists-dir $(LISTS_DIR)
export APK_KEYS:=$(TOPDIR)/keys
APK:=$(call apk,$(TARGET_DIR)) \
--repositories-file $(TOPDIR)/repositories \
$(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
--cache-dir $(DL_DIR)
include $(INCLUDE_DIR)/target.mk
-include .profiles.mk
USER_PROFILE ?= $(firstword $(PROFILE_NAMES))
PROFILE_LIST = $(foreach p,$(PROFILE_NAMES), \
echo '$(patsubst DEVICE_%,%,$(p)):'; $(if $($(p)_NAME),echo ' $(subst ','"'"',$($(p)_NAME))'; ) \
echo ' Packages: $($(p)_PACKAGES)'; echo ' hasImageMetadata: $($(p)_HAS_IMAGE_METADATA)'; \
$(if $($(p)_SUPPORTED_DEVICES),echo ' SupportedDevices: $($(p)_SUPPORTED_DEVICES)';) )
.profiles.mk: .targetinfo
@$(SCRIPT_DIR)/target-metadata.pl profile_mk $< '$(BOARD)/$(SUBTARGET)' > $@
staging_dir/host/.prereq-build: include/prereq-build.mk
mkdir -p tmp
@$(_SINGLE)$(NO_TRACE_MAKE) -j1 -r -s -f $(TOPDIR)/include/prereq-build.mk prereq IB=1 2>/dev/null || { \
echo "Prerequisite check failed. Use FORCE=1 to override."; \
false; \
}
ifneq ($(realpath $(TOPDIR)/include/prepare.mk),)
@$(_SINGLE)$(NO_TRACE_MAKE) -j1 -r -s -f $(TOPDIR)/include/prepare.mk prepare 2>/dev/null || { \
echo "Preparation failed."; \
false; \
}
endif
touch $@
_call_info: FORCE
echo 'Current Target: "$(TARGETID)"'
echo 'Current Architecture: "$(ARCH)"'
echo 'Current Revision: "$(REVISION)"'
echo 'Default Packages: $(DEFAULT_PACKAGES)'
echo 'Available Profiles:'
echo; $(PROFILE_LIST)
BUILD_PACKAGES:=$(sort $(DEFAULT_PACKAGES) $($(USER_PROFILE)_PACKAGES) kernel)
# "-pkgname" in the package list means remove "pkgname" from the package list
2007-01-21 12:56:55 +00:00
BUILD_PACKAGES:=$(filter-out $(filter -%,$(BUILD_PACKAGES)) $(patsubst -%,%,$(filter -%,$(BUILD_PACKAGES))),$(BUILD_PACKAGES))
BUILD_PACKAGES:=$(USER_PACKAGES) $(BUILD_PACKAGES)
BUILD_PACKAGES:=$(filter-out $(filter -%,$(BUILD_PACKAGES)) $(patsubst -%,%,$(filter -%,$(BUILD_PACKAGES))),$(BUILD_PACKAGES))
PACKAGES:=
_call_image: staging_dir/host/.prereq-build
echo 'Building images for $(BOARD)$(if $($(USER_PROFILE)_NAME), - $($(USER_PROFILE)_NAME))'
echo 'Packages: $(BUILD_PACKAGES)'
echo
rm -rf $(TARGET_DIR) $(TARGET_DIR_ORIG)
mkdir -p $(TARGET_DIR) $(BIN_DIR) $(TMP_DIR) $(DL_DIR)
$(MAKE) package_reload
$(MAKE) package_install
$(MAKE) -s prepare_rootfs
$(MAKE) -s build_image
$(MAKE) -s json_overview_image_info
$(MAKE) -s checksum
_call_manifest: FORCE
rm -rf $(TARGET_DIR)
mkdir -p $(TARGET_DIR) $(BIN_DIR) $(TMP_DIR) $(DL_DIR)
$(MAKE) package_reload >/dev/null
$(MAKE) package_install >/dev/null
ifeq ($(CONFIG_USE_APK),)
$(OPKG) list-installed $(if $(STRIP_ABI),--strip-abi)
else
$(APK) list --quiet --manifest --no-network
endif
package_index: FORCE
@echo >&2
@echo Building package index... >&2
@mkdir -p $(TMP_DIR) $(TARGET_DIR)/tmp
ifeq ($(CONFIG_USE_APK),)
(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . > Packages && \
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
gzip -9nc Packages > Packages.gz; \
$(if $(CONFIG_SIGNATURE_CHECK), \
$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY)) \
) >/dev/null 2>/dev/null
$(OPKG) update >&2 || true
else
$(APK) add --initdb
(cd $(PACKAGE_DIR); $(APK) mkndx \
$(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \
--allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
$(APK) update >&2 || true
endif
package_reload:
ifeq ($(CONFIG_USE_APK),)
if [ -d "$(PACKAGE_DIR)" ] && ( \
[ ! -f "$(PACKAGE_DIR)/Packages" ] || \
[ ! -f "$(PACKAGE_DIR)/Packages.gz" ] || \
[ "`find $(PACKAGE_DIR) -cnewer $(PACKAGE_DIR)/Packages.gz`" ] ); then \
echo "Package list missing or not up-to-date, generating it." >&2 ;\
$(MAKE) package_index; \
else \
mkdir -p $(TARGET_DIR)/tmp; \
$(OPKG) update >&2 || true; \
fi
else
if [ -d "$(PACKAGE_DIR)" ] && ( \
[ ! -f "$(PACKAGE_DIR)/packages.adb" ] || \
[ "`find $(PACKAGE_DIR) -cnewer $(PACKAGE_DIR)/packages.adb`" ] ); then \
echo "Package list missing or not up-to-date, generating it." >&2 ;\
$(MAKE) package_index; \
else \
mkdir -p $(TARGET_DIR)/tmp; \
$(APK) update >&2 || true; \
fi
endif
package_list: FORCE
@$(MAKE) -s package_reload
ifeq ($(CONFIG_USE_APK),)
@$(OPKG) list --size 2>/dev/null
else
@$(APK) list --size 2>/dev/null
endif
package_install: FORCE
@echo
@echo Installing packages...
ifeq ($(CONFIG_USE_APK),)
$(OPKG) install $(firstword $(wildcard $(LINUX_DIR)/libc_*.ipk $(PACKAGE_DIR)/libc_*.ipk))
$(OPKG) install $(firstword $(wildcard $(LINUX_DIR)/kernel_*.ipk $(PACKAGE_DIR)/kernel_*.ipk))
$(OPKG) install $(BUILD_PACKAGES)
else
$(APK) add --no-scripts $(firstword $(wildcard $(LINUX_DIR)/libc-*.apk $(PACKAGE_DIR)/libc_*.apk))
$(APK) add --no-scripts $(firstword $(wildcard $(LINUX_DIR)/kernel-*.apk $(PACKAGE_DIR)/kernel_*.apk))
$(APK) add --no-scripts $(BUILD_PACKAGES)
endif
prepare_rootfs: FORCE
@echo
@echo Finalizing root filesystem...
$(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG)
ifeq ($(CONFIG_USE_APK),)
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
$(if $(CONFIG_SIGNATURE_CHECK), \
$(if $(ADD_LOCAL_KEY), \
OPKG_KEYS=$(TARGET_DIR)/etc/opkg/keys/ \
$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
) \
)
else
$(if $(CONFIG_SIGNATURE_CHECK), \
$(if $(ADD_LOCAL_KEY), \
mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
) \
)
endif
$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
build_image: FORCE
@echo
@echo Building images...
rm -rf $(BUILD_DIR)/json_info_files/
if [ -d "target/linux/feeds/$(BOARD)" ]; then \
$(NO_TRACE_MAKE) -C target/linux/feeds/$(BOARD)/image install TARGET_BUILD=1 IB=1 EXTRA_IMAGE_NAME="$(EXTRA_IMAGE_NAME)" \
$(if $(USER_PROFILE),PROFILE="$(USER_PROFILE)"); \
else \
$(NO_TRACE_MAKE) -C target/linux/$(BOARD)/image install TARGET_BUILD=1 IB=1 EXTRA_IMAGE_NAME="$(EXTRA_IMAGE_NAME)" \
$(if $(USER_PROFILE),PROFILE="$(USER_PROFILE)"); \
fi
$(BIN_DIR)/profiles.json: FORCE
$(if $(CONFIG_JSON_OVERVIEW_IMAGE_INFO), \
WORK_DIR=$(BUILD_DIR)/json_info_files \
$(SCRIPT_DIR)/json_overview_image_info.py $@ \
)
json_overview_image_info: $(BIN_DIR)/profiles.json
checksum: FORCE
@echo
@echo Calculating checksums...
@$(call sha256sums,$(BIN_DIR))
clean:
rm -rf $(TMP_DIR) $(DL_DIR) $(TARGET_DIR) $(BIN_DIR)
info:
(unset PROFILE FILES PACKAGES MAKEFLAGS; $(MAKE) -s _call_info)
PROFILE_FILTER = $(filter DEVICE_$(PROFILE) $(PROFILE),$(PROFILE_NAMES))
_check_profile: FORCE
ifneq ($(PROFILE),)
ifeq ($(PROFILE_FILTER),)
@echo 'Profile "$(PROFILE)" does not exist!'
@echo 'Use "make info" to get a list of available profile names.'
@exit 1
endif
endif
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
_check_keys: FORCE
ifneq ($(CONFIG_SIGNATURE_CHECK),)
ifeq ($(CONFIG_USE_APK),)
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
echo Generate local signing keys... >&2; \
$(STAGING_DIR_HOST)/bin/usign -G \
-s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"; \
$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub; \
fi
if [ ! -s $(BUILD_KEY).ucert ]; then \
echo Generate local certificate... >&2; \
$(STAGING_DIR_HOST)/bin/ucert -I \
-c $(BUILD_KEY).ucert \
-p $(BUILD_KEY).pub \
-s $(BUILD_KEY); \
fi
else
@if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \
echo Generate local signing keys... >&2; \
$(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \
$(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \
fi
endif
endif
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
image:
$(MAKE) -s _check_profile
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
$(MAKE) -s _check_keys
(unset PROFILE FILES PACKAGES MAKEFLAGS; \
$(MAKE) -s _call_image \
$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \
$(if $(FILES),USER_FILES="$(FILES)") \
$(if $(PACKAGES),USER_PACKAGES="$(PACKAGES)") \
$(if $(BIN_DIR),BIN_DIR="$(BIN_DIR)") \
$(if $(DISABLED_SERVICES),DISABLED_SERVICES="$(DISABLED_SERVICES)") \
$(if $(ROOTFS_PARTSIZE),CONFIG_TARGET_ROOTFS_PARTSIZE="$(ROOTFS_PARTSIZE)"))
manifest: FORCE
$(MAKE) -s _check_profile
imagebuilder: add package signature verification The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-02 22:15:05 +00:00
$(MAKE) -s _check_keys
(unset PROFILE FILES PACKAGES MAKEFLAGS; \
$(MAKE) -s _call_manifest \
$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \
$(if $(PACKAGES),USER_PACKAGES="$(PACKAGES)"))
package_whatdepends: FORCE
ifeq ($(PACKAGE),)
@echo 'Variable `PACKAGE` is not set but required by `whatdepends`'
@exit 1
endif
@$(MAKE) -s package_reload
ifeq ($(CONFIG_USE_APK),)
@$(OPKG) list --depends $(PACKAGE)
else
@$(APK) list --depends $(PACKAGE)
endif
package_depends: FORCE
ifeq ($(PACKAGE),)
@echo 'Variable `PACKAGE` is not set but required by `package_depends`'
@exit 1
endif
@$(MAKE) -s package_reload
ifeq ($(CONFIG_USE_APK),)
@$(OPKG) depends -A $(PACKAGE)
else
@$(OPKG) whatdepends -A $(PACKAGE)
endif
.SILENT: help info image manifest package_whatdepends package_depends