base-files: introduce sysupgrade signature chain verification
Verify ucert signature chains in sysupgrade images in case ucert is installed and $CHECK_IMAGE_SIGNATURE = 1. Also make sure the ucert host binary is present and generate a self-signed ucert in case $TOPDIR/key-build.ucert is missing. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
parent
ec78f03de5
commit
8174853c78
@ -12,11 +12,11 @@ include $(INCLUDE_DIR)/version.mk
|
|||||||
include $(INCLUDE_DIR)/feeds.mk
|
include $(INCLUDE_DIR)/feeds.mk
|
||||||
|
|
||||||
PKG_NAME:=base-files
|
PKG_NAME:=base-files
|
||||||
PKG_RELEASE:=194
|
PKG_RELEASE:=195
|
||||||
PKG_FLAGS:=nonshared
|
PKG_FLAGS:=nonshared
|
||||||
|
|
||||||
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
|
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
|
||||||
PKG_BUILD_DEPENDS:=usign/host
|
PKG_BUILD_DEPENDS:=usign/host ucert/host
|
||||||
PKG_LICENSE:=GPL-2.0
|
PKG_LICENSE:=GPL-2.0
|
||||||
|
|
||||||
# Extend depends from version.mk
|
# Extend depends from version.mk
|
||||||
@ -102,6 +102,9 @@ ifdef CONFIG_SIGNED_PACKAGES
|
|||||||
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
|
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
|
||||||
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
|
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
|
||||||
|
|
||||||
|
[ -s $(BUILD_KEY).ucert ] || \
|
||||||
|
$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
|
||||||
|
|
||||||
endef
|
endef
|
||||||
|
|
||||||
define Package/base-files/install-key
|
define Package/base-files/install-key
|
||||||
|
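Review bot: The new recipe line `$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)` writes the certificate straight to its final path, so if `ucert -I` fails after creating the file, a truncated `$(BUILD_KEY).ucert` may be left behind and the `[ -s $(BUILD_KEY).ucert ] ||` guard would then skip regeneration on every later run. Writing to a temporary name and renaming on success avoids that: `$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert.tmp -p $(BUILD_KEY).pub -s $(BUILD_KEY) && mv $(BUILD_KEY).ucert.tmp $(BUILD_KEY).ucert`. The purpose of the new step also deserves a comment next to the existing usign key generation, e.g. `# Self-signed ucert for the local build key, rooted in the usign key generated above`. The define this hunk belongs to starts above the hunk (under ifdef CONFIG_SIGNED_PACKAGES), so the enclosing recipe's name is not visible here.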
@ -1,3 +1,28 @@
|
|||||||
|
fwtool_check_signature() {
|
||||||
|
[ $# -gt 1 ] && return 1
|
||||||
|
|
||||||
|
[ ! -x /usr/bin/ucert ] && {
|
||||||
|
if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
|
||||||
|
return 1
|
||||||
|
else
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
|
||||||
|
echo "Image signature not found"
|
||||||
|
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
|
||||||
|
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
|
||||||
|
}
|
||||||
|
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
|
||||||
|
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
|
||||||
fwtool_check_image() {
|
fwtool_check_image() {
|
||||||
[ $# -gt 1 ] && return 1
|
[ $# -gt 1 ] && return 1
|
||||||
|
|
||||||
|
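Review bot: The availability check `[ ! -x /usr/bin/ucert ] && {` tests a fixed path, while the verification line `ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys` resolves `ucert` through PATH, so the two can disagree about which binary (if any) is used; invoke the same path in both places, e.g. `/usr/bin/ucert -V -m "$1" -c /tmp/sysupgrade.ucert -P /etc/opkg/keys`. The extracted certificate is also left at the fixed path /tmp/sysupgrade.ucert after verification; removing it once `ucert -V` has run keeps a stale copy from lingering on the device. The trailing `return $?` after a blank line is redundant, since the function already returns the status of its last command. Note too that the commit message refers to `$CHECK_IMAGE_SIGNARURE`, while the code reads `REQUIRE_IMAGE_SIGNATURE`; the description should name the variable that is actually consulted.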
@ -136,7 +136,7 @@ add_overlayfiles() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# hooks
|
# hooks
|
||||||
sysupgrade_image_check="fwtool_check_image platform_check_image"
|
sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image"
|
||||||
|
|
||||||
if [ $SAVE_OVERLAY = 1 ]; then
|
if [ $SAVE_OVERLAY = 1 ]; then
|
||||||
[ ! -d /overlay/upper/etc ] && {
|
[ ! -d /overlay/upper/etc ] && {
|
||||||
|
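Review bot: The hook order in `sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image"` is load-bearing but undocumented: fwtool_check_signature runs `fwtool -q -t -s /tmp/sysupgrade.ucert "$1"`, which truncates the signature trailer from the image in place, so the signature must be verified before fwtool_check_image (whose body is not in this hunk and may itself operate on the image) runs. A comment above the assignment would make that explicit, e.g. `# fwtool_check_signature must run first: it verifies the image and then strips the trailing signature`. The `if [ $SAVE_OVERLAY = 1 ]` block at the end of the hunk continues outside it.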