aboutsummaryrefslogtreecommitdiffstats
path: root/target/imagebuilder/files
diff options
context:
space:
mode:
authorPaul Spooren <mail@aparcar.org>2020-11-02 12:15:05 -1000
committerDaniel Golle <daniel@makrotopia.org>2020-11-19 22:15:00 +0000
commit418362b1cc106b9aca3905150199f60548906fff (patch)
tree2d47ae0121e3c893975359dc9bc214d29ed597f5 /target/imagebuilder/files
parent2127accd441b1c979c8f3f56f3ad5264542e185a (diff)
downloadupstream-418362b1cc106b9aca3905150199f60548906fff.tar.gz
upstream-418362b1cc106b9aca3905150199f60548906fff.tar.bz2
upstream-418362b1cc106b9aca3905150199f60548906fff.zip
imagebuilder: add package signature verification
The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
Diffstat (limited to 'target/imagebuilder/files')
-rw-r--r--target/imagebuilder/files/Makefile33
1 files changed, 31 insertions, 2 deletions
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 0ce5f8b39b..65cba92b32 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -46,6 +46,7 @@ Building images:
make image BIN_DIR="<path>" # alternative output directory for the images
make image EXTRA_IMAGE_NAME="<string>" # Add this to the output image filename (sanitized)
make image DISABLED_SERVICES="<svc1> [<svc2> [<svc3> ..]]" # Which services in /etc/init.d/ should be disabled
+ make image ADD_LOCAL_KEY=1 # store locally generated signing key in built images
Print manifest:
List "all" packages which get installed into the image.
@@ -64,8 +65,10 @@ help: FORCE
# override variables from rules.mk
PACKAGE_DIR:=$(TOPDIR)/packages
LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
+export OPKG_KEYS:=$(TOPDIR)/keys
OPKG:=$(call opkg,$(TARGET_DIR)) \
-f $(TOPDIR)/repositories.conf \
+ --verify-program $(SCRIPT_DIR)/opkg-key \
--cache $(DL_DIR) \
--lists-dir $(LISTS_DIR)
@@ -133,7 +136,9 @@ package_index: FORCE
@echo Building package index... >&2
@mkdir -p $(TMP_DIR) $(TARGET_DIR)/tmp
(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . > Packages && \
- gzip -9nc Packages > Packages.gz \
+ gzip -9nc Packages > Packages.gz; \
+ $(if $(CONFIG_SIGNATURE_CHECK), \
+ $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY)); \
) >/dev/null 2>/dev/null
$(OPKG) update >&2 || true
@@ -165,9 +170,14 @@ prepare_rootfs: FORCE
@echo Finalizing root filesystem...
$(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG)
+ $(if $(CONFIG_SIGNATURE_CHECK), \
+ $(if $(ADD_LOCAL_KEY), \
+ OPKG_KEYS=$(TARGET_DIR)/etc/opkg/keys/ \
+ $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
+ ) \
+ )
$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
-
build_image: FORCE
@echo
@echo Building images...
@@ -206,8 +216,26 @@ ifneq ($(PROFILE),)
endif
endif
+_check_keys: FORCE
+ifneq ($(CONFIG_SIGNATURE_CHECK),)
+ @if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
+ echo Generate local signing keys... >&2; \
+ $(STAGING_DIR_HOST)/bin/usign -G \
+ -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"; \
+ $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub; \
+ fi
+ if [ ! -s $(BUILD_KEY).ucert ]; then \
+ echo Generate local certificate... >&2; \
+ $(STAGING_DIR_HOST)/bin/ucert -I \
+ -c $(BUILD_KEY).ucert \
+ -p $(BUILD_KEY).pub \
+ -s $(BUILD_KEY); \
+ fi
+endif
+
image:
$(MAKE) -s _check_profile
+ $(MAKE) -s _check_keys
(unset PROFILE FILES PACKAGES MAKEFLAGS; \
$(MAKE) -s _call_image \
$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \
@@ -218,6 +246,7 @@ image:
manifest: FORCE
$(MAKE) -s _check_profile
+ $(MAKE) -s _check_keys
(unset PROFILE FILES PACKAGES MAKEFLAGS; \
$(MAKE) -s _call_manifest \
$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \