Message ID | 20191112100420.28117-1-mail@aparcar.org |
---|---|
State | Superseded |
Series | [OpenWrt-Devel,v3] build: separate signing logic | expand |
Bump On 11/12/19 12:04 AM, Paul Spooren wrote: > This separates the options for signature creation and verification > > * SIGNED_PACKAGES create Packages.sig > * SIGNED_IMAGES add ucert signature to created images > * CHECK_SIGNATURE add verification capabilities to images > * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys > > Right now the buildbot.git contains some hacks to create images that > have signature verification capabilities while not storing private keys > on buildbot slaves. This commit allows to disable these steps for the > buildbots and only perform signing on the master. > > Signed-off-by: Paul Spooren <mail@aparcar.org> > --- > v3: set "y if !BUILDBOT" to all new options > > config/Config-build.in | 12 ++++++++++-- > include/image-commands.mk | 13 ++++++++----- > package/base-files/Makefile | 18 ++++++++++-------- > 3 files changed, 28 insertions(+), 15 deletions(-) > > diff --git a/config/Config-build.in b/config/Config-build.in > index 872e5c12ab..af5de42ac6 100644 > --- a/config/Config-build.in > +++ b/config/Config-build.in > @@ -37,13 +37,21 @@ menu "Global build settings" > - Enabling per-device rootfs support > ... > > + config INSTALL_LOCAL_KEY > + bool "Install local usign key into image" > + default y if !BUILDBOT > + > config SIGNED_PACKAGES > bool "Cryptographically signed package lists" > - default y > + default y if !BUILDBOT > + > + config SIGNED_IMAGES > + bool "Cryptographically signed firmware images" > + default y if !BUILDBOT > > config SIGNATURE_CHECK > bool "Enable signature checking in opkg" > - default SIGNED_PACKAGES > + default y > > comment "General build options" > > diff --git a/include/image-commands.mk b/include/image-commands.mk > index 5dfd6a2c2f..3d10b18bc8 100644 > --- a/include/image-commands.mk > +++ b/include/image-commands.mk 
> @@ -373,11 +373,14 @@ metadata_json = \ > > define Build/append-metadata > $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@) > - [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \ > - cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ > - usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ > - ucert -A -c "$@.ucert" -x "$@.sig" ;\ > - fwtool -S "$@.ucert" "$@" ;\ > + [ -z "$(SIGNED_IMAGES)" \ > + -o ! -s "$(BUILD_KEY)" \ > + -o ! -s "$(BUILD_KEY).ucert" \ > + -o ! -s "$@" ] || { \ > + cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ > + usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ > + ucert -A -c "$@.ucert" -x "$@.sig" ;\ > + fwtool -S "$@.ucert" "$@" ;\ > } > endef > > diff --git a/package/base-files/Makefile b/package/base-files/Makefile > index addbac8664..3625f1320d 100644 > --- a/package/base-files/Makefile > +++ b/package/base-files/Makefile > @@ -37,7 +37,7 @@ endif > define Package/base-files > SECTION:=base > CATEGORY:=Base system > - DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool > + DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool > TITLE:=Base filesystem for OpenWrt > URL:=http://openwrt.org/ > VERSION:=$(PKG_RELEASE)-$(REVISION) > @@ -116,12 +116,6 @@ ifdef CONFIG_SIGNED_PACKAGES > $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY) > > endef > - > - define Package/base-files/install-key > - mkdir -p $(1)/etc/opkg/keys > - $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub` > - > - endef > endif > > ifeq ($(CONFIG_NAND_SUPPORT),) 
> @@ -130,9 +124,17 @@ ifeq ($(CONFIG_NAND_SUPPORT),) > endef > endif > > +ifdef CONFIG_INSTALL_LOCAL_KEY > + define Package/base-files/install-local-key > + mkdir -p $(1)/etc/opkg/keys > + $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \ > + -F -p $(BUILD_KEY).pub` > + endef > +endif > + > define Package/base-files/install > $(CP) ./files/* $(1)/ > - $(Package/base-files/install-key) > + $(Package/base-files/install-local-key) > $(Package/base-files/nand-support) > if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \ > $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
diff --git a/config/Config-build.in b/config/Config-build.in
index 872e5c12ab..af5de42ac6 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -37,13 +37,21 @@ menu "Global build settings"
 - Enabling per-device rootfs support
 ...
 
+ config INSTALL_LOCAL_KEY
+ bool "Install local usign key into image"
+ default y if !BUILDBOT
+
 config SIGNED_PACKAGES
 bool "Cryptographically signed package lists"
- default y
+ default y if !BUILDBOT
+
+ config SIGNED_IMAGES
+ bool "Cryptographically signed firmware images"
+ default y if !BUILDBOT
 
 config SIGNATURE_CHECK
 bool "Enable signature checking in opkg"
- default SIGNED_PACKAGES
+ default y
 
 comment "General build options"
 
diff --git a/include/image-commands.mk b/include/image-commands.mk
index 5dfd6a2c2f..3d10b18bc8 100644
--- a/include/image-commands.mk
+++ b/include/image-commands.mk
@@ -373,11 +373,14 @@ metadata_json = \
 
 define Build/append-metadata
 $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
- [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
- cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
- usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
- ucert -A -c "$@.ucert" -x "$@.sig" ;\
- fwtool -S "$@.ucert" "$@" ;\
+ [ -z "$(SIGNED_IMAGES)" \
+ -o ! -s "$(BUILD_KEY)" \
+ -o ! -s "$(BUILD_KEY).ucert" \
+ -o ! -s "$@" ] || { \
+ cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
+ usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
+ ucert -A -c "$@.ucert" -x "$@.sig" ;\
+ fwtool -S "$@.ucert" "$@" ;\
 }
 endef
 
diff --git a/package/base-files/Makefile b/package/base-files/Makefile
index addbac8664..3625f1320d 100644
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@@ -37,7 +37,7 @@ endif
 define Package/base-files
 SECTION:=base
 CATEGORY:=Base system
- DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
+ DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
 TITLE:=Base filesystem for OpenWrt
 URL:=http://openwrt.org/
 VERSION:=$(PKG_RELEASE)-$(REVISION)
@@ -116,12 +116,6 @@ ifdef CONFIG_SIGNED_PACKAGES
 $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
 
 endef
-
- define Package/base-files/install-key
- mkdir -p $(1)/etc/opkg/keys
- $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
-
- endef
 endif
 
 ifeq ($(CONFIG_NAND_SUPPORT),)
@@ -130,9 +124,17 @@ ifeq ($(CONFIG_NAND_SUPPORT),)
 endef
 endif
 
+ifdef CONFIG_INSTALL_LOCAL_KEY
+ define Package/base-files/install-local-key
+ mkdir -p $(1)/etc/opkg/keys
+ $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \
+ -F -p $(BUILD_KEY).pub`
+ endef
+endif
+
 define Package/base-files/install
 $(CP) ./files/* $(1)/
- $(Package/base-files/install-key)
+ $(Package/base-files/install-local-key)
 $(Package/base-files/nand-support)
 if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
 $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
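Review bot: The new and changed options on the `+` lines carry no `help` text and no `depends on`, so nothing expresses how they interact: `INSTALL_LOCAL_KEY` and `SIGNED_IMAGES` both consume `$(BUILD_KEY)`, whose generation the base-files hunk in this series leaves gated under `ifdef CONFIG_SIGNED_PACKAGES` (visible in that hunk's header), so enabling either with `SIGNED_PACKAGES` off appears to leave no key to install or sign with. Unless key generation is moved out from under `SIGNED_PACKAGES`, a `depends on SIGNED_PACKAGES` line on both new symbols, e.g. `config INSTALL_LOCAL_KEY` / `bool "Install local usign key into image"` / `depends on SIGNED_PACKAGES`, would turn that combination into a Kconfig constraint instead of a build-time surprise. Making `SIGNATURE_CHECK` `default y` independent of `SIGNED_PACKAGES` is the fail-closed direction and worth keeping, but a build with `SIGNED_PACKAGES=n` then ships an opkg that rejects its own unsigned package index; a `help` block on `SIGNATURE_CHECK` should say so and state which keys are presumably trusted (the upstream keyring pulled in by the base-files `DEPENDS` change, plus the local key when `INSTALL_LOCAL_KEY` is set).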
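Review bot: `$(SIGNED_IMAGES)` on the first `+` line of the test does not match how the rest of the series reads config symbols from make — the base-files hunks use `ifdef CONFIG_INSTALL_LOCAL_KEY` and `ifdef CONFIG_SIGNED_PACKAGES` — and nothing in the diff defines an unprefixed `SIGNED_IMAGES`; if it is unset, `-z ""` is true, the `||` short-circuits and no image is ever signed, with no message. Presumably the line should read `[ -z "$(CONFIG_SIGNED_IMAGES)" \`. The guard also still fails open: with the option on but `$(BUILD_KEY)` or `$(BUILD_KEY).ucert` empty or missing, an unsigned image is produced and the build succeeds, so a user who enabled "Cryptographically signed firmware images" gets no indication that the signature is absent; a line before the test such as `$(if $(CONFIG_SIGNED_IMAGES),[ -s "$(BUILD_KEY)" -a -s "$(BUILD_KEY).ucert" ] || echo "WARNING: $@ not signed, $(BUILD_KEY) missing" >&2)`, or a hard failure, would make that visible. Build/append-metadata is complete within the hunk.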
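Review bot: With `+SIGNATURE_CHECK:openwrt-keyring` on the changed `DEPENDS` line, every image built with `SIGNATURE_CHECK=y` presumably trusts the upstream OpenWrt release keys, and the local key is only added on top when `INSTALL_LOCAL_KEY` is on; a private build that wants opkg to accept nothing but its own key has no option to leave the upstream keyring out short of editing this line. That coupling is not new in this commit, but the series is what separates these knobs, so it is the place to decide whether the keyring should be its own option, or at least to document the resulting trust set next to the dependency, e.g. `# SIGNATURE_CHECK trusts the upstream keyring, plus the local key when INSTALL_LOCAL_KEY is set`. The Package/base-files definition continues outside the hunk.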
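Review bot: `Package/base-files/install-local-key` copies `$(BUILD_KEY).pub` without checking that it exists, and the destination name comes from a backtick `usign -F -p` whose failure is not caught: if the key is absent the `$(CP)` dies with a bare copy error, and if `usign -F` fails or prints nothing the file lands in `$(1)/etc/opkg/keys/` under its original name, where opkg presumably will not find it by fingerprint, yet the build still succeeds. A guard as the first recipe line, `[ -s $(BUILD_KEY).pub ] || { echo "INSTALL_LOCAL_KEY is set but $(BUILD_KEY).pub is missing" >&2; exit 1; }`, makes the failure explicit; this matters because the key appears to be generated only under `ifdef CONFIG_SIGNED_PACKAGES` (the context of the preceding hunk), so `INSTALL_LOCAL_KEY=y` with `SIGNED_PACKAGES=n` is a plausible configuration. Splitting the `usign` call across a `\`-continued line inside backticks is also harder to read than the removed one-line form; capturing the fingerprint in a shell variable first would avoid both problems. Package/base-files/install continues past the end of the hunk.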
This separates the options for signature creation and verification:

* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* SIGNATURE_CHECK add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit allows disabling these steps for the
buildbots and only performing signing on the master.

Signed-off-by: Paul Spooren <mail@aparcar.org>
---
v3: set "y if !BUILDBOT" to all new options

 config/Config-build.in      | 12 ++++++++++--
 include/image-commands.mk   | 13 ++++++++-----
 package/base-files/Makefile | 18 ++++++++++--------
 3 files changed, 28 insertions(+), 15 deletions(-)