Message ID | 20200916012457.1748220-1-mail@aparcar.org |
---|---|
State | Superseded |
Series | [v2] imagebuilder: add package signature verification |
On Tue Sep 15, 2020 at 3:24 PM HST, Paul Spooren wrote:
> The ImageBuilder downloads pre-built packages and adds them to images.
> This process uses `opkg` which has the capability to verify package list
> signatures via `usign`, as enabled by default on running OpenWrt
> devices.
>
> Until now this was disabled for ImageBuilders because neither the `opkg`
> keys nor the `opkg-add` script was present during first packagelist
> update.
>
> To harden the ImageBuilder against *drive-by-download-attacks* both keys
> and verification script are added to the ImageBuilder allowing `opkg` to
> verify downloaded package indices.
>
> This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
> folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
> store their own keys. The `option check_signature` is appended to the
> repositories.conf file. All of the above only happens if the Buildbot
> runs with the SIGNATURE_CHECK option.
>
> The keys stored in the ImageBuilder keys/ folder are the same as stored
> within images in `/etc/opkg/keys`.
>
> To allow a local package feed in which the user can add additional
> packages, the local *imagebuilder* feed is set to `src/trusted` which
> skips signature verification only on this particular feed.
>
> Signed-off-by: Paul Spooren <mail@aparcar.org>

I chose a different approach: Generating `usign` keys via the ImageBuilder,
which doesn't require any `opkg` modifications (e.g. src/trusted).

This time it's a PR on GitHub: https://github.com/openwrt/openwrt/pull/3477

> ---
> target/imagebuilder/Makefile | 10 +++++++++-
> target/imagebuilder/files/Makefile | 2 ++
> 2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
> index ad19ab2b53..0cdc1f4d93 100644
> --- a/target/imagebuilder/Makefile
> +++ b/target/imagebuilder/Makefile
> @@ -42,7 +42,7 @@ endif > > echo '' >> $(PKG_BUILD_DIR)/repositories.conf > echo '## This is the local package repository, do not remove!' >> > $(PKG_BUILD_DIR)/repositories.conf > - echo 'src imagebuilder file:packages' >> > $(PKG_BUILD_DIR)/repositories.conf > + echo 'src/trusted imagebuilder file:packages' >> > $(PKG_BUILD_DIR)/repositories.conf > > $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf > > @@ -57,6 +57,14 @@ else > find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {} > $(PKG_BUILD_DIR)/packages/ \; > endif > > +ifneq ($(CONFIG_SIGNATURE_CHECK),) > + echo '' >> $(PKG_BUILD_DIR)/repositories.conf > + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf > + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys > + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ > + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key > $(PKG_BUILD_DIR)/scripts/ > +endif > + > $(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/ > if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \ > $(CP) $(TOPDIR)/staging_dir/host/lib/grub/ > $(PKG_BUILD_DIR)/staging_dir/host/lib; \ > diff --git a/target/imagebuilder/files/Makefile > b/target/imagebuilder/files/Makefile > index 27d3cfa8df..56b70f16b5 100644 > --- a/target/imagebuilder/files/Makefile > +++ b/target/imagebuilder/files/Makefile > @@ -64,8 +64,10 @@ help: FORCE > # override variables from rules.mk > PACKAGE_DIR:=$(TOPDIR)/packages > LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst > /,$(space),$(TARGET_DIR))))$(DL_DIR) > +export OPKG_KEYS:=$(TOPDIR)/keys > OPKG:=$(call opkg,$(TARGET_DIR)) \ > -f $(TOPDIR)/repositories.conf \ > + --verify-program $(SCRIPT_DIR)/opkg-key \ > --cache $(DL_DIR) \ > --lists-dir $(LISTS_DIR) > > -- > 2.25.1
diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile index ad19ab2b53..0cdc1f4d93 100644 --- a/target/imagebuilder/Makefile +++ b/target/imagebuilder/Makefile @@ -42,7 +42,7 @@ endif echo '' >> $(PKG_BUILD_DIR)/repositories.conf echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf - echo 'src imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf + echo 'src/trusted imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf @@ -57,6 +57,14 @@ else find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {} $(PKG_BUILD_DIR)/packages/ \; endif +ifneq ($(CONFIG_SIGNATURE_CHECK),) + echo '' >> $(PKG_BUILD_DIR)/repositories.conf + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/ +endif + $(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/ if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \ $(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \ diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index 27d3cfa8df..56b70f16b5 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile @@ -64,8 +64,10 @@ help: FORCE # override variables from rules.mk PACKAGE_DIR:=$(TOPDIR)/packages LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) +export OPKG_KEYS:=$(TOPDIR)/keys OPKG:=$(call opkg,$(TARGET_DIR)) \ -f $(TOPDIR)/repositories.conf \ + --verify-program $(SCRIPT_DIR)/opkg-key \ --cache $(DL_DIR) \ --lists-dir $(LISTS_DIR)
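Review bot: in the first hunk of target/imagebuilder/Makefile the switch to `echo 'src/trusted imagebuilder file:packages'` is unconditional, sitting outside the `ifneq ($(CONFIG_SIGNATURE_CHECK),)` guard that the second hunk adds, so every ImageBuilder ships a repositories.conf using a feed type that the opkg in this tree does not understand (the follow-up reply drops the approach precisely because `src/trusted` needs opkg modifications). Either keep `src imagebuilder file:packages` when signature checking is off, or land the opkg change that teaches it `src/trusted` first and reference it from the commit message.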
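Review bot: the second hunk copies `$(STAGING_DIR_ROOT)/usr/sbin/opkg-key` into `$(PKG_BUILD_DIR)/scripts/`, but the commit message twice calls the script `opkg-add`; the message should be corrected to `opkg-key`. In the same hunk `$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys` is redundant with the following `$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/`, which recreates `keys` under the destination itself; copying the contents explicitly, e.g. `$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/* $(PKG_BUILD_DIR)/keys/`, states the intent and fails the build if the staging key directory is empty, instead of silently producing an ImageBuilder that rejects every signed feed.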
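Review bot: in the target/imagebuilder/files/Makefile hunk, `export OPKG_KEYS:=$(TOPDIR)/keys` and `--verify-program $(SCRIPT_DIR)/opkg-key` are added unconditionally, while `keys/` and `scripts/opkg-key` only exist in builders produced with CONFIG_SIGNATURE_CHECK set. That is only safe as long as opkg never runs the verify program without `option check_signature` in repositories.conf; a one-line comment stating that dependency, or guarding the two lines the same way, would keep a later opkg change from turning every unsigned ImageBuilder's first `opkg update` into a failure. The `help:` target shown in this hunk's context should also mention the `keys/` directory, since the commit message presents it as the place for users to drop their own keys.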
The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled by default on running OpenWrt devices.

Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ folder are the same as stored within images in `/etc/opkg/keys`.

To allow a local package feed in which the user can add additional packages, the local *imagebuilder* feed is set to `src/trusted` which skips signature verification only on this particular feed.

Signed-off-by: Paul Spooren <mail@aparcar.org>
---
target/imagebuilder/Makefile | 10 +++++++++-
target/imagebuilder/files/Makefile | 2 ++
2 files changed, 11 insertions(+), 1 deletion(-)
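The trust model the commit message describes, as an added example that is not code from this page, OpenWrt, opkg or usign: with `option check_signature` every feed except the local `src/trusted` one must ship a valid `Packages.sig`; the signature carries an 8-byte key id that selects the key file in `keys/` by its hex name; the Ed25519 signature over the raw index is then checked. Assumptions beyond the page: a textbook Ed25519 stands in for usign's implementation; the usign file layout is modelled as an "untrusted comment" line followed by base64 of `Ed`, an 8-byte key id and the key or signature; the key id is derived as the first 8 bytes of SHA-512 of the public key (how real usign picks it is not relied on); the key, index and repositories.conf are constructed; `feed_policy`, `verify_index` and the other names are the example's own.

```python
# Added example (not OpenWrt, opkg or usign code): with `option check_signature` every
# feed but a `src/trusted` one needs a valid Packages.sig; its 8-byte key id names the key file.
import base64
import hashlib

Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # group order
D = -121665 * pow(121666, Q - 2, Q) % Q

def _xrecover(y):  # textbook Ed25519 arithmetic: slow, included only so the example runs offline
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * pow(2, (Q - 1) // 4, Q) % Q
    return Q - x if x & 1 else x

_BY = 4 * pow(5, Q - 2, Q) % Q
_B = (_xrecover(_BY), _BY)  # base point

def _add(p, r):  # complete twisted-Edwards addition, also used for doubling
    (x1, y1), (x2, y2) = p, r
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(p, e):  # double-and-add, not constant time
    r = (0, 1)
    while e:
        r = _add(r, p) if e & 1 else r
        p, e = _add(p, p), e >> 1
    return r

def _enc(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    x = Q - x if (x & 1) != (s[31] >> 7) else x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return x, y

def _clamp(h):
    return (int.from_bytes(h[:32], "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)

def ed25519_keypair(seed):  # 32-byte seed -> 32-byte public key
    return _enc(_mul(_B, _clamp(hashlib.sha512(seed).digest())))

def ed25519_sign(seed, pk, msg):
    h = hashlib.sha512(seed).digest()
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % L
    rb = _enc(_mul(_B, r))
    k = int.from_bytes(hashlib.sha512(rb + pk + msg).digest(), "little") % L
    return rb + ((r + k * _clamp(h)) % L).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    try:
        r, a = _dec(sig[:32]), _dec(pk)
    except (ValueError, IndexError):
        return False
    s = int.from_bytes(sig[32:64], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return len(sig) == 64 and s < L and _mul(_B, s) == _add(r, _mul(a, k))

def usign_blob(keyid, payload, comment):  # .pub/.sig: comment line + base64("Ed"+id+payload)
    return "untrusted comment: %s\n%s\n" % (
        comment, base64.b64encode(b"Ed" + keyid + payload).decode())

def usign_parse(text):
    raw = base64.b64decode(text.splitlines()[1])
    if raw[:2] != b"Ed" or len(raw) not in (42, 74):
        raise ValueError("not a usign Ed25519 key or signature")
    return raw[2:10], raw[10:]

def feed_policy(conf):  # feed name -> must its index be signed? src/trusted is exempt
    lines = [ln.split() for ln in conf.splitlines()]
    check = ["option", "check_signature"] in lines
    return {f[1]: check and f[0] != "src/trusted" for f in lines
            if len(f) == 3 and f[0] in ("src", "src/gz", "src/trusted")}

def verify_index(keys, packages, sig_text):  # keys: hex id -> .pub text (the keys/ dir)
    try:
        keyid, sig = usign_parse(sig_text)
        pub_keyid, pk = usign_parse(keys[keyid.hex()])  # unknown id -> KeyError -> reject
    except (KeyError, ValueError):
        return False
    return pub_keyid == keyid and ed25519_verify(pk, packages, sig)

# Constructed data: a throwaway key, a tiny Packages index and the patch's repositories.conf.
SEED = hashlib.sha256(b"example seed, not a real OpenWrt key").digest()
PUBKEY = ed25519_keypair(SEED)
KEYID = hashlib.sha512(PUBKEY).digest()[:8]  # assumption: real usign may derive ids differently
KEYS = {KEYID.hex(): usign_blob(KEYID, PUBKEY, "example key")}
PACKAGES = b"Package: example\nVersion: 1.0-1\nFilename: example_1.0-1_all.ipk\n\n"
PACKAGES_SIG = usign_blob(KEYID, ed25519_sign(SEED, PUBKEY, PACKAGES), "signed index")
REPOS_CONF = "src/gz openwrt_core https://example.invalid/packages\n" \
             "src/trusted imagebuilder file:packages\noption check_signature\n"
```

`feed_policy(REPOS_CONF)` marks `openwrt_core` as requiring a signature and `imagebuilder` as exempt, which is exactly the split the patch relies on; `verify_index` accepts the genuine index and rejects a tampered copy, a signature naming a key id not present in `keys/`, or a malformed blob. The curve code is deliberately naive (variable-time inversions and double-and-add); the part worth keeping in mind is the lookup of the key by the id the signature itself supplies, which is why the contents of `keys/` define what the ImageBuilder trusts.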