From patchwork Wed Aug 26 08:24:55 2020
X-Patchwork-Submitter: Paul Spooren
X-Patchwork-Id: 1351706
From: Paul Spooren
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] imagebuilder: add package signature verification
Date: Tue, 25 Aug 2020 22:24:55 -1000
Message-Id: <20200826082455.82021-1-mail@aparcar.org>
List-Id: OpenWrt Development List
Cc: Paul Spooren

The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures, as enabled per default on running OpenWrt devices.

Until now this was disabled for ImageBuilders because neither the OPKG keys nor the `opkg-add` script was present during first packagelist update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing OPKG to verify downloaded package indices.

This commit adds `opkg-add` to the IB scripts folder, as it is just a shell script. The keys folder is added to IB's TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file.
All of the above only happens if the Buildbot runs with the SIGNED_PACKAGES option. Signed-off-by: Paul Spooren --- This patch requires the following two patches: * opkg: allow to configure the path to the signature verification script https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-baptiste@bitsofnetworks.org/ * build: opkg-key variable key folder https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-mail@aparcar.org/ In combination this should resolve the following 20.x goal: * Improve security of ImageBuilder - Check signatures I'm shaken by the fact that ImageBuilders downloaded packages via HTTP and without OPKG signature checks by default - fun target/imagebuilder/Makefile | 6 ++++++ target/imagebuilder/files/Makefile | 2 ++ 2 files changed, 8 insertions(+) diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile index ad19ab2b53..2a4e9263db 100644 --- a/target/imagebuilder/Makefile +++ b/target/imagebuilder/Makefile @@ -43,6 +43,12 @@ endif echo '' >> $(PKG_BUILD_DIR)/repositories.conf echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf echo 'src imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf +ifneq ($(CONFIG_SIGNED_PACKAGES),) + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/ +endif $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index 326dd2ba2f..98769d93de 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile 
@@ -64,8 +64,10 @@ help: FORCE # override variables from rules.mk PACKAGE_DIR:=$(TOPDIR)/packages LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) +export OPKG_KEYS:=$(TOPDIR)/keys OPKG:=$(call opkg,$(TARGET_DIR)) \ -f $(TOPDIR)/repositories.conf \ + --verify-program $(SCRIPT_DIR)/opkg-key \ --cache $(DL_DIR) \ --lists-dir $(LISTS_DIR)
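Review bot: in target/imagebuilder/Makefile, `option check_signature` is appended directly after `src imagebuilder file:packages`, so as written it reads as covering the local feed as well as the remote ones, and nothing in this hunk produces a signature for the local package index. Either sign that index when the ImageBuilder generates it, or state in the commit message how the local feed is expected to pass verification. Separately, the commit message says `opkg-add` is added to the scripts folder, but the line here copies `$(STAGING_DIR_ROOT)/usr/sbin/opkg-key`; the message should name the script that is actually installed.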
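Review bot: in target/imagebuilder/files/Makefile, `export OPKG_KEYS:=$(TOPDIR)/keys` and `--verify-program $(SCRIPT_DIR)/opkg-key` are added unconditionally, while the other hunk installs `keys/` and `scripts/opkg-key` only under `ifneq ($(CONFIG_SIGNED_PACKAGES),)`. An ImageBuilder produced without SIGNED_PACKAGES then hands opkg a verify program and key directory that were never shipped; guard these two lines the same way or on the files existing, or document that a user who adds `option check_signature` by hand must supply both. Using `:=` also overrides an OPKG_KEYS value passed in through the environment, so `?=` may fit better with the stated goal of giving users a place for their own keys.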