OpenWRT (ucert) signature check during upgrade
Henrique de Moraes Holschuh
henrique at nic.br
Fri Aug 7 15:31:01 EDT 2020
On 07/08/2020 09:47, Andrii Voloshyn wrote:
> I'd like to use signature verification during sysupgrade, but at the moment I get "Image check failed" message.
> Similar to what guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704

Keep in mind that, for security purposes, optional signatures are useless.
You will have to change things so that your firmware *requires* the
signature to be always present. No backwards compatibility with
unsigned images is possible.

As a rule, an optional metadata field at the *end* of an image is
useless for either security or corruption checking purposes. All it
takes is the most common download issue of them all: truncation. The end
of the file isn't there (because it was truncated early enough), the
*optional* metadata isn't there, but enough of the headers made it
through to look like a valid image to sysupgrade. The corrupt
(incomplete) file is accepted and used, despite the fact that the
original had checksum metadata and signatures. Not Good[tm].

Prepending the metadata allows it to protect properly against download
truncation, but if the presence of signature metadata is still optional,
prepended or not it will still be useless as far as *security* goes.

The proper answer is *requiring* the metadata and signature to be
present. It resolves both issues, regardless of whether the metadata is
prepended or appended to the image.

What you're going to do about "sysupgrade -F" and direct flashing is
another angle to think about, as well...

--
Henrique de Moraes Holschuh
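
The truncation argument above, as an added example that is not part of the original message and is not OpenWrt or ucert code: a checker run over a constructed toy image with appended metadata, under an "optional" and a "required" policy. The image layout, the names, and the HMAC standing in for a real public-key signature are all assumptions made for illustration.

```python
import hashlib, hmac, struct

MAGIC = b"FWIM"            # constructed header magic, not a real OpenWrt format
TRAILER_TAG = b"SIGTRAIL"  # constructed marker for the appended metadata
KEY = b"constructed-demo-key"  # HMAC stands in for a real public-key signature
TRAILER_LEN = len(TRAILER_TAG) + 8 + 32  # tag + body length + MAC


def build_image(payload: bytes, signed: bool = True) -> bytes:
    """Header + payload, optionally followed by the metadata trailer."""
    body = MAGIC + payload
    if not signed:
        return body
    mac = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + TRAILER_TAG + struct.pack(">Q", len(body)) + mac


def check_image(image: bytes, require_signature: bool) -> str:
    """Return 'accept' or a 'reject: ...' reason for the given policy."""
    if not image.startswith(MAGIC):
        return "reject: bad header"
    trailer = image[-TRAILER_LEN:]
    has_trailer = (len(image) >= len(MAGIC) + TRAILER_LEN
                   and trailer.startswith(TRAILER_TAG))
    if not has_trailer:
        # Optional policy: a missing trailer is indistinguishable from an
        # unsigned image, so a truncated download falls through to accept.
        return "reject: signature missing" if require_signature else "accept"
    body = image[:-TRAILER_LEN]
    (length,) = struct.unpack(">Q", trailer[8:16])
    mac = hmac.new(KEY, body, hashlib.sha256).digest()
    if length != len(body) or not hmac.compare_digest(mac, trailer[16:]):
        return "reject: signature mismatch"
    return "accept"


def demo() -> dict:
    """Verdict for each constructed image under each policy."""
    good = build_image(b"\x00" * 4096)
    cases = {
        "good": good,
        "truncated": good[:2048],  # download cut off before the trailer
        "unsigned": build_image(b"\x01" * 4096, signed=False),
    }
    return {(name, policy): check_image(img, policy == "required")
            for name, img in cases.items()
            for policy in ("optional", "required")}
```

Under the optional policy the truncated file is accepted even though the original carried a valid trailer; only the required policy rejects it.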