OpenWRT (ucert) signature check during upgrade

Henrique de Moraes Holschuh henrique at
Fri Aug 7 15:31:01 EDT 2020

On 07/08/2020 09:47, Andrii Voloshyn wrote:
> I'd like to use signature verification during sysupgrade, but at the moment I get "Image check failed" message.
> Similar to what guys mentioned here:

Keep in mind that, for security purposes, optional signatures are useless.

You will have to change things so that your firmware *requires* the 
signature to be always present.  No backwards compatibility with 
unsigned images is possible.

As a rule, an optional metadata field at the *end* of an image is 
useless for either security or corruption checking purposes.  All it 
takes is the most common download issue of them all: truncation. The end 
of the file isn't there (because it was truncated early enough), the 
*optional* metadata isn't there, but enough of the headers made it 
through to look like a valid image to sysupgrade.  The corrupt 
(incomplete) file is accepted and used, despise the fact that the 
original had checksum metadata and signatures.  Not Good[tm].

Prepending the metadata allows it to protect properly against download 
truncation, but if the presence of signature metadata is still optional, 
prepended or not it will still be useless as far as *security* goes.

The proper answer is *requiring* the metadata and signature to be 
present.  It resolves both issues, regardless of whether the metadata is 
prepended or appended to the image.

What you're going to do about "sysupgrade -F" and direct flashing is 
another angle to think about, as well...

Henrique de Moraes Holschuh

More information about the openwrt-devel mailing list