[OpenWrt-Devel] RFI: OpenWRT Upgrade System; ENH,SEC suggestions

Wes Turner wes.turner at gmail.com
Sat Feb 1 11:39:45 EST 2020

Saw this post and thought I'd forward it along here.

It's definitely an issue that the sha256 checksum check was broken.
But, can someone explain why a person who is MITM'ing ipk downloads
would change the package and not the checksum?
Are there GPG signatures of the package checksums signed with a key
that ships with the release?
Are package repos downloaded over HTTPS? Is there a CA bundle in the
release with which repo x.509 certs are validated?
I installed newest version OpenWRT on a popular brand, recently
manufactured wireless router last week.

The OpenWRT firmware couldn't access https sites without installing
multiple packages first. Then they had me install all the root certs
over an unencrypted connection. The opkg repos and install files are
all downloaded over http.

With full seriousness, I really hope nobody expects operational
security using these routers.

There's likely some misunderstanding here.
Is there a wiki page or similar describing how package repo catalogs,
packages, and firmware image updates are

- https://en.wikipedia.org/wiki/The_Update_Framework_(TUF) is a great read.
  - https://theupdateframework.io/
  - https://github.com/theupdateframework/specification/blob/master/tuf-spec.md
re: "Thandy"
- "PEP 458 -- Secure PyPI downloads with package signing"
- "PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model"

Side note: something like these would be great to have; IDK which
repos are appropriate for possible new issues to be owned by someone
who knows what is going on:

ENH: CDN for package repos and latest version file
ENH,SEC: firmware update check script
ENH,SEC: send an email when the firmware is out of date
ENH,SEC: luci: display firmware update check result and link to latest firmware

ENH,SEC: add package repo (and firmware?) signing key to keyring

ENH,SEC: include ca-certificates and/or openwrt-certificates in builds?

Thought I'd forward this along,
It seemed deserving of review for something with time to review

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list