[OpenWrt-Devel] RFC: check signatures of sysupgrades via ucert

Paul Spooren mail at aparcar.org
Tue Apr 23 18:02:49 EDT 2019


Hi all,

to improve security of the router sysupgrade process, it's sane to check
firmware images for signatures of trusted parties. While this should
always be optional (aka no vendor locking), it helps *basic* users to
easily verify that they are installing the image they intended.

It is already supported via ucert[0], but neither installed by default
nor really activate able by users. An improvement is done with this[1]
pull request, adding an UCI option and installing ucert by default (+176
Bytes).

Eventually all targets should support metadata and therefore signatures
within the metadata, once there, the image verification could be turned
on by default?

Please share your opinion!

Best,
Paul

[0]: https://git.openwrt.org/?p=project/ucert.git;a=summary
[1]: https://github.com/openwrt/openwrt/pull/1992



_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list