[PATCH] imagebuilder: add package signature verification
Paul Spooren
mail at aparcar.org
Mon Sep 14 01:36:12 EDT 2020
Hi,
On Tue Aug 25, 2020 at 10:24 PM HST, Paul Spooren wrote:
> The ImageBuilder downloads pre-built packages and adds them to images.
> This process uses `opkg` which has the capability to verify package list
> signatures, as enabled per default on running OpenWrt devices.
>
> Until now this was disabled for ImageBuilders because neither the OPKG
> keys nor the `opkg-add` script was present during first packagelist
> update.
>
> To harden the ImageBuilder against *drive-by-download-attacks* both keys
> and verification script are added to the ImageBuilder allowing OPKG to
> verify downloaded package indices.
>
> This commit adds `opkg-add` to the IB scripts folder, as it is just a
> shell script. The keys folder is added to IBs TOPDIR to have an obvious
> place for users to store their own keys. The `option check_signature` is
> appended to the repositories.conf file. All of the above only happens if
> the Buildbot runs with the SIGNED_PACKAGES option.
>
> Signed-off-by: Paul Spooren <mail at aparcar.org>
> ---
> This patch requires the following two patches:
>
> * opkg: allow to configure the path to the signature verification script
> https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-baptiste@bitsofnetworks.org/
Merged
>
> * build: opkg-key variable key folder
> https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-mail@aparcar.org/
Merged
Please somebody review this, the dependencies are all merged. This is a
"blocker" for 20.x (based on the goals site and my opinion).
Best,
Paul
>
> In combination this should resolve the following 20.x goal:
> * Improve security of ImageBuilder - Check signatures
>
> I'm shaken by the fact that ImageBuilders downloaded packages via HTTP
> and without OPKG signature checks by default - fun
>
> target/imagebuilder/Makefile | 6 ++++++
> target/imagebuilder/files/Makefile | 2 ++
> 2 files changed, 8 insertions(+)
>
> diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
> index ad19ab2b53..2a4e9263db 100644
> --- a/target/imagebuilder/Makefile
> +++ b/target/imagebuilder/Makefile
> @@ -43,6 +43,12 @@ endif
> echo '' >> $(PKG_BUILD_DIR)/repositories.conf
> echo '## This is the local package repository, do not remove!' >>
> $(PKG_BUILD_DIR)/repositories.conf
> echo 'src imagebuilder file:packages' >>
> $(PKG_BUILD_DIR)/repositories.conf
> +ifneq ($(CONFIG_SIGNED_PACKAGES),)
> + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
> + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
> + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
> + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key
> $(PKG_BUILD_DIR)/scripts/
> +endif
>
> $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
>
> diff --git a/target/imagebuilder/files/Makefile
> b/target/imagebuilder/files/Makefile
> index 326dd2ba2f..98769d93de 100644
> --- a/target/imagebuilder/files/Makefile
> +++ b/target/imagebuilder/files/Makefile
> @@ -64,8 +64,10 @@ help: FORCE
> # override variables from rules.mk
> PACKAGE_DIR:=$(TOPDIR)/packages
> LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst
> /,$(space),$(TARGET_DIR))))$(DL_DIR)
> +export OPKG_KEYS:=$(TOPDIR)/keys
> OPKG:=$(call opkg,$(TARGET_DIR)) \
> -f $(TOPDIR)/repositories.conf \
> + --verify-program $(SCRIPT_DIR)/opkg-key \
> --cache $(DL_DIR) \
> --lists-dir $(LISTS_DIR)
>
> --
> 2.25.1
More information about the openwrt-devel
mailing list