diff options
author | Daniel Golle <daniel@makrotopia.org> | 2018-01-15 03:37:17 +0100 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2018-08-08 02:22:54 +0200 |
commit | 8174853c78f88b854ac66a3f0a5380d36ededa9a (patch) | |
tree | 90db16f8c8ced86a8329cb98b87b7e593a435acc /package/base-files/files | |
parent | ec78f03de589adc9bd47a02d723d7054510601dd (diff) | |
download | upstream-8174853c78f88b854ac66a3f0a5380d36ededa9a.tar.gz upstream-8174853c78f88b854ac66a3f0a5380d36ededa9a.tar.bz2 upstream-8174853c78f88b854ac66a3f0a5380d36ededa9a.zip |
base-files: introduce sysupgrade signature chain verification
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'package/base-files/files')
-rw-r--r-- | package/base-files/files/lib/upgrade/fwtool.sh | 25 | ||||
-rwxr-xr-x | package/base-files/files/sbin/sysupgrade | 2 |
2 files changed, 26 insertions, 1 deletions
diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh index aa2ac79d13..3f28fccd90 100644 --- a/package/base-files/files/lib/upgrade/fwtool.sh +++ b/package/base-files/files/lib/upgrade/fwtool.sh @@ -1,3 +1,28 @@ +fwtool_check_signature() { + [ $# -gt 1 ] && return 1 + + [ ! -x /usr/bin/ucert ] && { + if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then + return 1 + else + return 0 + fi + } + + if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then + echo "Image signature not found" + [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && { + echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware" + } + [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1 + return 0 + fi + + ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys + + return $? +} + fwtool_check_image() { [ $# -gt 1 ] && return 1 diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade index c9615e54c3..3cebfb68e0 100755 --- a/package/base-files/files/sbin/sysupgrade +++ b/package/base-files/files/sbin/sysupgrade @@ -136,7 +136,7 @@ add_overlayfiles() { } # hooks -sysupgrade_image_check="fwtool_check_image platform_check_image" +sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image" if [ $SAVE_OVERLAY = 1 ]; then [ ! -d /overlay/upper/etc ] && { |