authorDaniel Golle <daniel@makrotopia.org>2018-01-15 03:37:17 +0100
committerDaniel Golle <daniel@makrotopia.org>2018-08-08 02:22:54 +0200
commit8174853c78f88b854ac66a3f0a5380d36ededa9a (patch)
tree90db16f8c8ced86a8329cb98b87b7e593a435acc /package/base-files/files
parentec78f03de589adc9bd47a02d723d7054510601dd (diff)
base-files: introduce sysupgrade signature chain verification
Verify ucert signature chains in sysupgrade images in case ucert is installed and $CHECK_IMAGE_SIGNARURE = 1. Also make sure ucert host binary is present and generate a self-signed ucert in case $TOPDIR/key-build.ucert is missing. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'package/base-files/files')
-rw-r--r--package/base-files/files/lib/upgrade/fwtool.sh25
-rwxr-xr-xpackage/base-files/files/sbin/sysupgrade2
2 files changed, 26 insertions, 1 deletions
diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
index aa2ac79d13..3f28fccd90 100644
--- a/package/base-files/files/lib/upgrade/fwtool.sh
+++ b/package/base-files/files/lib/upgrade/fwtool.sh
@@ -1,3 +1,28 @@
+fwtool_check_signature() {
+ [ $# -gt 1 ] && return 1
+
+ [ ! -x /usr/bin/ucert ] && {
+ if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
+ return 1
+ else
+ return 0
+ fi
+ }
+
+ if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
+ echo "Image signature not found"
+ [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
+ echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+ }
+ [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
+ return 0
+ fi
+
+ ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
+
+ return $?
+}
+
fwtool_check_image() {
[ $# -gt 1 ] && return 1
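Review bot: fwtool_check_signature carries no comment stating its policy, and the policy is easy to misread. An image from which no signature can be extracted is accepted unless `REQUIRE_IMAGE_SIGNATURE` is 1, while an image whose chain fails `ucert -V` is always rejected, so without that variable the check catches a bad signature but not a stripped one. I would put `# Unsigned images pass unless REQUIRE_IMAGE_SIGNATURE=1; an invalid chain always fails.` above the function. The branch for a missing `/usr/bin/ucert` returns 1 silently when signatures are required; an `echo "ucert not installed, cannot verify image signature"` before that `return 1` would tell the operator why the check failed. The extracted chain is also left behind at the fixed path `/tmp/sysupgrade.ucert`, and removing it once `ucert` has returned would avoid a stale chain sitting there between runs.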
diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade
index c9615e54c3..3cebfb68e0 100755
--- a/package/base-files/files/sbin/sysupgrade
+++ b/package/base-files/files/sbin/sysupgrade
@@ -136,7 +136,7 @@ add_overlayfiles() {
}
# hooks
-sysupgrade_image_check="fwtool_check_image platform_check_image"
+sysupgrade_image_check="fwtool_check_signature fwtool_check_image platform_check_image"
if [ $SAVE_OVERLAY = 1 ]; then
[ ! -d /overlay/upper/etc ] && {
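Review bot: The new hook list depends on `fwtool_check_signature` running first, and nothing on the `sysupgrade_image_check` line says so. If `fwtool -t` removes the extracted signature from the image, as the flag's use in fwtool.sh suggests, then moving the signature check later would change what both `ucert` and `fwtool_check_image` see. A comment such as `# fwtool_check_signature must stay first: it extracts the signature before the other checks read the image` would protect the order. The loop that runs these hooks is outside the hunk, so it is not visible here whether `-F` lets a failed signature check through, as the message in fwtool.sh implies; that is worth confirming against the intended policy for `REQUIRE_IMAGE_SIGNATURE=1`.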