Hi, On Tue Aug 25, 2020 at 10:24 PM HST, Paul Spooren wrote: > The ImageBuilder downloads pre-built packages and adds them to images. > This process uses `opkg` which has the capability to verify package list > signatures, as enabled per default on running OpenWrt devices. > > Until now this was disabled for ImageBuilders because neither the OPKG > keys nor the `opkg-add` script was present during first packagelist > update. > > To harden the ImageBuilder against *drive-by-download-attacks* both keys > and verification script are added to the ImageBuilder allowing OPKG to > verify downloaded package indices. > > This commit adds `opkg-add` to the IB scripts folder, as it is just a > shell script. The keys folder is added to IBs TOPDIR to have an obvious > place for users to store their own keys. The `option check_signature` is > appended to the repositories.conf file. All of the above only happens if > the Buildbot runs with the SIGNED_PACKAGES option. > > Signed-off-by: Paul Spooren <m...@aparcar.org> > --- > This patch requires the following two patches: > > * opkg: allow to configure the path to the signature verification script > https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-bapti...@bitsofnetworks.org/
Merged > > * build: opkg-key variable key folder > https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-m...@aparcar.org/ Merged Please somebody review this, the dependencies are all merged. This is a "blocker" for 20.x (based on the goals site and my opinion). Best, Paul > > In combination this should resolve the following 20.x goal: > * Improve security of ImageBuilder - Check signatures > > I'm shaken by the fact that ImageBuilders downloaded packages via HTTP > and without OPKG signature checks by default - fun > > target/imagebuilder/Makefile | 6 ++++++ > target/imagebuilder/files/Makefile | 2 ++ > 2 files changed, 8 insertions(+) > > diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile > index ad19ab2b53..2a4e9263db 100644 > --- a/target/imagebuilder/Makefile > +++ b/target/imagebuilder/Makefile > @@ -43,6 +43,12 @@ endif > echo '' >> $(PKG_BUILD_DIR)/repositories.conf > echo '## This is the local package repository, do not remove!' >> > $(PKG_BUILD_DIR)/repositories.conf > echo 'src imagebuilder file:packages' >> > $(PKG_BUILD_DIR)/repositories.conf > +ifneq ($(CONFIG_SIGNED_PACKAGES),) > + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf > + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys > + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ > + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key > $(PKG_BUILD_DIR)/scripts/ > +endif > > $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf > > diff --git a/target/imagebuilder/files/Makefile > b/target/imagebuilder/files/Makefile > index 326dd2ba2f..98769d93de 100644 > --- a/target/imagebuilder/files/Makefile > +++ b/target/imagebuilder/files/Makefile > @@ -64,8 +64,10 @@ help: FORCE > # override variables from rules.mk > PACKAGE_DIR:=$(TOPDIR)/packages > LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst > /,$(space),$(TARGET_DIR))))$(DL_DIR) > +export OPKG_KEYS:=$(TOPDIR)/keys > OPKG:=$(call opkg,$(TARGET_DIR)) \ > -f $(TOPDIR)/repositories.conf \ > + --verify-program $(SCRIPT_DIR)/opkg-key \ > --cache $(DL_DIR) \ > --lists-dir $(LISTS_DIR) > > -- > 2.25.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel