Re: [PATCH] imagebuilder: add package signature verification
Hi, On Tue Aug 25, 2020 at 10:24 PM HST, Paul Spooren wrote: > The ImageBuilder downloads pre-built packages and adds them to images. > This process uses `opkg` which has the capability to verify package list > signatures, as enabled per default on running OpenWrt devices. > > Until now this was disabled for ImageBuilders because neither the OPKG > keys nor the `opkg-add` script was present during first packagelist > update. > > To harden the ImageBuilder against *drive-by-download-attacks* both keys > and verification script are added to the ImageBuilder allowing OPKG to > verify downloaded package indices. > > This commit adds `opkg-add` to the IB scripts folder, as it is just a > shell script. The keys folder is added to IBs TOPDIR to have an obvious > place for users to store their own keys. The `option check_signature` is > appended to the repositories.conf file. All of the above only happens if > the Buildbot runs with the SIGNED_PACKAGES option. > > Signed-off-by: Paul Spooren > --- > This patch requires the following two patches: > > * opkg: allow to configure the path to the signature verification script > https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-bapti...@bitsofnetworks.org/ Merged > > * build: opkg-key variable key folder > https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-m...@aparcar.org/ Merged Please somebody review this, the dependencies are all merged. This is a "blocker" for 20.x (based on the goals site and my opinion). Best, Paul > > In combination this should resolve the following 20.x goal: > * Improve security of ImageBuilder - Check signatures > > I'm shaken by the fact that ImageBuilders downloaded packages via HTTP > and without OPKG signature checks by default - fun > > target/imagebuilder/Makefile | 6 ++ > target/imagebuilder/files/Makefile | 2 ++ > 2 files changed, 8 insertions(+) > > diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile > index ad19ab2b53..2a4e9263db 100644 > --- a/target/imagebuilder/Makefile > +++ b/target/imagebuilder/Makefile > @@ -43,6 +43,12 @@ endif > echo '' >> $(PKG_BUILD_DIR)/repositories.conf > echo '## This is the local package repository, do not remove!' >> > $(PKG_BUILD_DIR)/repositories.conf > echo 'src imagebuilder file:packages' >> > $(PKG_BUILD_DIR)/repositories.conf > +ifneq ($(CONFIG_SIGNED_PACKAGES),) > + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf > + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys > + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ > + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key > $(PKG_BUILD_DIR)/scripts/ > +endif > > $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf > > diff --git a/target/imagebuilder/files/Makefile > b/target/imagebuilder/files/Makefile > index 326dd2ba2f..98769d93de 100644 > --- a/target/imagebuilder/files/Makefile > +++ b/target/imagebuilder/files/Makefile > @@ -64,8 +64,10 @@ help: FORCE > # override variables from rules.mk > PACKAGE_DIR:=$(TOPDIR)/packages > LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst > /,$(space),$(TARGET_DIR$(DL_DIR) > +export OPKG_KEYS:=$(TOPDIR)/keys > OPKG:=$(call opkg,$(TARGET_DIR)) \ > -f $(TOPDIR)/repositories.conf \ > + --verify-program $(SCRIPT_DIR)/opkg-key \ > --cache $(DL_DIR) \ > --lists-dir $(LISTS_DIR) > > -- > 2.25.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] bpftools: fix compilation under powerpc
On Sun, Sep 13, 2020 at 1:56 PM Rosen Penev wrote: > > asm/errno.h must be included before errno.h under powerpc. https://downloads.openwrt.org/snapshots/faillogs/powerpc_464fp/base/bpftools/full/compile.txt > > Fixes: > > In file included from tools/arch/powerpc/include/uapi/asm/errno.h:5, > from tools/include/linux/err.h:8, > from libbpf.c:29: > tools/include/uapi/asm-generic/errno.h:40: error: "EDEADLOCK" redefined > [-Werror] > #define EDEADLOCK EDEADLK > > In file included from > toolchain-powerpc_8540_gcc-8.4.0_musl/include/errno.h:10, > from libbpf.c:26: > toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/errno.h:58: note: this > is the location of the previous definition > #define EDEADLOCK 58 > > Signed-off-by: Rosen Penev > --- > package/network/utils/bpftools/Makefile | 2 +- > .../utils/bpftools/patches/010-powerpc.patch | 50 +++ > 2 files changed, 51 insertions(+), 1 deletion(-) > create mode 100644 package/network/utils/bpftools/patches/010-powerpc.patch > > diff --git a/package/network/utils/bpftools/Makefile > b/package/network/utils/bpftools/Makefile > index 156dc8a4fa..8e40654ca6 100644 > --- a/package/network/utils/bpftools/Makefile > +++ b/package/network/utils/bpftools/Makefile > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk > > PKG_NAME:=bpftools > PKG_VERSION:=5.8.3 > -PKG_RELEASE:=1 > +PKG_RELEASE:=2 > > PKG_SOURCE:=linux-$(PKG_VERSION).tar.xz > PKG_SOURCE_URL:=@KERNEL/linux/kernel/v5.x > diff --git a/package/network/utils/bpftools/patches/010-powerpc.patch > b/package/network/utils/bpftools/patches/010-powerpc.patch > new file mode 100644 > index 00..c2a11f9a2e > --- /dev/null > +++ b/package/network/utils/bpftools/patches/010-powerpc.patch > @@ -0,0 +1,50 @@ > +--- a/tools/lib/bpf/btf.c > b/tools/lib/bpf/btf.c > +@@ -7,6 +7,7 @@ > + #include > + #include > + #include > ++#include > + #include > + #include > + #include > +--- a/tools/lib/bpf/btf_dump.c > b/tools/lib/bpf/btf_dump.c > +@@ -10,6 +10,7 @@ > + #include > + #include > + #include > ++#include > + #include > + #include > + #include > +--- a/tools/lib/bpf/hashmap.c > b/tools/lib/bpf/hashmap.c > +@@ -8,6 +8,7 @@ > + #include > + #include > + #include > ++#include > + #include > + #include > + #include "hashmap.h" > +--- a/tools/lib/bpf/libbpf.c > b/tools/lib/bpf/libbpf.c > +@@ -23,6 +23,7 @@ > + #include > + #include > + #include > ++#include > + #include > + #include > + #include > +--- a/tools/lib/bpf/ringbuf.c > b/tools/lib/bpf/ringbuf.c > +@@ -9,6 +9,7 @@ > + #endif > + #include > + #include > ++#include > + #include > + #include > + #include > -- > 2.26.2 > ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] bpftools: fix compilation under powerpc
asm/errno.h must be included before errno.h under powerpc. Fixes: In file included from tools/arch/powerpc/include/uapi/asm/errno.h:5, from tools/include/linux/err.h:8, from libbpf.c:29: tools/include/uapi/asm-generic/errno.h:40: error: "EDEADLOCK" redefined [-Werror] #define EDEADLOCK EDEADLK In file included from toolchain-powerpc_8540_gcc-8.4.0_musl/include/errno.h:10, from libbpf.c:26: toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/errno.h:58: note: this is the location of the previous definition #define EDEADLOCK 58 Signed-off-by: Rosen Penev --- package/network/utils/bpftools/Makefile | 2 +- .../utils/bpftools/patches/010-powerpc.patch | 50 +++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 package/network/utils/bpftools/patches/010-powerpc.patch diff --git a/package/network/utils/bpftools/Makefile b/package/network/utils/bpftools/Makefile index 156dc8a4fa..8e40654ca6 100644 --- a/package/network/utils/bpftools/Makefile +++ b/package/network/utils/bpftools/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bpftools PKG_VERSION:=5.8.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=linux-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/kernel/v5.x diff --git a/package/network/utils/bpftools/patches/010-powerpc.patch b/package/network/utils/bpftools/patches/010-powerpc.patch new file mode 100644 index 00..c2a11f9a2e --- /dev/null +++ b/package/network/utils/bpftools/patches/010-powerpc.patch @@ -0,0 +1,50 @@ +--- a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +--- a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +--- a/tools/lib/bpf/hashmap.c b/tools/lib/bpf/hashmap.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include "hashmap.h" +--- a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +--- a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c +@@ -9,6 +9,7 @@ + #endif + #include + #include ++#include + #include + #include + #include -- 2.26.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[sdwalker/sdwalker.github.io] dbbb5a: This week's update
Branch: refs/heads/master Home: https://github.com/sdwalker/sdwalker.github.io Commit: dbbb5ad886a73db6b5a7d30c61d272eccc0e96c8 https://github.com/sdwalker/sdwalker.github.io/commit/dbbb5ad886a73db6b5a7d30c61d272eccc0e96c8 Author: Stephen Walker Date: 2020-09-13 (Sun, 13 Sep 2020) Changed paths: M uscan/index-18.06.html M uscan/index-19.07.html M uscan/index.html Log Message: --- This week's update ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] ath79: use common device definition for Buffalo devices
The Buffalo devices in ath79 share their image generation code, so let's create a shared Device definition for them. Since most of them use BUFFALO_HWVER := 3, this is moved as default to the shared definition as well. Signed-off-by: Adrian Schmutzler --- target/linux/ath79/image/common-buffalo.mk | 15 + target/linux/ath79/image/generic.mk| 39 ++ target/linux/ath79/image/tiny.mk | 9 ++--- 3 files changed, 27 insertions(+), 36 deletions(-) diff --git a/target/linux/ath79/image/common-buffalo.mk b/target/linux/ath79/image/common-buffalo.mk index d62b7eea94..31936b8234 100644 --- a/target/linux/ath79/image/common-buffalo.mk +++ b/target/linux/ath79/image/common-buffalo.mk @@ -1,3 +1,5 @@ +DEVICE_VARS += BUFFALO_PRODUCT BUFFALO_HWVER + define Build/buffalo-tag $(eval product=$(word 1,$(1))) $(eval hwver=$(word 2,$(1))) @@ -17,3 +19,16 @@ define Build/buffalo-tftp-header ) > $@.new mv $@.new $@ endef + + +define Device/buffalo_common + DEVICE_VENDOR := Buffalo + BUFFALO_PRODUCT := + BUFFALO_HWVER := 3 + IMAGES += factory.bin tftp.bin + IMAGE/default := append-kernel | pad-to (BLOCKSIZE) | append-rootfs | \ + pad-rootfs | check-size + IMAGE/factory.bin := $$(IMAGE/default) | buffalo-enc (BUFFALO_PRODUCT) 1.99 | \ + buffalo-tag (BUFFALO_PRODUCT) (BUFFALO_HWVER) + IMAGE/tftp.bin := $$(IMAGE/default) | buffalo-tftp-header +endef diff --git a/target/linux/ath79/image/generic.mk b/target/linux/ath79/image/generic.mk index 7a00bae287..4b6cdaa826 100644 --- a/target/linux/ath79/image/generic.mk +++ b/target/linux/ath79/image/generic.mk @@ -315,17 +315,12 @@ endef TARGET_DEVICES += avm_fritzdvbc define Device/buffalo_bhr-4grv + $(Device/buffalo_common) SOC := ar7242 - DEVICE_VENDOR := Buffalo DEVICE_MODEL := BHR-4GRV + BUFFALO_PRODUCT := BHR-4GRV DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport IMAGE_SIZE := 32256k - IMAGES += factory.bin tftp.bin - IMAGE/default := append-kernel | pad-to (BLOCKSIZE) | append-rootfs | \ - pad-rootfs | check-size - IMAGE/factory.bin := $$(IMAGE/default) | buffalo-enc BHR-4GRV 1.99 | \ - buffalo-tag BHR-4GRV 3 - IMAGE/tftp.bin := $$(IMAGE/default) | buffalo-tftp-header SUPPORTED_DEVICES += wzr-hp-g450h endef TARGET_DEVICES += buffalo_bhr-4grv @@ -339,51 +334,37 @@ endef TARGET_DEVICES += buffalo_bhr-4grv2 define Device/buffalo_wzr-hp-ag300h + $(Device/buffalo_common) SOC := ar7161 - DEVICE_VENDOR := Buffalo DEVICE_MODEL := WZR-HP-AG300H - IMAGE_SIZE := 32320k - IMAGES += factory.bin tftp.bin - IMAGE/default := append-kernel | pad-to (BLOCKSIZE) | append-rootfs | \ - pad-rootfs | check-size - IMAGE/factory.bin := $$(IMAGE/default) | buffalo-enc WZR-HP-AG300H 1.99 | \ - buffalo-tag WZR-HP-AG300H 3 - IMAGE/tftp.bin := $$(IMAGE/default) | buffalo-tftp-header + BUFFALO_PRODUCT := WZR-HP-AG300H DEVICE_PACKAGES := kmod-usb-ohci kmod-usb2 kmod-usb-ledtrig-usbport \ kmod-leds-reset kmod-owl-loader + IMAGE_SIZE := 32320k SUPPORTED_DEVICES += wzr-hp-ag300h endef TARGET_DEVICES += buffalo_wzr-hp-ag300h define Device/buffalo_wzr-hp-g302h-a1a0 + $(Device/buffalo_common) SOC := ar7242 - DEVICE_VENDOR := Buffalo DEVICE_MODEL := WZR-HP-G302H DEVICE_VARIANT := A1A0 + BUFFALO_PRODUCT := WZR-HP-G302H + BUFFALO_HWVER := 4 DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport IMAGE_SIZE := 32128k - IMAGES += factory.bin tftp.bin - IMAGE/default := append-kernel | pad-to (BLOCKSIZE) | append-rootfs | \ - pad-rootfs | check-size - IMAGE/factory.bin := $$(IMAGE/default) | buffalo-enc WZR-HP-G302H 1.99 | \ - buffalo-tag WZR-HP-G302H 4 - IMAGE/tftp.bin := $$(IMAGE/default) | buffalo-tftp-header SUPPORTED_DEVICES += wzr-hp-g300nh2 endef TARGET_DEVICES += buffalo_wzr-hp-g302h-a1a0 define Device/buffalo_wzr-hp-g450h + $(Device/buffalo_common) SOC := ar7242 - DEVICE_VENDOR := Buffalo DEVICE_MODEL := WZR-HP-G450H/WZR-450HP + BUFFALO_PRODUCT := WZR-HP-G450H DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport IMAGE_SIZE := 32256k - IMAGES += factory.bin tftp.bin - IMAGE/default := append-kernel | pad-to (BLOCKSIZE) | append-rootfs | \ - pad-rootfs | check-size - IMAGE/factory.bin := $$(IMAGE/default) | buffalo-enc WZR-HP-G450H 1.99 | \ - buffalo-tag WZR-HP-G450H 3 - IMAGE/tftp.bin := $$(IMAGE/default) | buffalo-tftp-header SUPPORTED_DEVICES += wzr-hp-g450h endef TARGET_DEVICES += buffalo_wzr-hp-g450h diff --git a/target/linux/ath79/image/tiny.mk b/target/linux/ath79/image/tiny.mk index 9f4f89bd9a..83c34d718b 100644 --- a/target/linux/ath79/image/tiny.mk +++ b/target/linux/ath79/image/tiny.mk @@ -1,16 +1,11 @@ include ./common-buffalo.mk define Device/buffalo_whr-g301n + $(Device/buffalo_common) SOC := ar7240 - DEVICE_VENDOR := Buffalo DEVICE_MODEL := WHR-G301N + BUFFALO_PRODUCT := WHR-G301N IM
Re: [PATCH opkg 0/5] Purge packages from cache when they have incorrect checksum
Hi, Any feedback on this patch series? It fixes this annoying bug in the imagebuilder: https://bugs.openwrt.org/index.php?do=details&task_id=2690 Since the changes are somewhat significant, I would like some exposure in master for a few weeks/months before it can be backported to 18.06 and 19.07. Thanks, Baptiste On 25-08-20, Baptiste Jonglez wrote: > From: Baptiste Jonglez > > The motivation of this patch series is to fix FS#2690. Because packages > are continuously rebuilt, the ImageBuilder ends up with old packages in > its cache, and fails because checksums don't match with the new package > index from the download server. > > The approach to solve this problem is the following. Before using a package > from the cache, verify its size and checksum against the package index, and > delete the package from the cache if they don't match. The install process > will then proceed to download the "fixed" package as usual. > > The main patch is "download: purge cached packages that have incorrect > checksum". The other ones are either cleanup or refactoring to prepare > for the main change. > > Baptiste Jonglez (5): > download: remove compatibility with old cache naming scheme > libopkg: factor out checksum and size verification > download: factor out the logic for building cache filenames > download: purge cached packages that have incorrect checksum > opkg_verify_integrity: better logging and error conditions > > libopkg/opkg_download.c | 123 > libopkg/opkg_download.h | 1 + > libopkg/opkg_install.c | 76 +++-- > 3 files changed, 108 insertions(+), 92 deletions(-) signature.asc Description: PGP signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH opkg] libopkg: fix md5sum calculation
From: Alexander Ryzhov This regression prevents MD5 checksums from being checked. Packages are still installed, but this raises several issues: - if only MD5 checksums are provided in the package list, it is trivial for an attacker to modify the content of a package, since checksum verification is bypassed. If both MD5 and SHA256 checksums are provided, then SHA256 is correctly verified and the attack is not possible. - future efforts to harden checksum verification would prevent package installation. Note that OpenWrt has switched to SHA256 for all its packages several years ago. As a result, this bug does not affect OpenWrt packages from the official package feeds. However, custom package repositories that only use MD5 are affected. Initially submitted at https://github.com/openwrt/openwrt/pull/3087 Fixes: 33f7b80aa325 ("libopkg: drop custom md5 implementation, unconditionally enable sha256 support") Signed-off-by: Alexander Ryzhov [Add commit description] Signed-off-by: Baptiste Jonglez --- libopkg/file_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libopkg/file_util.c b/libopkg/file_util.c index 3a1761e..8e698cc 100644 --- a/libopkg/file_util.c +++ b/libopkg/file_util.c @@ -153,7 +153,7 @@ char *file_md5sum_alloc(const char *file_name) len = md5sum(file_name, md5sum_bin); - if (len) { + if (len < 0) { opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name); return NULL; } -- 2.27.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel