Re: [PATCH v2] imagebuilder: add package signature verification
On Tue Sep 15, 2020 at 3:24 PM HST, Paul Spooren wrote:
> The ImageBuilder downloads pre-built packages and adds them to images.
> This process uses `opkg` which has the capability to verify package list
> signatures via `usign`, as enabled per default on running OpenWrt
> devices.
>
> Until now this was disabled for ImageBuilders because neither the `opkg`
> keys nor the `opkg-add` script was present during first packagelist
> update.
>
> To harden the ImageBuilder against *drive-by-download-attacks* both keys
> and verification script are added to the ImageBuilder allowing `opkg` to
> verify downloaded package indices.
>
> This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
> folder is added to ImageBuilder $TOPDIR to have an obvious place for
> users to
> store their own keys. The `option check_signature` is appended to the
> repositories.conf file. All of the above only happens if the Buildbot
> runs with the SIGNATURE_CHECK option.
>
> The keys stored in the ImageBuilder keys/ folder are the same as stored
> within images in `/etc/opkg/keys`.
>
> To allow a local package feed in which the user can add additional
> packages, the local *imagebuilder* feed is set to `src/trusted` which
> skips signature verification only on this particular feed.
>
> Signed-off-by: Paul Spooren
I chose a different approach: Generating `usign` keys via the
ImageBuilder, which doesn't require any `opkg` modificatons
(e.g. src/trusted).
This time it's a PR on GitHub:
https://github.com/openwrt/openwrt/pull/3477
> ---
> target/imagebuilder/Makefile | 10 +-
> target/imagebuilder/files/Makefile | 2 ++
> 2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
> index ad19ab2b53..0cdc1f4d93 100644
> --- a/target/imagebuilder/Makefile
> +++ b/target/imagebuilder/Makefile
> @@ -42,7 +42,7 @@ endif
>
> echo '' >> $(PKG_BUILD_DIR)/repositories.conf
> echo '## This is the local package repository, do not remove!' >>
> $(PKG_BUILD_DIR)/repositories.conf
> - echo 'src imagebuilder file:packages' >>
> $(PKG_BUILD_DIR)/repositories.conf
> + echo 'src/trusted imagebuilder file:packages' >>
> $(PKG_BUILD_DIR)/repositories.conf
>
> $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
>
> @@ -57,6 +57,14 @@ else
> find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {}
> $(PKG_BUILD_DIR)/packages/ \;
> endif
>
> +ifneq ($(CONFIG_SIGNATURE_CHECK),)
> + echo '' >> $(PKG_BUILD_DIR)/repositories.conf
> + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
> + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
> + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
> + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key
> $(PKG_BUILD_DIR)/scripts/
> +endif
> +
> $(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
> if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
> $(CP) $(TOPDIR)/staging_dir/host/lib/grub/
> $(PKG_BUILD_DIR)/staging_dir/host/lib; \
> diff --git a/target/imagebuilder/files/Makefile
> b/target/imagebuilder/files/Makefile
> index 27d3cfa8df..56b70f16b5 100644
> --- a/target/imagebuilder/files/Makefile
> +++ b/target/imagebuilder/files/Makefile
> @@ -64,8 +64,10 @@ help: FORCE
> # override variables from rules.mk
> PACKAGE_DIR:=$(TOPDIR)/packages
> LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst
> /,$(space),$(TARGET_DIR$(DL_DIR)
> +export OPKG_KEYS:=$(TOPDIR)/keys
> OPKG:=$(call opkg,$(TARGET_DIR)) \
> -f $(TOPDIR)/repositories.conf \
> + --verify-program $(SCRIPT_DIR)/opkg-key \
> --cache $(DL_DIR) \
> --lists-dir $(LISTS_DIR)
>
> --
> 2.25.1
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] ipq40xx: use upstream DTS files for IPQ4019/AP-DK04.1
Upstream provides DTS(I) files for IPQ4019/AP-DK04.1, but we overwrite
them with local versions so far.
Remove the local files and use patches to be closer to upstream.
We already do the same for IPQ40xx/AP-DK01.1-C1.
Technically, this changes the compatible from "qcom,ipq4019" to
"qcom,ipq4019-dk04.1-c1", but it has never been implemented correctly
beforehand anyway.
Signed-off-by: Adrian Schmutzler
---
.../boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts| 21 --
.../arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi | 181 --
.../902-dts-ipq4019-ap-dk04.1.patch | 150 +++
3 files changed, 150 insertions(+), 202 deletions(-)
delete mode 100644
target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts
delete mode 100644
target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi
create mode 100644
target/linux/ipq40xx/patches-5.4/902-dts-ipq4019-ap-dk04.1.patch
diff --git
a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts
b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts
deleted file mode 100644
index 47202d28fe..00
--- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts
+++ /dev/null
@@ -1,21 +0,0 @@
-/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include "qcom-ipq4019-ap.dk04.1.dtsi"
-
-/ {
- model = "Qualcomm Technologies, Inc. IPQ40xx/AP-DK04.1-C1";
-};
diff --git
a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi
b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi
deleted file mode 100644
index 9801354625..00
--- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi
+++ /dev/null
@@ -1,181 +0,0 @@
-/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- */
-
-#include "qcom-ipq4019.dtsi"
-#include
-
-/ {
- model = "Qualcomm Technologies, Inc. IPQ4019/AP-DK04.1";
- compatible = "qcom,ipq4019";
-
- soc {
- rng@22000 {
- status = "okay";
- };
-
- pinctrl@100 {
- serial_0_pins: serial_pinmux {
- mux {
- pins = "gpio16", "gpio17";
- function = "blsp_uart0";
- bias-disable;
- };
- };
-
- serial_1_pins: serial1_pinmux {
- mux {
- pins = "gpio8", "gpio9";
- function = "blsp_uart1";
- bias-disable;
- };
- };
-
- spi_0_pins: spi_0_pinmux {
- pinmux {
- function = "blsp_spi0";
- pins = "gpio13", "gpio14", "gpio15";
- };
- pinmux_cs {
- function = "gpio";
- pins = "gpio12";
- };
- pinconf {
- pins = "gpio13", "gpio14", "gpio15";
- drive-strength = <12>;
-
Re: [PATCH] mac80211: fix regression in sta connection monitor
Hi Felix! I can confirm that the original regression is now fully resolved in v3 of your patch. Further testing showed that the second issue: group key handshake failed (RSN) after 4 tries is unrelated. Apparently OpenWRT does not support group rekeying when WDS is used, so it always fails and should be disabled: option wpa_group_rekey ‘0’. Please excuse me for taking your time with the unrelated issue. There was no way for me to know that, since the disconnect remained, and it may take up to 24 hours to detect. Thank you for your help! Georgi > On 2020-09-22, at 11:56 AM, Felix Fietkau wrote: > > On 2020-09-22 09:28, Georgi Valkov wrote: >> Hi Felix! >> >> In the original code before the regression, as well as in the fix I >> proposed, probe_send_count was always reset if ack is true, while in >> your fix it will not be reset when non-null frames are received. The >> connection failed again after 10 hours and the STA remained offline for >> two minutes instead of two seconds. I should also note that I spent >> multiple days testing the fix I proposed and I had no disconnects. >> Please revise your fix again! > Thanks for the info. Handling non-null frames in that function is > incomplete, because it does not cover the 802.3 tx status path. > I'll make v2 patch that checks the timestamp of the last ACK in > ieee80211_sta_work instead. > > - Felix > ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
