Re: OpenWRT (ucert) signature check during upgrade
On 07/08/2020 09:47, Andrii Voloshyn wrote:
> I'd like to use signature verification during sysupgrade, but at the moment I get the "Image check failed" message.
> Similar to what the guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704

Keep in mind that, for security purposes, optional signatures are useless. You will have to change things so that your firmware *requires* the signature to be always present. No backwards compatibility with unsigned images is possible.

As a rule, an optional metadata field at the *end* of an image is useless for either security or corruption checking purposes. All it takes is the most common download issue of them all: truncation. The end of the file isn't there (because it was truncated early enough), the *optional* metadata isn't there, but enough of the headers made it through to look like a valid image to sysupgrade. The corrupt (incomplete) file is accepted and used, despite the fact that the original had checksum metadata and signatures. Not Good[tm].

Prepending the metadata allows it to protect properly against download truncation, but if the presence of signature metadata is still optional, prepended or not it will still be useless as far as *security* goes.

The proper answer is *requiring* the metadata and signature to be present. It resolves both issues, regardless of whether the metadata is prepended or appended to the image.

What you're going to do about "sysupgrade -F" and direct flashing is another angle to think about, as well...

-- 
Henrique de Moraes Holschuh

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
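Henrique's truncation argument, as an added illustration that is not part of the thread or of OpenWrt's code: a toy image format with a header, a payload and an appended metadata trailer, checked first under an "optional trailer" policy and then under a "required signed trailer" policy. HMAC-SHA256 stands in for the usign/ucert signature, and the layout, magic values and key are constructed for the example.

```python
# Constructed model of "header + payload + appended metadata", not OpenWrt's real format.
# HMAC-SHA256 with a shared key stands in for the usign signature carried by the ucert.
import hmac
import hashlib
import struct

MAGIC = b"IMG1"            # constructed image header magic
TRAILER_MAGIC = b"META"    # constructed metadata trailer magic
KEY = b"constructed-build-key"   # stand-in for the build key / /etc/opkg/keys entry
SIG_LEN = hashlib.sha256().digest_size


def build_image(payload: bytes, sign: bool) -> bytes:
    """Header (magic + payload length) + payload, then an optional signed trailer
    whose length is stored in the last 4 bytes, i.e. metadata appended at the end."""
    body = MAGIC + struct.pack(">I", len(payload)) + payload
    if not sign:
        return body
    trailer = TRAILER_MAGIC + hmac.new(KEY, body, hashlib.sha256).digest()
    return body + trailer + struct.pack(">I", len(trailer))


def header_ok(image: bytes) -> bool:
    """Naive check that only looks at the leading header, the way a truncated
    download can still 'look like a valid image'."""
    return len(image) >= 8 and image[:4] == MAGIC


def find_trailer(image: bytes):
    """Return (body, signature) when a well-formed trailer is present, else None.
    A truncated download normally loses the trailer, so this returns None."""
    if len(image) < 4:
        return None
    tlen = struct.unpack(">I", image[-4:])[0]
    if tlen != 4 + SIG_LEN or len(image) < tlen + 4:
        return None
    trailer = image[-4 - tlen:-4]
    if trailer[:4] != TRAILER_MAGIC:
        return None
    return image[:-4 - tlen], trailer[4:]


def verify_optional(image: bytes) -> bool:
    """Optional-signature policy: verify only if a trailer happens to be there."""
    found = find_trailer(image)
    if found is None:
        return header_ok(image)   # no trailer -> falls back to the header check
    body, sig = found
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), sig)


def verify_required(image: bytes) -> bool:
    """Required-signature policy: missing trailer or bad signature means reject."""
    found = find_trailer(image)
    if found is None:
        return False
    body, sig = found
    return header_ok(body) and hmac.compare_digest(
        hmac.new(KEY, body, hashlib.sha256).digest(), sig)
```

With this model, cutting the last bytes off a signed image leaves an image that `verify_optional` accepts on the strength of its header alone, while `verify_required` rejects it, which is the behaviour difference the message describes.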
Re: OpenWRT (ucert) signature check during upgrade
On Fri, Aug 07, 2020 at 03:47:57PM +0300, Andrii Voloshyn wrote:
> Hi there,
>
> I'd like to use signature verification during sysupgrade, but at the moment I
> get the "Image check failed" message.
> Similar to what the guys mentioned here:
> https://forum.openwrt.org/t/possible-bug-in-ucert/57704
> By digging around, I found out that:
>
> fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
>
> command fails with the following message: "cert_verify: cannot parse cert".
> My assumption is that it is because of the signature of the upgrade file that
> we add at the end of the certificate while appending metadata to the upgrade
> file. Line below (ucert -A -c "$@.ucert" -x "$@.sig"):
>
> define Build/append-metadata
> 	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
> 	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
> 		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
> 		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
> 		ucert -A -c "$@.ucert" -x "$@.sig" ;\
> 		fwtool -S "$@.ucert" "$@" ;\
> 	}
> endef
>
> Would (ucert -V -m) expect the appended upgrade image file signature in the
> certificate passed with -c?
> Or has this functionality not been implemented yet?
> In other words, how to check the upgrade file signature prior to upgrade with
> the ucert tool?

Yes, this is exactly how it is supposed to work.

There has been a bug caused by libubox security improvements which made ucert always fail to parse certificates; it should have been fixed by

commit 96c42c5ed3207b8ad1ce836a4426c8700c13b655
Author: Matthias Schiffer
Date:   Sat May 16 22:29:24 2020 +0200

    Fix length checks in cert_load()

Please verify manually if ucert can parse the certificate, i.e. extract it into a file /tmp/sysupgrade.ucert using fwtool, then install ucert-full and use `ucert -D -c /tmp/sysupgrade.ucert` and see what happens.

Cheers

Daniel

> Cheers,
> Andrew
OpenWRT (ucert) signature check during upgrade
Hi there,

I'd like to use signature verification during sysupgrade, but at the moment I get the "Image check failed" message.
Similar to what the guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704
By digging around, I found out that:

fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys

command fails with the following message: "cert_verify: cannot parse cert".
My assumption is that it is because of the signature of the upgrade file that we add at the end of the certificate while appending metadata to the upgrade file. Line below (ucert -A -c "$@.ucert" -x "$@.sig"):

define Build/append-metadata
	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
		ucert -A -c "$@.ucert" -x "$@.sig" ;\
		fwtool -S "$@.ucert" "$@" ;\
	}
endef

Would (ucert -V -m) expect the appended upgrade image file signature in the certificate passed with -c?
Or has this functionality not been implemented yet?
In other words, how to check the upgrade file signature prior to upgrade with the ucert tool?

Cheers,
Andrew