The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg`, which has the capability to verify package list signatures, as enabled by default on running OpenWrt devices.
Until now this was disabled for ImageBuilders because neither the OPKG keys nor the `opkg-add` script was present during the first package list update. To harden the ImageBuilder against *drive-by-download-attacks*, both keys and verification script are added to the ImageBuilder, allowing OPKG to verify downloaded package indices.

This commit adds `opkg-add` to the IB scripts folder, as it is just a shell script. The keys folder is added to the IB's TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file.

All of the above only happens if the Buildbot runs with the SIGNED_PACKAGES option.

Signed-off-by: Paul Spooren <m...@aparcar.org>
---
This patch requires the following two patches:

* opkg: allow to configure the path to the signature verification script
  https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-bapti...@bitsofnetworks.org/

* build: opkg-key variable key folder
  https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-m...@aparcar.org/

In combination this should resolve the following 20.x goal:

* Improve security of ImageBuilder
  - Check signatures

I'm shaken by the fact that ImageBuilders downloaded packages via HTTP and without OPKG signature checks by default - fun

target/imagebuilder/Makefile | 6 ++++++ target/imagebuilder/files/Makefile | 2 ++ 2 files changed, 8 insertions(+) diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile index ad19ab2b53..2a4e9263db 100644 --- a/target/imagebuilder/Makefile +++ b/target/imagebuilder/Makefile
@@ -43,6 +43,12 @@ endif echo '' >> $(PKG_BUILD_DIR)/repositories.conf echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf echo 'src imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf +ifneq ($(CONFIG_SIGNED_PACKAGES),) + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/ + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/ +endif $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index 326dd2ba2f..98769d93de 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile @@ -64,8 +64,10 @@ help: FORCE # override variables from rules.mk PACKAGE_DIR:=$(TOPDIR)/packages LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) +export OPKG_KEYS:=$(TOPDIR)/keys OPKG:=$(call opkg,$(TARGET_DIR)) \ -f $(TOPDIR)/repositories.conf \ + --verify-program $(SCRIPT_DIR)/opkg-key \ --cache $(DL_DIR) \ --lists-dir $(LISTS_DIR) -- 2.25.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
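Review bot: In the target/imagebuilder/Makefile hunk, the script copied into scripts/ is `opkg-key`, while the commit message says the commit adds `opkg-add`; the other hunk's `--verify-program $(SCRIPT_DIR)/opkg-key` agrees with the code, so the commit message should name `opkg-key`. In the same block, `option check_signature` is written directly after the local `src imagebuilder file:packages` feed, and nothing in the patch shows how the index of that local feed gets a signature; please state in the commit message or in a comment whether the local feed is expected to pass verification or whether a failed check there is tolerated.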
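Review bot: In the target/imagebuilder/files/Makefile hunk, `export OPKG_KEYS:=$(TOPDIR)/keys` and `--verify-program $(SCRIPT_DIR)/opkg-key` are added unconditionally, but the keys folder and `opkg-key` are only installed into the ImageBuilder inside `ifneq ($(CONFIG_SIGNED_PACKAGES),)` in the other hunk. An ImageBuilder produced without SIGNED_PACKAGES then passes a verify program and a key path that do not exist. Either guard these two lines the same way, or install the script and an empty keys folder unconditionally so that a user who later adds `option check_signature` by hand gets working verification. The `--verify-program` option also comes from the prerequisite opkg patch listed in the message, so this change should not be merged before that one.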