openwrt/target/imagebuilder/Makefile
Paul Spooren 418362b1cc imagebuilder: add package signature verification
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are same as in
shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows to add the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilders local key.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-19 22:15:00 +00:00

114 lines
4.6 KiB
Makefile

#
# Copyright (C) 2006-2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
include $(INCLUDE_DIR)/version.mk
include $(INCLUDE_DIR)/feeds.mk
override MAKEFLAGS=
IB_NAME:=$(VERSION_DIST_SANITIZED)-imagebuilder-$(if $(CONFIG_VERSION_FILENAMES),$(VERSION_NUMBER)-)$(BOARD)$(if $(SUBTARGET),-$(SUBTARGET)).$(HOST_OS)-$(HOST_ARCH)
PKG_BUILD_DIR:=$(BUILD_DIR)/$(IB_NAME)
IB_KDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(KERNEL_BUILD_DIR))
IB_LDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(LINUX_DIR))
IB_DTSDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(LINUX_DIR))/arch/$(LINUX_KARCH)/boot/dts/
IB_IDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(STAGING_DIR_IMAGE))
all: compile
$(BIN_DIR)/$(IB_NAME).tar.xz: clean
rm -rf $(PKG_BUILD_DIR)
mkdir -p $(IB_KDIR) $(IB_LDIR) $(PKG_BUILD_DIR)/staging_dir/host/lib \
$(PKG_BUILD_DIR)/target $(PKG_BUILD_DIR)/scripts $(IB_DTSDIR)
-cp $(TOPDIR)/.config $(PKG_BUILD_DIR)/.config
$(CP) -L \
$(INCLUDE_DIR) $(SCRIPT_DIR) \
$(TOPDIR)/rules.mk \
./files/Makefile \
./files/repositories.conf \
$(TMP_DIR)/.targetinfo \
$(TMP_DIR)/.packageinfo \
$(PKG_BUILD_DIR)/
ifeq ($(CONFIG_IB_STANDALONE),)
echo '## Remote package repositories' >> $(PKG_BUILD_DIR)/repositories.conf
$(call FeedSourcesAppend,$(PKG_BUILD_DIR)/repositories.conf)
$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
endif
ifeq ($(CONFIG_BUILDBOT),)
$(INSTALL_DIR) $(PKG_BUILD_DIR)/packages
echo '' >> $(PKG_BUILD_DIR)/repositories.conf
echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf
echo 'src imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf
ifeq ($(CONFIG_IB_STANDALONE),)
$(FIND) $(call FeedPackageDir,libc) -type f \
\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' -or -name 'kmod-*.ipk' \) \
-exec $(CP) -t $(PKG_BUILD_DIR)/packages {} +
else
$(FIND) $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' \
-exec $(CP) -t $(PKG_BUILD_DIR)/packages/ {} +
endif
else
$(FIND) $(call FeedPackageDir,libc) -type f \
\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' \) \
-exec $(CP) -t $(IB_LDIR)/ {} +
endif
ifneq ($(CONFIG_SIGNATURE_CHECK),)
echo '' >> $(PKG_BUILD_DIR)/repositories.conf
echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
endif
$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
fi
rm -rf \
$(PKG_BUILD_DIR)/target/linux/*/files{,-*} \
$(PKG_BUILD_DIR)/target/linux/*/patches{,-*} \
$(PKG_BUILD_DIR)/target/linux/generic/{pending,backport,hack}{,-*}
-cp $(KERNEL_BUILD_DIR)/* $(IB_KDIR)/ # don't copy subdirectories here
-cp $(LINUX_DIR)/.config $(IB_LDIR)/
rm -f $(IB_KDIR)/root.*
rm -f $(IB_KDIR)/vmlinux.debug
if [ -x $(LINUX_DIR)/scripts/dtc/dtc ]; then \
$(INSTALL_DIR) $(IB_LDIR)/scripts/dtc; \
$(INSTALL_BIN) $(LINUX_DIR)/scripts/dtc/dtc $(IB_LDIR)/scripts/dtc/dtc; \
fi
if [ -d $(LINUX_DIR)/arch/$(LINUX_KARCH)/boot/dts ]; then \
$(CP) -L $(LINUX_DIR)/arch/$(LINUX_KARCH)/boot/dts/* $(IB_DTSDIR); \
fi
$(SED) 's,^# REVISION:=.*,REVISION:=$(REVISION),g' $(PKG_BUILD_DIR)/include/version.mk
find $(PKG_BUILD_DIR) -name CVS -o -name .git -o -name .svn \
| $(XARGS) rm -rf
$(INSTALL_DIR) $(IB_IDIR)
-$(CP) $(STAGING_DIR_IMAGE)/* $(IB_IDIR)/
$(INSTALL_DIR) $(PKG_BUILD_DIR)/staging_dir/host/bin
$(CP) $(STAGING_DIR_HOST)/bin/* $(PKG_BUILD_DIR)/staging_dir/host/bin/
(cd $(PKG_BUILD_DIR); find staging_dir/host/bin/ $(IB_LDIR)/scripts/dtc/ -type f | \
$(XARGS) $(SCRIPT_DIR)/bundle-libraries.sh $(PKG_BUILD_DIR)/staging_dir/host)
$(CP) $(TOPDIR)/staging_dir/host/lib/libfakeroot* $(PKG_BUILD_DIR)/staging_dir/host/lib
STRIP=$(STAGING_DIR_HOST)/bin/sstrip $(SCRIPT_DIR)/rstrip.sh $(PKG_BUILD_DIR)/staging_dir/host/bin/
(cd $(BUILD_DIR); \
tar -I '$(STAGING_DIR_HOST)/bin/xz -7e -T$(if $(filter 1,$(NPROC)),2,0)' -cf $@ $(IB_NAME) \
--mtime="$(shell date --date=@$(SOURCE_DATE_EPOCH))"; \
)
download:
prepare:
compile: $(BIN_DIR)/$(IB_NAME).tar.xz
install: compile
clean: FORCE
rm -rf $(PKG_BUILD_DIR) $(BIN_DIR)/$(IB_NAME).tar.xz