mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2024-12-22 06:41:17 +00:00
418362b1cc
The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update. To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices. This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option. The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are same as in shipped images (stored at `/etc/opkg/keys/`). To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional. The new option `ADD_LOCAL_KEY` allows to add the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilders local key. Signed-off-by: Paul Spooren <mail@aparcar.org>
114 lines
4.6 KiB
Makefile
114 lines
4.6 KiB
Makefile
#
|
|
# Copyright (C) 2006-2015 OpenWrt.org
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
include $(INCLUDE_DIR)/kernel.mk
|
|
include $(INCLUDE_DIR)/version.mk
|
|
include $(INCLUDE_DIR)/feeds.mk
|
|
|
|
override MAKEFLAGS=
|
|
|
|
IB_NAME:=$(VERSION_DIST_SANITIZED)-imagebuilder-$(if $(CONFIG_VERSION_FILENAMES),$(VERSION_NUMBER)-)$(BOARD)$(if $(SUBTARGET),-$(SUBTARGET)).$(HOST_OS)-$(HOST_ARCH)
|
|
PKG_BUILD_DIR:=$(BUILD_DIR)/$(IB_NAME)
|
|
IB_KDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(KERNEL_BUILD_DIR))
|
|
IB_LDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(LINUX_DIR))
|
|
IB_DTSDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(LINUX_DIR))/arch/$(LINUX_KARCH)/boot/dts/
|
|
IB_IDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(STAGING_DIR_IMAGE))
|
|
|
|
all: compile
|
|
|
|
$(BIN_DIR)/$(IB_NAME).tar.xz: clean
|
|
rm -rf $(PKG_BUILD_DIR)
|
|
mkdir -p $(IB_KDIR) $(IB_LDIR) $(PKG_BUILD_DIR)/staging_dir/host/lib \
|
|
$(PKG_BUILD_DIR)/target $(PKG_BUILD_DIR)/scripts $(IB_DTSDIR)
|
|
-cp $(TOPDIR)/.config $(PKG_BUILD_DIR)/.config
|
|
$(CP) -L \
|
|
$(INCLUDE_DIR) $(SCRIPT_DIR) \
|
|
$(TOPDIR)/rules.mk \
|
|
./files/Makefile \
|
|
./files/repositories.conf \
|
|
$(TMP_DIR)/.targetinfo \
|
|
$(TMP_DIR)/.packageinfo \
|
|
$(PKG_BUILD_DIR)/
|
|
|
|
ifeq ($(CONFIG_IB_STANDALONE),)
|
|
echo '## Remote package repositories' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
$(call FeedSourcesAppend,$(PKG_BUILD_DIR)/repositories.conf)
|
|
$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
|
|
endif
|
|
|
|
ifeq ($(CONFIG_BUILDBOT),)
|
|
$(INSTALL_DIR) $(PKG_BUILD_DIR)/packages
|
|
echo '' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
echo 'src imagebuilder file:packages' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
|
|
ifeq ($(CONFIG_IB_STANDALONE),)
|
|
$(FIND) $(call FeedPackageDir,libc) -type f \
|
|
\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' -or -name 'kmod-*.ipk' \) \
|
|
-exec $(CP) -t $(PKG_BUILD_DIR)/packages {} +
|
|
else
|
|
$(FIND) $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' \
|
|
-exec $(CP) -t $(PKG_BUILD_DIR)/packages/ {} +
|
|
endif
|
|
else
|
|
$(FIND) $(call FeedPackageDir,libc) -type f \
|
|
\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' \) \
|
|
-exec $(CP) -t $(IB_LDIR)/ {} +
|
|
endif
|
|
|
|
ifneq ($(CONFIG_SIGNATURE_CHECK),)
|
|
echo '' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
|
|
$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
|
|
$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
|
|
$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
|
|
endif
|
|
|
|
$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
|
|
if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
|
|
$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
|
|
fi
|
|
rm -rf \
|
|
$(PKG_BUILD_DIR)/target/linux/*/files{,-*} \
|
|
$(PKG_BUILD_DIR)/target/linux/*/patches{,-*} \
|
|
$(PKG_BUILD_DIR)/target/linux/generic/{pending,backport,hack}{,-*}
|
|
-cp $(KERNEL_BUILD_DIR)/* $(IB_KDIR)/ # don't copy subdirectories here
|
|
-cp $(LINUX_DIR)/.config $(IB_LDIR)/
|
|
rm -f $(IB_KDIR)/root.*
|
|
rm -f $(IB_KDIR)/vmlinux.debug
|
|
if [ -x $(LINUX_DIR)/scripts/dtc/dtc ]; then \
|
|
$(INSTALL_DIR) $(IB_LDIR)/scripts/dtc; \
|
|
$(INSTALL_BIN) $(LINUX_DIR)/scripts/dtc/dtc $(IB_LDIR)/scripts/dtc/dtc; \
|
|
fi
|
|
if [ -d $(LINUX_DIR)/arch/$(LINUX_KARCH)/boot/dts ]; then \
|
|
$(CP) -L $(LINUX_DIR)/arch/$(LINUX_KARCH)/boot/dts/* $(IB_DTSDIR); \
|
|
fi
|
|
$(SED) 's,^# REVISION:=.*,REVISION:=$(REVISION),g' $(PKG_BUILD_DIR)/include/version.mk
|
|
find $(PKG_BUILD_DIR) -name CVS -o -name .git -o -name .svn \
|
|
| $(XARGS) rm -rf
|
|
$(INSTALL_DIR) $(IB_IDIR)
|
|
-$(CP) $(STAGING_DIR_IMAGE)/* $(IB_IDIR)/
|
|
$(INSTALL_DIR) $(PKG_BUILD_DIR)/staging_dir/host/bin
|
|
$(CP) $(STAGING_DIR_HOST)/bin/* $(PKG_BUILD_DIR)/staging_dir/host/bin/
|
|
(cd $(PKG_BUILD_DIR); find staging_dir/host/bin/ $(IB_LDIR)/scripts/dtc/ -type f | \
|
|
$(XARGS) $(SCRIPT_DIR)/bundle-libraries.sh $(PKG_BUILD_DIR)/staging_dir/host)
|
|
$(CP) $(TOPDIR)/staging_dir/host/lib/libfakeroot* $(PKG_BUILD_DIR)/staging_dir/host/lib
|
|
STRIP=$(STAGING_DIR_HOST)/bin/sstrip $(SCRIPT_DIR)/rstrip.sh $(PKG_BUILD_DIR)/staging_dir/host/bin/
|
|
(cd $(BUILD_DIR); \
|
|
tar -I '$(STAGING_DIR_HOST)/bin/xz -7e -T$(if $(filter 1,$(NPROC)),2,0)' -cf $@ $(IB_NAME) \
|
|
--mtime="$(shell date --date=@$(SOURCE_DATE_EPOCH))"; \
|
|
)
|
|
|
|
download:
|
|
prepare:
|
|
compile: $(BIN_DIR)/$(IB_NAME).tar.xz
|
|
install: compile
|
|
|
|
clean: FORCE
|
|
rm -rf $(PKG_BUILD_DIR) $(BIN_DIR)/$(IB_NAME).tar.xz
|