KumiSystems/openwrtv4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
openwrtv4/package/base-files/files/lib/upgrade/fwtool.sh
Daniel Golle 8174853c78 base-files: introduce sysupgrade signature chain verification 
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-08-08 02:22:54 +02:00

64 lines
1.4 KiB
Bash
Raw Blame History

fwtool_check_signature() {
[ $# -gt 1 ] && return 1
[ ! -x /usr/bin/ucert ] && {
if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
return 1
else
return 0
fi
}
if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
echo "Image signature not found"
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
}
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
return 0
fi
ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
return $?
}
fwtool_check_image() {
[ $# -gt 1 ] && return 1
. /usr/share/libubox/jshn.sh
if ! fwtool -q -i /tmp/sysupgrade.meta "$1"; then
echo "Image metadata not found"
[ "$REQUIRE_IMAGE_METADATA" = 1 -a "$FORCE" != 1 ] && {
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
}
[ "$REQUIRE_IMAGE_METADATA" = 1 ] && return 1
return 0
fi
json_load "$(cat /tmp/sysupgrade.meta)" || {
echo "Invalid image metadata"
return 1
}
device="$(cat /tmp/sysinfo/board_name)"
json_select supported_devices || return 1
json_get_keys dev_keys
for k in $dev_keys; do
json_get_var dev "$k"
[ "$dev" = "$device" ] && return 0
done
echo "Device $device not supported by this image"
echo -n "Supported devices:"
for k in $dev_keys; do
json_get_var dev "$k"
echo -n " $dev"
done
echo
return 1
}
Reference in a new issue View git blame Copy permalink