imagebuilder: add package signature verification

The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are same as in
shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows to add the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilders local key.

Signed-off-by: Paul Spooren <mail@aparcar.org>

2 files changed, 39 insertions, 2 deletions

diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
index 8b2f4e5af6..a96f8618e8 100644
--- a/target/imagebuilder/Makefile
+++ b/target/imagebuilder/Makefile
@@ -61,6 +61,14 @@ else
 		-exec $(CP) -t $(IB_LDIR)/ {} +
 endif
 
+ifneq ($(CONFIG_SIGNATURE_CHECK),)
+	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
+	echo 'option check_signature'                                  >> $(PKG_BUILD_DIR)/repositories.conf
+	$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
+	$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
+	$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
+endif
+
 	$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
 	if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
 		$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 0ce5f8b39b..65cba92b32 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -46,6 +46,7 @@ Building images:
 	make image BIN_DIR="<path>" # alternative output directory for the images
 	make image EXTRA_IMAGE_NAME="<string>" # Add this to the output image filename (sanitized)
 	make image DISABLED_SERVICES="<svc1> [<svc2> [<svc3> ..]]" # Which services in /etc/init.d/ should be disabled
+	make image ADD_LOCAL_KEY=1 # store locally generated signing key in built images
 
 Print manifest:
 	List "all" packages which get installed into the image.
@@ -64,8 +65,10 @@ help: FORCE
 # override variables from rules.mk
 PACKAGE_DIR:=$(TOPDIR)/packages
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
+export OPKG_KEYS:=$(TOPDIR)/keys
 OPKG:=$(call opkg,$(TARGET_DIR)) \
 	-f $(TOPDIR)/repositories.conf \
+	--verify-program $(SCRIPT_DIR)/opkg-key \
 	--cache $(DL_DIR) \
 	--lists-dir $(LISTS_DIR)
 
@@ -133,7 +136,9 @@ package_index: FORCE
 	@echo Building package index... >&2
 	@mkdir -p $(TMP_DIR) $(TARGET_DIR)/tmp
 	(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . > Packages && \
-		gzip -9nc Packages > Packages.gz \
+		gzip -9nc Packages > Packages.gz; \
+		$(if $(CONFIG_SIGNATURE_CHECK), \
+			$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY)); \
 	) >/dev/null 2>/dev/null
 	$(OPKG) update >&2 || true
 
@@ -165,9 +170,14 @@ prepare_rootfs: FORCE
 	@echo Finalizing root filesystem...
 
 	$(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG)
+	$(if $(CONFIG_SIGNATURE_CHECK), \
+		$(if $(ADD_LOCAL_KEY), \
+			OPKG_KEYS=$(TARGET_DIR)/etc/opkg/keys/ \
+			$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
+		) \
+	)
 	$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
 
-
 build_image: FORCE
 	@echo
 	@echo Building images...
@@ -206,8 +216,26 @@ ifneq ($(PROFILE),)
   endif
 endif
 
+_check_keys: FORCE
+ifneq ($(CONFIG_SIGNATURE_CHECK),)
+	@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
+		echo Generate local signing keys... >&2; \
+		$(STAGING_DIR_HOST)/bin/usign -G \
+			-s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"; \
+		$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub; \
+	fi
+	if [ ! -s $(BUILD_KEY).ucert ]; then \
+		echo Generate local certificate... >&2; \
+		$(STAGING_DIR_HOST)/bin/ucert -I \
+			-c $(BUILD_KEY).ucert \
+			-p $(BUILD_KEY).pub \
+			-s $(BUILD_KEY); \
+	fi
+endif
+
 image:
 	$(MAKE) -s _check_profile
+	$(MAKE) -s _check_keys
 	(unset PROFILE FILES PACKAGES MAKEFLAGS; \
 	$(MAKE) -s _call_image \
 		$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \
@@ -218,6 +246,7 @@ image:
 
 manifest: FORCE
 	$(MAKE) -s _check_profile
+	$(MAKE) -s _check_keys
 	(unset PROFILE FILES PACKAGES MAKEFLAGS; \
 	$(MAKE) -s _call_manifest \
 		$(if $(PROFILE),USER_PROFILE="$(PROFILE_FILTER)") \