From 8174853c78f88b854ac66a3f0a5380d36ededa9a Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Mon, 15 Jan 2018 03:37:17 +0100
Subject: base-files: introduce sysupgrade signature chain verification

Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
 package/base-files/files/lib/upgrade/fwtool.sh | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'package/base-files/files/lib/upgrade')

diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
index aa2ac79..3f28fcc 100644
--- a/package/base-files/files/lib/upgrade/fwtool.sh
+++ b/package/base-files/files/lib/upgrade/fwtool.sh
@@ -1,3 +1,28 @@
+fwtool_check_signature() {
+	[ $# -gt 1 ] && return 1
+
+	[ ! -x /usr/bin/ucert ] && {
+		if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
+			return 1
+		else
+			return 0
+		fi
+	}
+
+	if ! fwtool -q -t -s /tmp/sysupgrade.ucert "$1"; then
+		echo "Image signature not found"
+		[ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
+			echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+		}
+		[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
+		return 0
+	fi
+
+	ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
+
+	return $?
+}
+
 fwtool_check_image() {
 	[ $# -gt 1 ] && return 1
 
-- 
cgit v1.1