author | Bjørn Mork <bjorn@mork.no> | 2019-05-11 23:54:57 +0200 |
---|---|---|
committer | Bjørn Mork <bjorn@mork.no> | 2019-05-11 23:55:02 +0200 |
commit | 2cedabbd4107ac085310567356c21f27f786afc8 (patch) | |
tree | a61fa07d5c4dbcd2628b31f3f03be21cb0373e79 | |
parent | 0922d41d55d509b71e8e73505ed265f49f531863 (diff) |
WiP: producing a verifiable image
Assuming we have the correct key to verify with...
Signed-off-by: Bjørn Mork <bjorn@mork.no>
-rw-r--r-- | Makefile | 41 | ||||
-rwxr-xr-x | dcs8000lh-configure.py | 3 |
2 files changed, 42 insertions, 2 deletions
@@ -1,12 +1,49 @@
 # SPDX-License-Identifier: GPL-2.0
 # Copyright(c) 2019 Bjørn Mork <bjorn@mork.no>
-FILES=version opt.local
+FILES=version opt.local
+PRIKEY=PriKey.pem
+SIGNKEY=signkey.pem
-all: opt.squashfs
+all: fw.tar
 version: dcs8000lh-configure.py
 sed -ne 's/"//g' -e 's/^VERSION *= *//p' dcs8000lh-configure.py >$@
 opt.squashfs: $(FILES)
 mksquashfs $(FILES) $@ -all-root -comp xz
+
+aes.key:
+ openssl rand 16 > $@
+
+aes.key.rsa: aes.key $(PRIKEY)
+ openssl rsautl -encrypt -in aes.key -inkey $(PRIKEY) -out $@
+
+### FIXME: This is verified using the pubkey in /etc/db/verify.key, which will fail
+sign.sha1.rsa: sign.sha1 $(SIGNKEY)
+ openssl rsautl -sign -inkey $(SIGNKEY) -out sign.sha1.rsa -in sign.sha1
+
+$(SIGNKEY):
+ openssl genrsa -out $(SIGNKEY)
+
+sign.sha1: update.bin.aes aes.key.rsa certificate.info update.sha1
+ cat $^ | openssl dgst -sha1 | cut -d' ' -f2 > $@
+
+fw.tar: certificate.info aes.key.rsa sign.sha1.rsa update.aes update.bin.aes
+ tar cvf $@ $^
+
+update.sha1: update.aes
+ openssl dgst -sha1 $^ | cut -d' ' -f2 > $@
+
+update.aes: aes.key opt.squashfs
+ openssl aes-128-cbc -md md5 -kfile aes.key -nosalt -e -out $@ -in opt.squashfs
+
+update.bin.aes: aes.key update.bin
+ openssl aes-128-cbc -md md5 -kfile aes.key -nosalt -e -out $@ -in update.bin
+
+clean:
+ rm *.rsa *.aes opt.squashfs sign.sha1
+
+distclean: clean
+ rm aes.key
+
diff --git a/dcs8000lh-configure.py b/dcs8000lh-configure.py
index 8f223d1..fff7e9d 100755
--- a/dcs8000lh-configure.py
+++ b/dcs8000lh-configure.py
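Review bot: `aes.key` is written as 16 raw bytes by `openssl rand 16`, but `-kfile` in the `update.aes` and `update.bin.aes` recipes reads that file as a text passphrase — first line only, as a C string — so any 0x0a or 0x00 among the 16 bytes silently shortens the passphrase that goes into the `-md md5 -nosalt` key derivation (roughly one generated key in eight). `openssl rand -hex 16 > $@` keeps the 128 bits of entropy in a newline- and NUL-free form; whether the camera treats the RSA-decrypted key the same way after `aes.key.rsa` is not visible here and must be confirmed against the device's decryptor before changing it. Nothing here deletes a half-written target either: a failing `openssl rand` still leaves an empty `aes.key` that the next run accepts as an empty passphrase, so `.DELETE_ON_ERROR:` near the top of the file is cheap insurance. `clean` and `distclean` use bare `rm` and are not declared phony, so a missing `*.rsa` match or a stray file named `clean` breaks them; `rm -f` and `.PHONY: all clean distclean` would fix that.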
@@ -124,6 +124,7 @@ if __name__ == '__main__':
 parser.add_argument("--command", help="Run command on IPCam")
 parser.add_argument("--telnetd", help="Start telnet server on IPCam", action="store_true")
 parser.add_argument("--lighttpd", help="Start web server on IPCam", action="store_true")
+ parser.add_argument("--unsignedfw", help="Allow unsigned firmware", action="store_true")
 parser.add_argument("--attrs", help="Dump IPCam GATT characteristics", action="store_true")
 parser.add_argument("-V", "--version", action="version", version="%(prog)s " + VERSION)
 args = parser.parse_args()
@@ -147,6 +148,8 @@ if __name__ == '__main__':
 cam.run_command("pidof telnetd||telnetd")
 if args.lighttpd:
 cam.run_command("/etc/rc.d/init.d/extra_lighttpd.sh start")
+ if args.unsignedfw:
+ cam.run_command("tdb set SecureFW _TrustLevel_byte=0")
 if args.attrs:
 cam.dumpchars() |
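Review bot: The help string on the new `--unsignedfw` option, `help="Allow unsigned firmware"`, understates what the flag does — the second hunk in this file shows it sends `tdb set SecureFW _TrustLevel_byte=0` to the camera, i.e. it switches off firmware signature verification on the device rather than relaxing a check in this script. Suggest `help="Disable firmware signature verification on IPCam (sets SecureFW _TrustLevel_byte=0)"` so the security impact is visible in `--help`. Whether the setting survives a reboot is not visible here and should be stated in the help text once known. The enclosing `if __name__ == '__main__':` block begins and ends outside this hunk.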
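Review bot: The `if args.unsignedfw:` branch lowers the camera's trust level with a single unconditional `cam.run_command("tdb set SecureFW _TrustLevel_byte=0")`, and this commit adds no way back — the previous value is never read or shown and there is no companion option that restores it, so once a test image has been flashed the user cannot re-enable verification with this tool. At minimum the branch should announce what it is doing, e.g. `print("Disabling firmware signature verification on IPCam")` before the call, and the value it overwrites should be captured first if the on-device `tdb` can read it back (not visible here). A `--signedfw` option that writes the saved value back would complete the pair. The enclosing `if __name__ == '__main__':` block begins and ends outside this hunk.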