From 2cedabbd4107ac085310567356c21f27f786afc8 Mon Sep 17 00:00:00 2001 From: Bjørn Mork Date: Sat, 11 May 2019 23:54:57 +0200 Subject: WiP: producing a verifiable image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Assuming we have the correct key to verify with... Signed-off-by: Bjørn Mork --- Makefile | 41 +++++++++++++++++++++++++++++++++++++++-- dcs8000lh-configure.py | 3 +++ 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 8a7381f..7dcd9d5 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,49 @@ # SPDX-License-Identifier: GPL-2.0 # Copyright(c) 2019 Bjørn Mork -FILES=version opt.local +FILES=version opt.local +PRIKEY=PriKey.pem +SIGNKEY=signkey.pem -all: opt.squashfs +all: fw.tar version: dcs8000lh-configure.py sed -ne 's/"//g' -e 's/^VERSION *= *//p' dcs8000lh-configure.py >$@ opt.squashfs: $(FILES) mksquashfs $(FILES) $@ -all-root -comp xz + +aes.key: + openssl rand 16 > $@ + +aes.key.rsa: aes.key $(PRIKEY) + openssl rsautl -encrypt -in aes.key -inkey $(PRIKEY) -out $@ + +### FIXME: This is verified using the pubkey in /etc/db/verify.key, which will fail +sign.sha1.rsa: sign.sha1 $(SIGNKEY) + openssl rsautl -sign -inkey $(SIGNKEY) -out sign.sha1.rsa -in sign.sha1 + +$(SIGNKEY): + openssl genrsa -out $(SIGNKEY) + +sign.sha1: update.bin.aes aes.key.rsa certificate.info update.sha1 + cat $^ | openssl dgst -sha1 | cut -d' ' -f2 > $@ + +fw.tar: certificate.info aes.key.rsa sign.sha1.rsa update.aes update.bin.aes + tar cvf $@ $^ + +update.sha1: update.aes + openssl dgst -sha1 $^ | cut -d' ' -f2 > $@ + +update.aes: aes.key opt.squashfs + openssl aes-128-cbc -md md5 -kfile aes.key -nosalt -e -out $@ -in opt.squashfs + +update.bin.aes: aes.key update.bin + openssl aes-128-cbc -md md5 -kfile aes.key -nosalt -e -out $@ -in update.bin + +clean: + rm *.rsa *.aes opt.squashfs sign.sha1 + +distclean: clean + rm aes.key + diff --git a/dcs8000lh-configure.py b/dcs8000lh-configure.py index 8f223d1..fff7e9d 100755 --- a/dcs8000lh-configure.py +++ b/dcs8000lh-configure.py @@ -124,6 +124,7 @@ if __name__ == '__main__': parser.add_argument("--command", help="Run command on IPCam") parser.add_argument("--telnetd", help="Start telnet server on IPCam", action="store_true") parser.add_argument("--lighttpd", help="Start web server on IPCam", action="store_true") + parser.add_argument("--unsignedfw", help="Allow unsigned firmware", action="store_true") parser.add_argument("--attrs", help="Dump IPCam GATT characteristics", action="store_true") parser.add_argument("-V", "--version", action="version", version="%(prog)s " + VERSION) args = parser.parse_args() @@ -147,6 +148,8 @@ if __name__ == '__main__': cam.run_command("pidof telnetd||telnetd") if args.lighttpd: cam.run_command("/etc/rc.d/init.d/extra_lighttpd.sh start") + if args.unsignedfw: + cam.run_command("tdb set SecureFW _TrustLevel_byte=0") if args.attrs: cam.dumpchars() -- cgit v1.2.3