[LEDE-DEV] automated signed firmware upgrades / hide a secret in image

Bastian Bittorf bb at npl.de
Fri Feb 24 00:40:07 PST 2017

* Michael Richardson <mcr at sandelman.ca> [24.02.2017 09:03]:
>     > large random prime numbers. On the serverside, we store the product
>     > (aka: solution) of these 2 numbers. This is repeated for each generated
>     > image. (sorry, it breaks reproducible builds for now)
> Anyone can multiply two large prime numbers to get the solution.

Oh, I was thinking that when you have a large number, e.g.

you cannot easily say what the 2 prime factors are to get this result?
Or is this really a "fast" computation?

> So I can't understand what you are doing.
> You can't hide things in binaries.  That's total snake oil.

It is, it's only about having a proof that the image runs.
If several people "say" that the image runs, other routers start
to automatically flash it. I want to make sure that nobody can
fake that information easily.

> I thought from the subject line and explanation that it was to permit a
> firmware image to be validated as being uncorrupted/tained.  One might do
> this before flashing a device with it.

How should this be done before flashing?
If there is a mistake (e.g. a forgotten package during build) the
image itself is fine, but not "good".

> Now I get the impression that the idea for a user to be able to prove
> which firmware image they actually used?

Yes, if the image boots fine the user/a script will send
the 'secret' and a sha256_signature of the image-hash.
These hashes are added to the info.json
(see: 'bittorf').

Other users have installed my public.key and can thus check the signature.
Also, the flag "firmware_manually_checked" is changed to 'true'.

bye, bastian
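What the check by the "other users" amounts to, as an added example that is not code from this post or from any LEDE script: the attesting script signs the sha256 of the image, and a router that has installed the public key sets firmware_manually_checked only after verifying that signature against the hash of the image it actually holds. Ed25519, the hex encoding and the info.json layout (one entry per user plus the flag) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Attestation is one user's entry in info.json; the layout is an assumption.
type Attestation struct {
	ImageSHA256 string `json:"image_sha256"`
	Signature   string `json:"signature"` // hex, ed25519 over the raw 32-byte hash
}

// Attest is what the script on a router that booted the image sends:
// the image hash plus a signature over it made with the user's private key.
func Attest(priv ed25519.PrivateKey, image []byte) Attestation {
	h := sha256.Sum256(image)
	return Attestation{hex.EncodeToString(h[:]), hex.EncodeToString(ed25519.Sign(priv, h[:]))}
}

// Verify is what another router does with the installed public key: recompute the
// hash of the image it actually holds and check the signature covers exactly that hash.
func Verify(pub ed25519.PublicKey, image []byte, a Attestation) bool {
	h := sha256.Sum256(image)
	if a.ImageSHA256 != hex.EncodeToString(h[:]) {
		return false // attestation is for some other image
	}
	sig, err := hex.DecodeString(a.Signature)
	return err == nil && ed25519.Verify(pub, h[:], sig)
}

// MarkChecked records a verified attestation under user in info.json (which must be a
// JSON object) and only then sets firmware_manually_checked; an attestation that fails
// to verify changes nothing.
func MarkChecked(pub ed25519.PublicKey, image, info []byte, user string, a Attestation) ([]byte, error) {
	if !Verify(pub, image, a) {
		return nil, errors.New("attestation does not verify; flag left unchanged")
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(info, &doc); err != nil {
		return nil, err
	}
	entry, _ := json.Marshal(a) // cannot fail for this struct
	doc[user] = entry
	doc["firmware_manually_checked"] = json.RawMessage("true")
	return json.Marshal(doc)
}
```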
