[LEDE-DEV] automated signed firmware upgrades / hide a secret in image
bb at npl.de
Fri Feb 24 00:40:07 PST 2017
* Michael Richardson <mcr at sandelman.ca> [24.02.2017 09:03]:
> > large random prime numbers. On the server side, we store the product
> > (aka: solution) of these 2 numbers. This is repeated for each generated
> > image. (sorry, it breaks reproducible builds for now)
> Anyone can multiply two large prime numbers to get the solution.
Oh, I was thinking that when you have a large number, e.g.
you cannot easily say what the 2 prime factors are to get this result?
Or is this really a "fast" computation?
> So I can't understand what you are doing.
> You can't hide things in binaries. That's total snake oil.
It is; it's only about having a proof that the image runs.
If several people "say" that the image runs, other routers start
to automatically flash it. I want to make sure that nobody can
fake that information easily.
> I thought from the subject line and explanation that it was to permit a
> firmware image to be validated as being uncorrupted/untainted. One might do
> this before flashing a device with it.
How should this be done before flashing?
If there is a mistake (e.g. a forgotten package during build) the
image itself is fine, but not "good".
> Now I get the impression that the idea for a user to be able to prove
> which firmware image they actually used?
Yes, if the image boots fine the user/a script will send
the 'secret' and a sha256_signature of the image-hash.
These hashes are added to the info.json:
Other users have installed my public.key and can thus check the signature.
Also the flag "firmware_manually_checked" is changed to 'true'.
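The reporting step described in the reply above (a user or script signs the sha256 of the booted image, the record goes into info.json, and other users check it with the reporter's public key), as an added example that is not part of this thread or of the LEDE project's own code. It uses Ed25519 from Go's standard library in place of whatever signing tool the poster has in mind; the JSON field names, the secret marker, the image bytes and the "LEDE-SECRET:" delimiter are constructed assumptions. It also shows the point behind Michael's objection: the "secret" the build embeds in the image can be located by anyone who holds the image file, so it is the signature, not the embedded secret, that ties a report to a particular key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// InstallReport is one entry for info.json. Field names are assumptions;
// the thread only names the flag "firmware_manually_checked".
type InstallReport struct {
	ImageSHA256             string `json:"image_sha256"`
	Signature               string `json:"sha256_signature"`
	FirmwareManuallyChecked bool   `json:"firmware_manually_checked"`
}

// secretMarker is a constructed delimiter marking where the build embedded
// its per-image "secret". Any holder of the image can search for it.
const secretMarker = "LEDE-SECRET:"

// SampleImage returns constructed bytes standing in for a firmware image.
func SampleImage() []byte {
	return []byte("\x7fELF...constructed image bytes...\x00" +
		secretMarker + "deadbeef-cafe\x00trailer")
}

// ExtractSecret returns the bytes following secretMarker up to the next NUL,
// showing that the embedded secret is readable without ever booting the image.
func ExtractSecret(image []byte) ([]byte, bool) {
	i := bytes.Index(image, []byte(secretMarker))
	if i < 0 {
		return nil, false
	}
	start := i + len(secretMarker)
	end := bytes.IndexByte(image[start:], 0)
	if end < 0 {
		return image[start:], true
	}
	return image[start : start+end], true
}

// ImageHash is the hex sha256 of the whole image file.
func ImageHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// NewReporterKey generates the key pair whose public half other users install.
func NewReporterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport is what the user/script runs after a successful boot: it signs the
// image hash and sets the flag the thread mentions.
func SignReport(priv ed25519.PrivateKey, image []byte) InstallReport {
	h := ImageHash(image)
	sig := ed25519.Sign(priv, []byte(h))
	return InstallReport{ImageSHA256: h, Signature: hex.EncodeToString(sig), FirmwareManuallyChecked: true}
}

// VerifyReport is what another router runs before auto-flashing: the hash in
// the report must match the image it actually downloaded, and the signature
// must verify under the installed public key.
func VerifyReport(pub ed25519.PublicKey, image []byte, r InstallReport) bool {
	if r.ImageSHA256 != ImageHash(image) {
		return false
	}
	sig, err := hex.DecodeString(r.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(r.ImageSHA256), sig)
}

func main() {
	pub, priv, err := NewReporterKey()
	if err != nil {
		panic(err)
	}
	image := SampleImage()
	if s, ok := ExtractSecret(image); ok {
		fmt.Printf("secret read straight out of the image file: %q\n", s)
	}
	r := SignReport(priv, image)
	out, _ := json.MarshalIndent(r, "", "  ")
	fmt.Printf("info.json entry:\n%s\n", out)
	fmt.Println("verifies with reporter's public key:", VerifyReport(pub, image, r))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 1
	fmt.Println("same report against a modified image:", VerifyReport(pub, tampered, r))
}
```

The signature proves that the holder of the private key vouched for that particular hash; whether that person really booted the image is a matter of trusting the reporter, which is why the check only means something when verifiers install public keys of reporters they trust.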