| author | Daniel Golle | 2025-03-29 05:09:09 +0000 |
|---|---|---|
| committer | Daniel Golle | 2025-04-21 15:12:42 +0000 |
| commit | 29ec74b8c7b775debeda7f32fd1f2601dd9b082f (patch) | |
| tree | 442527c13ce04eae97761d97f4a08629c7a317ff | |
| parent | 5175d0a62301ebb2fec6fa83b04946026ce91475 (diff) | |
| download | openwrt-29ec74b8c7b775debeda7f32fd1f2601dd9b082f.tar.gz | |
treewide: validate unified uImage.FIT images before flashing
Prevent flashing truncated or otherwise corrupted uImage.FIT images
by verifying checksums and hashes of all sub-images before flashing
using the newly packaged fit_check_sign tool.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 files changed, 19 insertions, 15 deletions
diff --git a/package/utils/fitblk/Makefile b/package/utils/fitblk/Makefile
index 325963d8e2..b8f881937e 100644
--- a/package/utils/fitblk/Makefile
+++ b/package/utils/fitblk/Makefile
@@ -16,6 +16,7 @@ define Package/fitblk
 SECTION:=base
 CATEGORY:=Base system
 TITLE:=fitblk firmware release tool
+ DEPENDS:=+fit-check-sign
 endef
 define Package/fitblk/description
diff --git a/package/utils/fitblk/files/fit.sh b/package/utils/fitblk/files/fit.sh
index b715a15ddf..839389bed4 100644
--- a/package/utils/fitblk/files/fit.sh
+++ b/package/utils/fitblk/files/fit.sh
@@ -61,3 +61,13 @@ fit_do_upgrade() {
 ;;
 esac
 }
+
+fit_check_image() {
+ local magic="$(get_magic_long "$1")"
+ [ "$magic" != "d00dfeed" ] && {
+ echo "Invalid image type."
+ return 74
+ }
+
+ fit_check_sign -f "$1" >/dev/null || return 74
+}
diff --git a/target/linux/mediatek/filogic/base-files/lib/upgrade/platform.sh b/target/linux/mediatek/filogic/base-files/lib/upgrade/platform.sh
index 622f880604..01753c0a03 100755
--- a/target/linux/mediatek/filogic/base-files/lib/upgrade/platform.sh
+++ b/target/linux/mediatek/filogic/base-files/lib/upgrade/platform.sh
@@ -1,5 +1,5 @@
 REQUIRE_IMAGE_METADATA=1
-RAMFS_COPY_BIN='fitblk'
+RAMFS_COPY_BIN='fitblk fit_check_sign'
 asus_initial_setup() {
@@ -224,11 +224,8 @@ platform_check_image() {
 xiaomi,redmi-router-ax6000-ubootmod|\
 xiaomi,mi-router-wr30u-ubootmod|\
 zyxel,ex5601-t0-ubootmod)
- [ "$magic" != "d00dfeed" ] && {
- echo "Invalid image type."
- return 1
- }
- return 0
+ fit_check_image "$1"
+ return $?
 ;;
 nradio,c8-668gl) # tar magic `ustar`
diff --git a/target/linux/mediatek/mt7622/base-files/lib/upgrade/platform.sh b/target/linux/mediatek/mt7622/base-files/lib/upgrade/platform.sh
index f017509637..9019eb6900 100755
--- a/target/linux/mediatek/mt7622/base-files/lib/upgrade/platform.sh
+++ b/target/linux/mediatek/mt7622/base-files/lib/upgrade/platform.sh
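Review bot: The `fit_check_sign -f "$1"` call in fit_check_image passes no key, so going by the commit description it checks only the hashes embedded in the image, not a signature. That catches truncation and corruption, but it does not authenticate the image, since hashes stored inside a FIT can be regenerated along with the payload. The tool's name suggests otherwise, so I would add a comment above the call such as `# integrity only: verifies embedded sub-image hashes, no key/signature check; 74 = reject image`. The hash-failure path is also silent where the magic check prints a message; consider `fit_check_sign -f "$1" >/dev/null || { echo "Image integrity check failed."; return 74; }`.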
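Review bot: The `fit_check_image "$1"` call in this arm of platform_check_image (and the identical one in the siflower sf21 hunk) depends on fitblk's fit.sh having been sourced and on `fit_check_sign` being present on the running system; if either is missing, the call fails with a shell "not found" status and the image is rejected without a useful message. That is fail-closed, which is the safe direction, but whether every board listed in this arm ships fitblk is not visible here. A one-line comment such as `# fit_check_image is provided by the fitblk package (fit.sh)` would record the dependency. The failure status also changes from 1 to 74, so any caller comparing against 1 rather than non-zero would need checking. platform_check_image starts and ends outside the hunk.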
@@ -1,5 +1,5 @@
 REQUIRE_IMAGE_METADATA=1
-RAMFS_COPY_BIN='fitblk'
+RAMFS_COPY_BIN='fitblk fit_check_sign'
 platform_do_upgrade() {
 local board=$(board_name)
diff --git a/target/linux/mediatek/mt7623/base-files/lib/upgrade/platform.sh b/target/linux/mediatek/mt7623/base-files/lib/upgrade/platform.sh
index bce6709a58..ce40e26afb 100755
--- a/target/linux/mediatek/mt7623/base-files/lib/upgrade/platform.sh
+++ b/target/linux/mediatek/mt7623/base-files/lib/upgrade/platform.sh
@@ -1,5 +1,5 @@
 REQUIRE_IMAGE_METADATA=1
-RAMFS_COPY_BIN='fitblk'
+RAMFS_COPY_BIN='fitblk fit_check_sign'
 # Legacy full system upgrade including preloader for MediaTek SoCs on eMMC or SD
 legacy_mtk_mmc_full_upgrade() {
diff --git a/target/linux/siflower/sf21/base-files/lib/upgrade/platform.sh b/target/linux/siflower/sf21/base-files/lib/upgrade/platform.sh
index ac90f253b4..72f35f6925 100644
--- a/target/linux/siflower/sf21/base-files/lib/upgrade/platform.sh
+++ b/target/linux/siflower/sf21/base-files/lib/upgrade/platform.sh
@@ -1,5 +1,5 @@
 REQUIRE_IMAGE_METADATA=1
-RAMFS_COPY_BIN='fitblk'
+RAMFS_COPY_BIN='fitblk fit_check_sign'
 platform_do_upgrade() {
 local board=$(board_name)
@@ -18,17 +18,13 @@ PART_NAME=firmware
 platform_check_image() {
 local board=$(board_name)
- local magic="$(get_magic_long "$1")"
 [ "$#" -gt 1 ] && return 1
 case "$board" in
 *)
- [ "$magic" != "d00dfeed" ] && {
- echo "Invalid image type."
- return 1
- }
- return 0
+ fit_check_image "$1"
+ return $?
 ;;
 esac |