update not signed firmware with signed swu


Piotr Łobacz

Sep 22, 2023, 4:31:33 AM
to swupdate
As in the subject, is this even possible? From my perspective this is a backdoor, but unfortunately we have so many devices in the field that getting them back would be problematic...

James Hilliard

Sep 22, 2023, 4:41:37 AM
to Piotr Łobacz, swupdate
On Fri, Sep 22, 2023 at 2:31 AM Piotr Łobacz <pio.l...@gmail.com> wrote:
>
> As in the subject, is this even possible? From my perspective this is a backdoor, but unfortunately we have so many devices in the field that getting them back would be problematic...

Why would this be an issue? There's nothing preventing you from
flashing firmware that enforces signatures for updates over firmware
that doesn't.


Stefano Babic

Sep 22, 2023, 4:41:38 AM
to Piotr Łobacz, swupdate
On 22.09.23 10:31, Piotr Łobacz wrote:
> As in the subject, is this even possible? From my perspective this is a
> backdoor

It is not: you have running firmware in field that allows to be upgraded
with not signed firmware. You already allow to update with any firmware
because the verification is turned off. There is no backdoor, you have
just security to low level.

> but unfortunately we have so many devices in the field that
> getting them back would be problematic...

It works, why shouldn't ? Your fw in field does not verify - that means
a signed SWU won't be verified and will be installed, exactly as any not
signed SWU.

If the new firmware has activated Signed Images, from that point the
device will just accept signed images. That means this is a one way
update, and downgrading won't be possible anymore.

Best regards,
Stefano Babic


James Hilliard

Sep 22, 2023, 4:44:59 AM
to Stefano Babic, Piotr Łobacz, swupdate
Technically downgrading would be possible, if you have the private key
needed to sign firmware as you could sign a firmware update that doesn't
enforce signatures.

>
> Best regards,
> Stefano Babic

Stefano Babic

Sep 22, 2023, 5:46:07 AM
to James Hilliard, Piotr Łobacz, swupdate
On 22.09.23 10:44, James Hilliard wrote:
> On Fri, Sep 22, 2023 at 2:41 AM Stefano Babic
> <stefan...@swupdate.org> wrote:
>>
>> On 22.09.23 10:31, Piotr Łobacz wrote:
>>> As in the subject, is this even possible? From my perspective this is a
>>> backdoor
>>
>> It is not: you have running firmware in field that allows to be upgraded
>> with not signed firmware. You already allow to update with any firmware
>> because the verification is turned off. There is no backdoor, you have
>> just security to low level.
>>
>>> but unfortunately we have so many devices in the field that
>>> getting them back would be problematic...
>>
>> It works, why shouldn't ? Your fw in field does not verify - that means
>> a signed SWU won't be verified and will be installed, exactly as any not
>> signed SWU.
>>
>> If the new firmware has activated Signed Images, from that point the
>> device will just accept signed images. That means this is a one way
>> update, and downgrading won't be possible anymore.
>
> Technically downgrading would be possible, if you have the private key
> needed to sign firmware as you could sign a firmware update that doesn't
> enforce signatures.

Yes, you can re-sign the old software. I think it is just a theoretical
case because the old software will have signed images disabled and will
still allow everything, surely not wanted.

Stefano


Piotr Łobacz

Sep 22, 2023, 5:49:32 AM
to swupdate
OK so I should be able to install not signed firmware but with verification turned on and after that install signed firmware?

Piotr Łobacz

Sep 22, 2023, 5:58:42 AM
to swupdate
On Friday, September 22, 2023 at 11:46:07 UTC+2, Stefano Babic wrote:
On 22.09.23 10:44, James Hilliard wrote:
> On Fri, Sep 22, 2023 at 2:41 AM Stefano Babic
> <stefan...@swupdate.org> wrote:
>>
>> On 22.09.23 10:31, Piotr Łobacz wrote:
>>> As in the subject, is this even possible? From my perspective this is a
>>> backdoor
>>
>> It is not: you have running firmware in field that allows to be upgraded
>> with not signed firmware. You already allow to update with any firmware
>> because the verification is turned off. There is no backdoor, you have
>> just security to low level.
>>
>>> but unfortunately we have so many devices in the field that
>>> getting them back would be problematic...
>>
>> It works, why shouldn't ? Your fw in field does not verify - that means
>> a signed SWU won't be verified and will be installed, exactly as any not
>> signed SWU.

Because I have this error?

root@eg /home/admins/admin> swupdate -v -i qemu-eg600.swu 
SWUpdate v2023.05

Licensed under GPLv2. See source distribution for detailed copyright notices.

[TRACE] : SWUPDATE running :  [print_registered_bootloaders] : Registered bootloaders:
[TRACE] : SWUPDATE running :  [print_registered_bootloaders] :  none    loaded.
[INFO ] : SWUPDATE running :  [main] : Using default bootloader interface: none
[INFO ] : SWUPDATE running :  [main] : Running on MPA Revision qemu-eg600
[INFO ] : SWUPDATE running :  [print_registered_handlers] : Registered handlers:
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     dummy
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     archive
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     tar
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     raw
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     rawfile
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     shellscript
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     preinstall
[INFO ] : SWUPDATE running :  [print_registered_handlers] :     postinstall
[DEBUG] : SWUPDATE running :  [read_module_settings] : No config settings found for module versions
[TRACE] : SWUPDATE running :  [listener_create] : got no socket at /tmp/swupdateprog from systemd
[TRACE] : SWUPDATE running :  [listener_create] : creating socket at /tmp/swupdateprog
[TRACE] : SWUPDATE running :  [network_initializer] : Main loop daemon
[TRACE] : SWUPDATE running :  [listener_create] : got no socket at /tmp/sockinstctrl from systemd
[TRACE] : SWUPDATE running :  [listener_create] : creating socket at /tmp/sockinstctrl
[TRACE] : SWUPDATE running :  [network_thread] : Incoming network request: processing...
[INFO ] : SWUPDATE started :  Software Update started !
[TRACE] : SWUPDATE running :  [network_initializer] : Software update started
[TRACE] : SWUPDATE running :  [extract_file_to_tmp] : Found file
[TRACE] : SWUPDATE running :  [extract_file_to_tmp] :   filename sw-description
[TRACE] : SWUPDATE running :  [extract_file_to_tmp] :   size 2109
[DEBUG] : SWUPDATE running :  [parse_cfg] : Parsing config file /tmp/sw-description
[TRACE] : SWUPDATE running :  [get_common_fields] : Version 1.0
[TRACE] : SWUPDATE running :  [parse_hw_compatibility] : Accepted Hw Revision : qemu-eg600
[TRACE] : SWUPDATE running :  [_parse_files] : Found File: boot-scripts-image-qemu-eg600.tar.gz --> /boot/boot_scripts.tar.gz (/dev/update)
[TRACE] : SWUPDATE running :  [_parse_files] : Found File: bzImage-initramfs-qemu-eg600.bin --> /bzImage (/dev/update)
[TRACE] : SWUPDATE running :  [_parse_images] : Found compressed Image: welotec-base-image-qemu-eg600.tar.gz in device : / for handler archive
[TRACE] : SWUPDATE running :  [_parse_scripts] : Found Script: update_ids.py
[TRACE] : SWUPDATE running :  [_parse_scripts] : Found Script: save_ids.py
[TRACE] : SWUPDATE running :  [_parse_scripts] : Found Script: sw-update-script.sh
[WARN ] : SWUPDATE running :  [check_field_string] : Configuration Key is empty!
[TRACE] : SWUPDATE running :  [_parse_scripts] : Found Script: check_os_version.py
[ERROR] : SWUPDATE failed [0] ERROR parser.c : check_hash_absent : 52 : hash verification not enabled but hash supplied for welotec-base-image-qemu-eg600.tar.gz
[TRACE] : SWUPDATE running :  [parse] : Number of found artifacts: 3
[TRACE] : SWUPDATE running :  [parse] : Number of scripts: 4
[TRACE] : SWUPDATE running :  [parse] : Number of steps to be run: 11
[ERROR] : SWUPDATE failed [0] ERROR stream_interface.c : extract_files : 183 : Compatible SW not found
[ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ...
swupdate_image_write failed: Connection reset by peer
[ERROR] : SWUPDATE failed [0] ERROR install_from_file.c : endupdate : 55 : SWUpdate *failed* !
[TRACE] : SWUPDATE running :  [network_initializer] : Main thread sleep again !
[INFO ] : No SWUPDATE running :  Waiting for requests..
 
>> If the new firmware has activated Signed Images, from that point the
>> device will just accept signed images. That means this is a one way
>> update, and downgrading won't be possible anymore.
>
> Technically downgrading would be possible, if you have the private key
> needed to sign firmware as you could sign a firmware update that doesn't
> enforce signatures.

Yes, you can re-sign the old software. I think it is just a theoretical
case because the old software will have signed images disabled and will
still allow everything, surely not wanted.

Stefano

Piotr

Stefano Babic

Sep 22, 2023, 6:03:48 AM
to Piotr Łobacz, swupdate
Because you have also *completely* disabled all crypto support in
SWUpdate (the version running in field), that means CONFIG_HASH_VERIFY=n

In such a way, you have to drop the sha256 attributes in
sw-description. The update will then install a version with signed
images activated into swupdate, and for next updates will work.

Regards,
Stefano
--
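
Added example (not part of the thread and not SWUpdate code): a pre-flight check a release pipeline could run before shipping the one-off "bridge" update described above. It models the two parser rules discussed here as an assumption (a build without CONFIG_HASH_VERIFY rejects any entry carrying sha256, as in the posted log; a build with signed images enabled needs sha256 on every entry). The sw-description content, the function names and the two boolean build flags are constructed for illustration.

```python
import re

# Constructed sw-description (libconfig syntax). File names come from the log
# in this thread; the digest is a placeholder, not a real value.
SW_DESCRIPTION = '''software =
{
    version = "1.0";
    hardware-compatibility: [ "qemu-eg600" ];
    files: (
        { filename = "bzImage-initramfs-qemu-eg600.bin"; path = "/bzImage"; }
    );
    images: (
        {
            filename = "welotec-base-image-qemu-eg600.tar.gz";
            type = "archive";
            sha256 = "<sha256-of-artifact>";
        }
    );
}
'''

# Flat entry blocks only; entries with nested {...} groups are not matched.
ENTRY = re.compile(r'\{[^{}]*\bfilename\s*=\s*"([^"]+)"[^{}]*\}')
SHA = re.compile(r'[ \t]*\bsha256\s*=\s*"[^"]*"\s*;[ \t]*\n?')

def artifacts(desc):
    """Map each artifact filename to whether its entry carries sha256."""
    return {m.group(1): bool(SHA.search(m.group(0))) for m in ENTRY.finditer(desc)}

def preflight(desc, hash_verify, signed_images):
    """List entries the target build is expected to reject (assumed model)."""
    problems = []
    for name, has_hash in artifacts(desc).items():
        if has_hash and not hash_verify:
            problems.append(f"{name}: hash supplied but hash verification not enabled")
        if signed_images and not has_hash:
            problems.append(f"{name}: no sha256 but signed images are enforced")
    return problems

def bridge_variant(desc):
    """sw-description for the one-off update to devices built without crypto."""
    return SHA.sub("", desc)

if __name__ == "__main__":
    print(preflight(SW_DESCRIPTION, hash_verify=False, signed_images=False))
    print(preflight(bridge_variant(SW_DESCRIPTION), False, False))
```

Run with the flags of the SWUpdate build already on the devices for the bridge package, and with both flags set for every package built after it.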

Piotr Łobacz

Sep 22, 2023, 6:06:40 AM
to swupdate
OK, so it is the way as I have written previously: to add this feature in SWUPDATE without signing the firmware, then all next updates must be signed :) thx Stefan

BR
Piotr