From 381da58672dc39ba4542a31ca4a21b41e06ca204 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Wed, 27 Sep 2023 15:28:06 +0200
Subject: [PATCH 1/2] flatcar-postinst: In addition to SHA1, also check SHA256 hash for OEMs

The newer Omaha 3.1 hash_sha256 attribute is now supported by Nebraska and should be used for OEM payloads. Up to now we only checked the regular "hash" attribute for download integrity. It's not really security critical because the payload has its own signature but it's good to migrate all hashsum usage away from SHA1. Find the hash and hash_sha256 attributes and require at least one to be set for the OEM packages. Check the found hash attributes.
---
 flatcar-postinst | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/flatcar-postinst b/flatcar-postinst
index 73e7fa5..9b49722 100644
--- a/flatcar-postinst
+++ b/flatcar-postinst
@@ -71,19 +71,28 @@ sysext_download() {
 entries=$(grep -m 1 -o "]*" "${from}")
 url="${base}/${name}"
 size=$(echo "${entries}" | grep -o 'size="[0-9]*' | cut -d '"' -f 2)
- hash=$(echo "${entries}" | grep -o -P 'hash="[^"]*' | cut -d '"' -f 2) # openssl dgst -binary -sha1 < "$PAYLOAD" | base64
+ hash=$(echo "${entries}" | { grep -o -P 'hash="[^"]*' || true ; } | cut -d '"' -f 2) # openssl dgst -binary -sha1 < "$PAYLOAD" | base64
+ hash_sha256=$(echo "${entries}" | { grep -o -P 'hash_sha256="[^"]*' || true ; } | cut -d '"' -f 2) # sha256sum -b "$PAYLOAD" | cut -d " " -f 1
 fi
 rm -f "${target}.tmp"
 curl -fsSL --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 -o "${target}.tmp" "${url}"
- if [ "${size}" != "" ] && [ "${hash}" != "" ]; then
+ if [ "${base}" != "" ]; then
 if [ "$(stat --printf='%s' "${target}.tmp")" != "${size}" ]; then
 echo "Size mismatch for ${name}" >&2
 return 1 # jump to ret=
 fi
- if [ "$(openssl dgst -binary -sha1 < "${target}.tmp" | base64)" != "${hash}" ]; then
+ if [ "${hash}" = "" ] && [ "${hash_sha256}" = "" ]; then
+ echo "At least one hash is expected, found none in Omaha package for ${name}" >&2
+ return 1 # jump to ret=
+ fi
+ if [ "${hash}" != "" ] && [ "$(openssl dgst -binary -sha1 < "${target}.tmp" | base64)" != "${hash}" ]; then
 echo "Hash mismatch for ${name}" >&2
 return 1 # jump to ret=
 fi
+ if [ "${hash_sha256}" != "" ] && [ "$(sha256sum -b "${target}.tmp" | cut -d " " -f 1)" != "${hash_sha256}" ]; then
+ echo "Hash SHA256 mismatch for ${name}" >&2
+ return 1 # jump to ret=
+ fi
 fi
 # Using "${INSTALL_MNT}" here is ok because it was verified first by update-engine
 PROTOPATH="${INSTALL_MNT}"/share/update_engine/ "${INSTALL_MNT}"/share/update_engine/decode_payload /usr/share/update_engine/update-payload-key.pub.pem "${target}.tmp" "${target}"

From d7d9d520d6bb9c805cbc56040f092d2b71187f09 Mon Sep 17 00:00:00 2001
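Review bot: The new `if [ "${base}" != "" ]` gate no longer requires `size` to be non-empty, yet unlike the two hash extractions the `size=` line carries no `|| true`, so an Omaha package without a size attribute either aborts inside the pipeline (if the script runs under `set -e`, which is not visible here) or falls through to a misleading "Size mismatch" report; an explicit check next to the new "At least one hash" check would make that failure self-describing: `if [ "${size}" = "" ]; then echo "No size found in Omaha package for ${name}" >&2; return 1; fi`. Since the expected size is known before the download, adding `--max-filesize "${size}"` to the curl invocation would also stop an oversized or runaway response from being written to disk before the post-download check rejects it. The SHA-256 comparison is byte-exact against the attribute string while `sha256sum` prints lowercase hex, so an uppercase value from the server would be reported as a mismatch — presumably Nebraska emits lowercase, but it is worth confirming or lowercasing `hash_sha256` before comparing. sysext_download begins and ends outside this hunk.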
From: Kai Lueke
Date: Thu, 28 Sep 2023 11:41:20 +0200
Subject: [PATCH 2/2] flatcar-postinst: Note for tweaking download logic later

Once update-engine can download OEM payloads we should use them as is instead of overwriting them in the postinst hook.
---
 flatcar-postinst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/flatcar-postinst b/flatcar-postinst
index 9b49722..4d74575 100644
--- a/flatcar-postinst
+++ b/flatcar-postinst
@@ -127,7 +127,8 @@ if [ "${OEMID}" != "" ] && { [ -e "${INSTALL_MNT}/share/flatcar/oems/${OEMID}" ]
 fi
 done
 # Note that in the case of VERSION=NEXT_VERSION we will replace the running sysext and maybe it's better
- # to do so than not because it allows to recover from a corrupted file (where the corruption happened on disk)
+ # to do so than not because it allows to recover from a corrupted file (where the corruption happened on disk).
+ # However, as soon as update-engine would already download the payload, we should skip the overwriting.
 SUCCESS=false
 # Preferred is to download from the location given by the Omaha response
 # which only works with a new update-engine client that creates "full-response",