Create installation limit for the OpenWrt bin file

I want to restrict OpenWrt to install the bin file so that only the files that I build myself on openwrt are installed.
What should I do for this?

Please better explain your goal, including what "installed" means.

If I've got root access to a device running your build, I can install anything I want from anywhere, pretty much no matter what you might try for signing to prevent it.


I mean, in the sysupgrade section
On the webpage
To install the file (bin file)
Only the file I have created from the openwrt source can be installed

Depending on your "level of security", changing the feeds configuration would mean that the LuCI page would access a repo that you hosted.

Going past that, removal of the ability to change/add repos from LuCI would be the next steps, if that were needed.

1 Like

I did not catch
Is this level of security to be determined in the source?
Can you explain more fully?
I want the ability to upgrade, but only the file that I create can be installed, I do not want to delete this feature.

You need to describe how secure you need this.

I can change the repo sources in "stock" LuCI.

I can change them with access to the file system.

I can flash any image I want through LuCI or the command line.

1 Like

I know all this
I need to setup (in the source or in menuconfig) to just get my file on the webpage.
You imagine there is no access to the command line and there is only a web page

distfeeds.conf for packages

It's still not clear what you mean by this. Since you understand what you want, you probably should look at the LuCI source and edit appropriately.

1 Like

no . i dont want limit onpacakge install
i want set limit for .bin upgrade file . sysupgrade from webpage
i want just upgrade modem with my builede file from openwrt source

Is this compatible with GPL?

1 Like

I surmise you could write something to:

  • When compiling, place your own signature at the beginning of the BIN
  • Write code for sysupgrade to check that header and skip/strip it

I surmise you could just jump to step 2 only; and add any header yourself prior to flashing. Since you have to code anyways, I surmise that you'd also perform step 1 to "self-create" the needed BIN file.

Be advised, if the device has bootloader access (i.e. via serial or interrupt-boot), this can be circumvented anyway. Also, I haven't though much into how a low RAM device may do the strip step (as software like dd makes a second copy in an output file).

1 Like

The sysupgrade process handles "big files" using shell pipelines.

As a result, since there is no pipefail or PIPESTATUS in sh and a pipe returns the last command's status, error detection and reporting in the sysupgrade process is more complex that I had hoped, when I started looking into that recently.

1 Like

I saw recently in the openwrt commit history a commit that added the feature for signing sysugrade images... If i´m right it should be first enabled for the testing ath79 target...

@komeilkma Are you looking for something like this?

This is probably a start for your planned sysupgrade restriction.

hi dear friends
i can check whick refrence for hoe set CHECK_IMAGE_SIGNARURE for bin file and set on sysupgrade ?

i write this code on javascript
but i want a standard way for this

I do not understand what you want to say with this...?

With this code every image that you build is signed by your self signed ucert certificate that is auto generated on first build...
So if you add your file with your fingerprint as name to /etc/opkg/keys, you can verify your self build image with your self signed public build key...

You have to modify the existing code to only accept your own ucert certificate and not all other ucert files from /etc/opkg/keys and to enforce the verification.

1 Like