est_client: prevent downgrades to FW not supporting EST

Fixes: WIFI-14694 Signed-off-by: John Crispin <john@phrozen.org>
2025-10-29 09:32:34 +00:00 · 2025-06-13 14:28:02 +02:00
parent a375b9f774
commit f75a36f89f
2 changed files with 71 additions and 0 deletions
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -126,6 +126,31 @@ function load_operational_ca() {
 	return 0;
 }

+function fwtool() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
+		return 0;
+
+	ulog(LOG_INFO, 'The issuer is insta\n');
+
+	let metadata = fs.readfile('/tmp/sysupgrade.meta');
+	if (metadata)
+		metadata = json(metadata);
+	if (!metadata)
+		return 0;
+
+	if (!metadata.est_supported) {
+		ulog(LOG_INFO, 'The image does not support EST\n');
+		return 1;
+	}
+	ulog(LOG_INFO, 'The image supports EST\n');
+
+	return 0;
+}
+
 switch(ARGV[0]) {
 case 'enroll':
 	if (simpleenroll())
@@ -140,4 +165,7 @@ case 'reenroll':
 	if (simplereenroll())
 		exit(1);
 	exit(0);
+
+case 'fwtool':
+	exit(fwtool());
 }
--- a/patches/0091-fwtool-check-for-EST-support-if-the-cert-was-issued-.patch
+++ b/patches/0091-fwtool-check-for-EST-support-if-the-cert-was-issued-.patch
@@ -0,0 +1,43 @@
+From 8e70ae7c71fb0a31b3b95f156b2d865ba8a07ae8 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Fri, 13 Jun 2025 12:06:48 +0200
+Subject: [PATCH] fwtool: check for EST support if the cert was issued by insta
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ include/image-commands.mk                      | 3 ++-
+ package/base-files/files/lib/upgrade/fwtool.sh | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/image-commands.mk b/include/image-commands.mk
+index d3c9cea293..b7a0d98d3d 100644
+--- a/include/image-commands.mk
+++ b/include/image-commands.mk
+@@ -85,7 +85,8 @@ metadata_json = \
+ 			"revision": "$(call json_quote,$(REVISION))", \
+ 			"target": "$(call json_quote,$(TARGETID))", \
+ 			"board": "$(call json_quote,$(if $(BOARD_NAME),$(BOARD_NAME),$(DEVICE_NAME)))" \
+-		} \
+		}, \
+		"est_supported": 1 \
+ 	}'
+ 
+ define Build/append-metadata
+diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
+index 8bd00a3332..a84eb96baf 100644
+--- a/package/base-files/files/lib/upgrade/fwtool.sh
+++ b/package/base-files/files/lib/upgrade/fwtool.sh
+@@ -51,6 +51,10 @@ fwtool_check_image() {
+ 	json_get_var compatmessage compat_message
+ 	[ -n "$imagecompat" ] || imagecompat="1.0"
+ 
+	if ! est_client fwtool; then
+		return 1
+	fi
+
+ 	# select correct supported list based on compat_version
+ 	# (using this ensures that compatibility check works for devices
+ 	#  not knowing about compat-version)
+-- 
+2.34.1
+