User Tools

Site Tools


docs:guide-developer:security

Security

See Security old for the old page.

This page lists the processes, tools and mechanisms OpenWrt uses to the security of OpenWrt. This covers the OpenWrt distribution with the official package feeds hosted at https://github.com/openwrt/ and also the OpenWrt specific tools hosted at https://git.openwrt.org/ like procd, ubus and libubox

Vulnerability Reporting

Security bugs should be reported in confidentiality to contact@openwrt.org, see Reporting security bugs for details.

Security advisories

Security advisories 2019

Identifying problems

The OpenWrt project uses multiple tools to identify potential security problems. The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone.

uscan

This report shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions. In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID variable of many packages. This page is weekly regenerated for master and the active release branches. https://sdwalker.github.io/uscan/index.html

Coverity Scan

OpenWrt uses the commercial Coverity Scan tool which is available for free to open source projects to do static code analyses on the OpenWrt components. This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project like procd and ubus, but not on (patched) third party components. https://scan.coverity.com/projects/openwrt

Reproducible Builds

OpenWrt releases should be reproducible to make it possible to check that the releases we produced are really matching the source code we delivered and no backdoors were introduced in the build process. The reproducible builds project checks that OpenWrt master is still reproducible and publishes the results here: https://reproducible.debian.net/openwrt/openwrt.html

deliver to users

OpenWrt operates multiple build bot instances which are building snapshots of the master and the supported release branches. See Buildbot for details.

When a change to a package is committed to the OpenWrt base repository of package feed the build bots are automatically detection this change and will rebuild this package. The new newly build package can then be installed with opkg or be integrated with the image builder by users of OpenWrt. This allows us to ship updates in about 2 days to the end users.

The kernel is normally located in its own partition and upgrades are not so easily possible. Therefore this mechanism currently doe snot work for the kernel itself and kernel modules, there a new minor release is needed to ship fixes to end users.

Hardening build options

OpenWrt activates some build hardening options at compile time for all packages build.

Source: config/Config-build.in. Note that individual packages and/or targets may ignore or otherwise not respect these settings.

.config line Enabled by Default? Notes
CONFIG_PKG_CHECK_FORMAT_SECURITY=y Yes -Wformat -Werror=format-security
CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y Yes -fstack-protector
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y -fstack-protector-strong
CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y Yes Kernel config CONFIG_STACKPROTECTOR
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y Kernel config CONFIG_STACKPROTECTOR_STRONG
CONFIG_PKG_FORTIFY_SOURCE_1=y Yes -D_FORTIFY_SOURCE=1 (Using fortify-headers for musl libc)
CONFIG_PKG_FORTIFY_SOURCE_2=y -D_FORTIFY_SOURCE=2 (Using fortify-headers for musl libc)
CONFIG_PKG_RELRO_FULL=y Yes -Wl,-z,now -Wl,-z,relro
CONFIG_PKG_ASLR_PIE=y -PIE (some own spec file)
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-developer/security.txt · Last modified: 2019/12/10 07:50 by ynezz