Field | Value | Date
---|---|---
author | mudcam <v.nieutin@live.fr> | 2017-12-07 10:31:22 +0100
committer | ronan [iot.bzh] <ronan.lemartret@iot.bzh> | 2017-12-07 12:52:16 +0100
commit | 981e9b9c4a40e248733d45cfedc6a512bdf95f5e (patch) |
tree | 12526631368064d80c832d6bbf78b20af85c50f7 /security-blueprint/part-8/1-FOTA.md |
parent | bc11e3eaceb629fbf5dee7ed7bfdf696839ddb12 (diff) |
Add proposal for new security blueprint
Diffstat (limited to 'security-blueprint/part-8/1-FOTA.md')
-rw-r--r-- | security-blueprint/part-8/1-FOTA.md | 51
1 files changed, 51 insertions, 0 deletions
diff --git a/security-blueprint/part-8/1-FOTA.md b/security-blueprint/part-8/1-FOTA.md new file mode 100644 index 0000000..a65a239 --- /dev/null +++ b/security-blueprint/part-8/1-FOTA.md 
@@ -0,0 +1,51 @@ +# Firmware Over The Air + +The firmware update is critical since its alteration back to compromise the +entire system. It is therefore necessary to take appropriate protective measures. +The principle of verifying chain integrity fulfills much of AGL's security. +During a firmware update, it is necessary to update the different signatures to +check the integrity of the system. + +There is also the constraint of the update time: The system must start quickly +and therefore, update itself as quickly. We imagine that the **FOTA** is mainly +used in the vehicle maintenance session (e.g. Garage). We will then use no more + **FOTA** but a wired update. There is a limit to what can be updated wirelessly. + This maintenance update could solve these problems. + +Field upgrades can be achieved securely by using a Secure Loader. This loader +will authenticate an incoming image (USB, Serial, Network) prior to writing it +to the flash memory on the device. It should not be possible to write to flash +from bootloader (U-Boot). Note that because USB support is to be disabled within +the sboot/U-Boot code, the board specific implementation of the Secure Loader +will have to manage the entire USB initialization, enumeration, and read/write +access to the mass storage device. + +<!-- config --> + +Domain | Object | Recommendations +------------- | ----------------------------------------- | --------------- +Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. + +<!-- endconfig --> + +Different possible type of **FOTA**: + +- Package-based like rpm, dpkg: + + - `+` Simple. + - `-` Power-off. + - `-` Dependency. + +- Full file system updates: + + - `+` Robust. + - `-` Tends device-specific. + - `-` Need rsync or similar. + +- Atomic differential: + + - `+` Robust. + - `+` Minimal bandwidth consumption. + - `+` Easy reusable. + - `-` Physically one file system (Corruption -> unbootable system). + - `-` No rollback logic. |
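Review bot: The only requirement this page states, `Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure.`, is not actionable as written; the surrounding prose already names the concrete controls (the Secure Loader authenticates an incoming image from USB, Serial or Network before writing to flash, the bootloader must not be able to write flash, and the signatures used for integrity checking are refreshed during the update), so the config table should spell those out as the recommendation rather than "Must be secure". The "Atomic differential" entry lists "No rollback logic" as a drawback, but no requirement addresses what happens when an update fails or when an older, signed image is reapplied; a rollback/anti-rollback recommendation in the same table would close that gap. Two sentences in the opening paragraphs are hard to follow and should be reworded: "its alteration back to compromise the entire system" (presumably "its alteration can lead to compromise of the entire system") and "We will then use no more **FOTA** but a wired update", which reads as if FOTA is not used at all during garage maintenance, contradicting the sentence before it that says FOTA is mainly used there. Minor: the list items "Tends device-specific" and "Easy reusable" need an article or verb ("Tends to be device-specific", "Easily reusable").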