Diffstat (limited to 'security-blueprint')
-rw-r--r-- security-blueprint/part-8/0_Abstract.md | 4
-rw-r--r-- security-blueprint/part-8/1-FOTA.md | 64
2 files changed, 30 insertions, 38 deletions
diff --git a/security-blueprint/part-8/0_Abstract.md b/security-blueprint/part-8/0_Abstract.md index daeaa6f..1e7bf6b 100644 --- a/security-blueprint/part-8/0_Abstract.md +++ b/security-blueprint/part-8/0_Abstract.md @@ -4,7 +4,8 @@ Updating applications and firmware is essential for the development of new features and even more to fix security bugs. -However, if a malicious third party manages to divert its first use, it could +However, if a malicious third party manages to alter the content during +transport, it could alter the functioning of the system and/or applications. The security of the updates is therefore a critical point to evaluate in order to guarantee the integrity, the confidentiality and the legitimacy of the transmitted data. @@ -20,3 +21,4 @@ Acronyms or Abbreviations | Description _FOTA_ | **F**irmware **O**ver **T**he **A**ir _OTA_ | **O**ver **T**he **A**ir _SOTA_ | **S**oftware **O**ver **T**he **A**ir +_TUF_ | **T**he **U**pdate **F**ramework diff --git a/security-blueprint/part-8/1-FOTA.md b/security-blueprint/part-8/1-FOTA.md index add068e..3d7f58e 100644 --- a/security-blueprint/part-8/1-FOTA.md +++ b/security-blueprint/part-8/1-FOTA.md 
@@ -2,50 +2,40 @@ The firmware update is critical since its alteration back to compromise the entire system. It is therefore necessary to take appropriate protective measures. -The principle of verifying chain integrity fulfills much of AGL's security. -During a firmware update, it is necessary to update the different signatures to -check the integrity of the system. -There is also the constraint of the update time: The system must start quickly -and therefore, update itself as quickly. We imagine that the **FOTA** is mainly -used in the vehicle maintenance session (e.g. Garage). We will then use no more - **FOTA** but a wired update. There is a limit to what can be updated wirelessly. - This maintenance update could solve these problems. +AGL includes the _meta-updater_ Yocto layer that enables OTA software +updates via [Uptane](https://uptane.github.io), an automotive-specific extension +to [The Update Framework](https://theupdateframework.github.io/). Uptane and TUF +are open standards that define a secure protocol for delivering and verifying +updates even when the servers and network--internet and car-internal--aren't fully trusted. -Field upgrades can be achieved securely by using a Secure Loader. This loader -will authenticate an incoming image (USB, Serial, Network) prior to writing it -to the flash memory on the device. It should not be possible to write to flash -from bootloader (U-Boot). Note that because USB support is to be disabled within -the sboot/U-Boot code, the board specific implementation of the Secure Loader -will have to manage the entire USB initialization, enumeration, and read/write -access to the mass storage device. +_meta-updater_ includes the application [`aktualizr`](https://github.com/advancedtelematic/aktualizr), +developed Advanced Telematic Systems (now part of HERE Technologies) that enables +OTA for an ECU. 
`aktualizr` combined with Uptane is suitable for updating the +firmware, software, and other packages on even functionally critical ECUs. +`aktualizr` can be enabled with the free, open souce backend +[`ota-community-edition`](https://github.com/advancedtelematic/ota-community-edition). -<!-- section-config --> +This FOTA update mechanism can be enabled through the `agl-sota` feature. -Domain | Object | Recommendations -------------- | ----------------------------------------- | --------------- -Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. +## Building -<!-- end-section-config --> +To build an AGL image that uses `aktualizr`, the following can be used. -Different possible type of **FOTA**: +``` +source meta-agl/scripts/aglsetup.sh -m <machine> agl-sota <other-features...> +``` -- Package-based like rpm, dpkg: +During the build, _meta-updater_ will use credentials downloaded from `ota-community-edition` +to sign metadata verifying the build as authentic. These signatures are part of the Uptane +framework and are used to verify FOTA updates. - - `+` Simple. - - `-` Power-off. - - `-` Dependency. +## Atomic Upgrades with Rollbacks -- Full file system updates: +`aktualizr`'s primary method of updating firmware is to use `libostree` with binary diffs. +The binary diffs use the least amout of bandwidth, and by it's nature `libostree` stores +current and previous firmware versions on disk or in flash memory to allow for rollbacks. - - `+` Robust. - - `-` Tends device-specific. - - `-` Need rsync or similar. - -- Atomic differential: - - - `+` Robust. - - `+` Minimal bandwidth consumption. - - `+` Easy reusable. - - `-` Physically one file system (Corruption -> unbootable system). - - `-` No rollback logic. +`libostree` is a content addressable object store much like `git`. Versions are specified +via SHA2-256. These hashes are signed in the Uptane metadata and are robust against +cryptographic compromise. |
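Review bot: in the first 0_Abstract.md hunk (@@ -4,7 +4,8 @@), the new wording "alter the content during transport" narrows the threat to the network path only, while the sentence that follows still asks for integrity, confidentiality and legitimacy of the transmitted data, and the new 1-FOTA.md text motivates Uptane precisely because the servers as well as the network are not fully trusted. Suggest wording that covers both cases, for example "manages to alter the update content, at the source or in transit, it could".

Review bot: in the second 0_Abstract.md hunk (@@ -20,3 +21,4 @@), the acronym table gains _TUF_ but not _ECU_, which the new 1-FOTA.md text uses ("enables OTA for an ECU") without expansion. Suggest adding a row such as "_ECU_ | **E**lectronic **C**ontrol **U**nit" so every abbreviation introduced by this change is defined.

Review bot: the 1-FOTA.md hunk (@@ -2,50 +2,40 @@) removes the `<!-- section-config -->` block carrying the Update-FOTA-1 recommendation ("Integrity, confidentiality and legitimacy | Must be secure") without replacing it; the other parts of the blueprint rely on these blocks for their recommendation tables, so the requirement should stay (or be reworded to reference Uptane/TUF verification) rather than be dropped. The closing sentence "These hashes are signed in the Uptane metadata and are robust against cryptographic compromise" overstates the guarantee: a signature over a SHA-256 object hash is only as strong as the signing keys, and Uptane's resilience to key compromise comes from its separated roles, threshold signatures and key rotation, so suggest saying that explicitly instead of the blanket claim. The dropped paragraph on the Secure Loader and on flash not being writable from the bootloader is also not carried over anywhere; if that guidance is no longer wanted, the commit message should say why. Finally, typos in the added lines: "developed Advanced Telematic Systems" (missing "by"), "open souce", "least amout of bandwidth", and "by it's nature" (should be "its").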