Difference between revisions of "Secure OTA Update"

From eLinux.org
(13 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Please add your email if you are interested at being involved at the collaboration efforts.
+
= Overview =
 +
A valid software update system on Linux should provide the following elements
 +
* Atomic updates
 +
** Stateless system
 +
* Capable of updating all software
 +
** bootloader
 +
** kernel
 +
** user data / configuration
 +
** rootfs / root file system
 +
* fail-safe, rollback to a previous software state
 +
** boot/update monitoring (watchdog) with boot confirmation
 +
* Secure download and verification of the image
 +
* Easy to use without vendor lock-in
 +
* Trusted
 +
** Compliant with and leverages HW elements (TPM/TEE)
  
BoF: Secure OTA Collaboration Slides: https://goo.gl/1EGWkr
+
= Storage and delivery methods =
 +
* Layered Tarball-based (i.e. [http://docker.com docker])
 +
* File-based (i.e.[https://ostree.readthedocs.io/en/latest/ libostree])
 +
* Chunk-based (i.e. [http://0pointer.net/blog/casync-a-tool-for-distributing-file-system-images.html casync])
 +
* Block-based (i.e. others)
  
Actions:  
+
= Todo =
- Setup mailing list
+
* Develop guidelines / reference implementations for key stories
- initial interest
+
** Secure boot
  - alan (at) opensourcefoundries.com
+
** Trusted execution environment (bootloader update, integrity checks)
  - peter (at) korsgaard.com
+
** Bootloader-driven rootfs image update process (image swap, boot count)
  - ricardo (at) opensourcefoundries.com
+
** Boot firmware update process
 +
** Integration with different Open Source management servers
 +
** Secure software distribution (TUF) implementation
 +
** Watchdog best practices / boot image validation
 +
* Investigate cross-compatibility extensions in existing solutions
 +
** i.e. Mender support in SWUpdate?
 +
** casync (chunk-based image support in AGL
 +
 
 +
= Relevant conference presentations =
 +
* ELC-E 2017
 +
** [https://elinux.org/images/5/51/SWUpdateELCE2017.pdf SWUpdate - Updating an Embedded System]
 +
** [https://elinux.org/images/0/0c/BoF_secure_ota_linux.pdf BoF - Collaborating on secure OTA systems for linux]
 +
** [https://elinux.org/images/6/6d/UF_-_ELCE_2017_Presentation.pdf Orchestrated Android-Style System Upgrades for Embedded Linux]
 +
* FOSDEM 2017
 +
** [https://archive.fosdem.org/2017/schedule/event/secure_safe_embedded_updates/ Secure and Safe Updates for Your Embedded Device (RAUC)]
 +
* [https://uptane.github.io/ Uptane, Automotive-focused update framework]
 +
** [[images/f/f3/How_we_added_software_updates_to_AGL.pdf|How we added software updates to AGL]]
 +
** [http://events.linuxfoundation.org/sites/events/files/slides/OTA%20Updates%20in%20AGL%20Using%20OSTree.pdf OTA Updates in AGL using OSTree]
 +
** [https://www.slideshare.net/leonanavi/software-over-the-air-sota-for-automotive-grade-linux-agl Software over the air for AGL]
 +
* [https://theupdateframework.github.io/ TUF - The update framework]
 +
** NCC security assessments: [https://www.nccgroup.trust/uk/our-research/the-update-framework-tuf-security-assessment/ Kolide TUF Client], [https://www.nccgroup.trust/us/our-research/docker-notary/ Docker Notary], [https://www.nccgroup.trust/uk/our-research/osquery-application-security-assessment-public-report/ osquery]
 +
** [http://events.linuxfoundation.org/sites/events/files/slides/LINUXCON_EU_When%20the%20going%20gets%20tough%2C%20get%20TUF%20going%21.pdf When the going gets tough, get TUF going]
 +
 
 +
= Relevant information =
 +
* [https://www.cncf.io/announcement/2017/10/24/cncf-host-two-security-projects-notary-tuf-specification/ Cloud Native Compute Foundation announces Notary and TUF specification adoption]
 +
* [http://markets.businessinsider.com/news/stocks/Cybersecurity-Protocol-that-Fends-off-Automobile-Hacks-Named-to-Popular-Science-Magazine-s-List-of-Top-100-Technologies-of-the-Year-1004763332 Uptane: One of Popular Science's top 100 technologies of the year]
 +
* [https://ostree.readthedocs.io/en/latest/manual/related-projects ostree's documentation of related projects]
 +
* [https://wiki.yoctoproject.org/wiki/System_Update Update systems listed in the Yocto Project]
 +
 
 +
= Reference implementations =
 +
* AGL has a meta-sota layer that is an implementation - [https://wiki.automotivelinux.org/subsystem/agl-sota/ostree agl-sota]
 +
 
 +
= Other =
 +
* [https://groups.google.com/forum/#!forum/linuxota Mailing list]
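Review bot: The new Todo item "casync (chunk-based image support in AGL" has an unclosed parenthesis; close it as "casync (chunk-based image support) in AGL". Two smaller points in the same hunk: "File-based (i.e.[https://ostree.readthedocs.io/en/latest/ libostree])" lacks the space after "i.e.", and each "(i.e. ...)" in the Storage and delivery methods list introduces an example rather than a definition, so "e.g." is the intended abbreviation. The presentation link "[[images/f/f3/How_we_added_software_updates_to_AGL.pdf|How we added software updates to AGL]]" also uses an internal-link form unlike the neighbouring items, which give full https://elinux.org/images/... URLs; worth checking that it resolves.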

Latest revision as of 17:07, 15 November 2017

Overview

A valid software update system on Linux should provide the following elements:

  • Atomic updates
    • Stateless system
  • Capable of updating all software
    • bootloader
    • kernel
    • user data / configuration
    • rootfs / root file system
  • fail-safe, rollback to a previous software state
    • boot/update monitoring (watchdog) with boot confirmation
  • Secure download and verification of the image
  • Easy to use without vendor lock-in
  • Trusted
    • Compliant with and leverages HW elements (TPM/TEE)

Storage and delivery methods

  • Layered tarball-based (e.g. docker)
  • File-based (e.g. libostree)
  • Chunk-based (e.g. casync)
  • Block-based (other tools)

Todo

  • Develop guidelines / reference implementations for key stories
    • Secure boot
    • Trusted execution environment (bootloader update, integrity checks)
    • Bootloader-driven rootfs image update process (image swap, boot count)
    • Boot firmware update process
    • Integration with different Open Source management servers
    • Secure software distribution (TUF) implementation
    • Watchdog best practices / boot image validation
  • Investigate cross-compatibility extensions in existing solutions
    • e.g. Mender support in SWUpdate?
    • casync (chunk-based image support) in AGL
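The "fail-safe, rollback" requirement with boot confirmation (Overview) and the "Bootloader-driven rootfs image update process (image swap, boot count)" story (Todo) come together in one small state machine. The following is an added example, not code from this page or from any of the projects it lists; the bootstate_t layout and the function names are hypothetical, and a real bootloader would keep this state in non-volatile storage and verify each image's signature before jumping to it.

```c
/* Added example (hypothetical names): A/B slot selection with a boot-try
 * budget and explicit boot confirmation, as run by a bootloader before the
 * kernel is loaded. Not taken from any project on the eLinux page. */
#include <stdbool.h>
#include <stdint.h>

#define MAX_BOOT_TRIES 3   /* attempts an unconfirmed image gets before rollback */

typedef enum { SLOT_A = 0, SLOT_B = 1 } slot_t;

typedef struct {
    slot_t  active;        /* slot the bootloader tries first */
    uint8_t tries_left;    /* decremented on every attempt to boot an unconfirmed slot */
    bool    confirmed;     /* set by userspace after the new rootfs passed its health checks */
} bootstate_t;

static slot_t other_slot(slot_t s) { return (s == SLOT_A) ? SLOT_B : SLOT_A; }

/* Updater side: the new image is fully written (and verified) in the inactive
 * slot; make it active with a fresh try budget and no confirmation yet. */
void bootstate_commit_update(bootstate_t *s) {
    s->active = other_slot(s->active);
    s->tries_left = MAX_BOOT_TRIES;
    s->confirmed = false;
}

/* Bootloader side: returns the slot to boot and updates the state, which must
 * be written back to storage before jumping to the kernel. A confirmed slot
 * boots unconditionally; an unconfirmed slot consumes one try, and when the
 * budget is exhausted the bootloader rolls back to the other slot, which was
 * confirmed before the update was committed. */
slot_t select_boot_slot(bootstate_t *s) {
    if (s->confirmed)
        return s->active;
    if (s->tries_left == 0) {
        s->active = other_slot(s->active);   /* rollback to the known-good image */
        s->confirmed = true;
        return s->active;
    }
    s->tries_left--;   /* a watchdog reset mid-boot leaves this decrement in place */
    return s->active;
}

/* Userspace side: called only once the system's own checks pass (services up,
 * connectivity, ...). Until then a hung boot keeps consuming tries, so a bad
 * image that trips the watchdog is rolled back without operator intervention. */
void bootstate_confirm(bootstate_t *s) {
    s->confirmed = true;
    s->tries_left = MAX_BOOT_TRIES;
}
```

The tries counter is decremented before the kernel runs, not after, so an image that hangs or panics still counts as a failed attempt.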

Relevant conference presentations

  • ELC-E 2017
    • SWUpdate - Updating an Embedded System: https://elinux.org/images/5/51/SWUpdateELCE2017.pdf
    • BoF - Collaborating on secure OTA systems for Linux: https://elinux.org/images/0/0c/BoF_secure_ota_linux.pdf
    • Orchestrated Android-Style System Upgrades for Embedded Linux: https://elinux.org/images/6/6d/UF_-_ELCE_2017_Presentation.pdf
  • FOSDEM 2017
    • Secure and Safe Updates for Your Embedded Device (RAUC): https://archive.fosdem.org/2017/schedule/event/secure_safe_embedded_updates/
  • Uptane, automotive-focused update framework: https://uptane.github.io/
    • How we added software updates to AGL: images/f/f3/How_we_added_software_updates_to_AGL.pdf
    • OTA Updates in AGL using OSTree: http://events.linuxfoundation.org/sites/events/files/slides/OTA%20Updates%20in%20AGL%20Using%20OSTree.pdf
    • Software over the air for AGL: https://www.slideshare.net/leonanavi/software-over-the-air-sota-for-automotive-grade-linux-agl
  • TUF - The Update Framework: https://theupdateframework.github.io/
    • NCC security assessments: Kolide TUF Client (https://www.nccgroup.trust/uk/our-research/the-update-framework-tuf-security-assessment/), Docker Notary (https://www.nccgroup.trust/us/our-research/docker-notary/), osquery (https://www.nccgroup.trust/uk/our-research/osquery-application-security-assessment-public-report/)
    • When the going gets tough, get TUF going: http://events.linuxfoundation.org/sites/events/files/slides/LINUXCON_EU_When%20the%20going%20gets%20tough%2C%20get%20TUF%20going%21.pdf

Relevant information

  • Cloud Native Compute Foundation announces Notary and TUF specification adoption: https://www.cncf.io/announcement/2017/10/24/cncf-host-two-security-projects-notary-tuf-specification/
  • Uptane: one of Popular Science's top 100 technologies of the year: http://markets.businessinsider.com/news/stocks/Cybersecurity-Protocol-that-Fends-off-Automobile-Hacks-Named-to-Popular-Science-Magazine-s-List-of-Top-100-Technologies-of-the-Year-1004763332
  • ostree's documentation of related projects: https://ostree.readthedocs.io/en/latest/manual/related-projects
  • Update systems listed in the Yocto Project: https://wiki.yoctoproject.org/wiki/System_Update

Reference implementations

  • AGL has a meta-sota layer that is an implementation: agl-sota (https://wiki.automotivelinux.org/subsystem/agl-sota/ostree)

Other

  • Mailing list: https://groups.google.com/forum/#!forum/linuxota