X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;ds=inline;f=docs%2F2_Architecture_Guides%2F2_Security_Blueprint%2F8_Update_OTA.md;fp=docs%2F2_Architecture_Guides%2F2.2_Security_Blueprint%2F8_Update_%28Over_The_Air%29%2F1.2.8.0_Abstract.md;h=60ae8e451fb556a338a90edb25d15ea65e10bfa6;hb=65bd017e8b8f9a06008266de46303c88a9ac51c8;hp=cd47ed01a486dc899be5cad76076d34233e66dc1;hpb=7d32dd28e9b9fa97dd43bed13fb3050eb7ff8b3d;p=AGL%2Fdocumentation.git diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/8_Update_(Over_The_Air)/1.2.8.0_Abstract.md b/docs/2_Architecture_Guides/2_Security_Blueprint/8_Update_OTA.md similarity index 59% rename from docs/2_Architecture_Guides/2.2_Security_Blueprint/8_Update_(Over_The_Air)/1.2.8.0_Abstract.md rename to docs/2_Architecture_Guides/2_Security_Blueprint/8_Update_OTA.md index cd47ed0..60ae8e4 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/8_Update_(Over_The_Air)/1.2.8.0_Abstract.md +++ b/docs/2_Architecture_Guides/2_Security_Blueprint/8_Update_OTA.md @@ -1,11 +1,7 @@ --- -title: Introduction +title: Update (Over The Air) --- -# Part 8 - Update (**OTA**) - -## Abstract - Updating applications and firmware is essential for the development of new features and even more to fix security bugs. However, if a malicious third party manages to alter the content during transport, it could alter the functioning of 
@@ -92,3 +88,67 @@ _MITM_ | **M**an **I**n **T**he **M**iddle _OTA_ | **O**ver **T**he **A**ir _SOTA_ | **S**oftware **O**ver **T**he **A**ir _TUF_ | **T**he **U**pdate **F**ramework + +# Firmware Over The Air + +The firmware update is critical since its alteration back to compromise the +entire system. It is therefore necessary to take appropriate protective +measures. + +AGL includes the _meta-updater_ Yocto layer that enables OTA software updates +via [Uptane](https://uptane.github.io), an automotive-specific extension to [The +Update Framework](https://theupdateframework.github.io/). Uptane and TUF are +open standards that define a secure protocol for delivering and verifying +updates even when the servers and network--internet and car-internal--aren't +fully trusted. + +_meta-updater_ includes the application +[`aktualizr`](https://github.com/advancedtelematic/aktualizr), developed +Advanced Telematic Systems (now part of HERE Technologies) that enables OTA for +an ECU. `aktualizr` combined with Uptane is suitable for updating the firmware, +software, and other packages on even functionally critical ECUs. `aktualizr` can +be enabled with the free, open souce backend +[`ota-community-edition`](https://github.com/advancedtelematic/ota-community-edition). + +This FOTA update mechanism can be enabled through the `agl-sota` feature. + +## Building + +To build an AGL image that uses `aktualizr`, the following can be used. + +``` +source meta-agl/scripts/aglsetup.sh -m agl-sota +``` + +During the build, _meta-updater_ will use credentials downloaded from +`ota-community-edition` to sign metadata verifying the build as authentic. These +signatures are part of the Uptane framework and are used to verify FOTA updates. + +## Atomic Upgrades with Rollbacks + +`aktualizr`'s primary method of updating firmware is to use `libostree` with +binary diffs. 
The binary diffs use the least amout of bandwidth, and by it's +nature `libostree` stores current and previous firmware versions on disk or in +flash memory to allow for rollbacks. + +`libostree` is a content addressable object store much like `git`. Versions are +specified via SHA2-256. These hashes are signed in the Uptane metadata and are +robust against cryptographic compromise. + +# Software Over The Air + +Software updates in connected vehicles are a very useful feature, which can +deliver significant benefits. If not implemented with security in mind, software +updates can incur serious vulnerabilities. Any software update system must +ensure that not only are the software updates to devices done in a secure way, +but also that the repositories and servers hosting these updates are adequately +protected. As the process of updating software migrates from a Dealership update +model towards an **OTA** update model, securing these processes becomes a high +priority. + +**SOTA** is made possible by **AppFw** (See Platform part). It will be possible +to manage in a simple way the packets (i.g. Android like). + +Domain | Improvement +------------- | ----------------- +Update-SOTA-1 | Part to complete. \ No newline at end of file
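Review bot: In the first hunk, dropping both `# Part 8 - Update (**OTA**)` and `## Abstract` leaves the page depending entirely on the front-matter `title: Update (Over The Air)` for its heading; that is fine if the site generator renders the front-matter title as the H1, but otherwise the abstract paragraph now sits under no heading at all and reads as the whole page body, so confirm the renderer behaviour before merging.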
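Review bot: In the second hunk, the claim "These hashes are signed in the Uptane metadata and are robust against cryptographic compromise" overstates what a signed SHA-256 digest provides; suggest rewording to what the mechanism actually guarantees, e.g. "These hashes are signed in the Uptane metadata, so a modified image or a substituted image is detected when the ECU verifies the metadata." In the same spirit, the rollback paragraph ("stores current and previous firmware versions on disk or in flash memory to allow for rollbacks") should distinguish operator-initiated recovery to a known-good version from rollback attacks, which Uptane is specifically designed to prevent by rejecting metadata and targets with a lower version than the ECU has already installed; as written, a reader could take "allow for rollbacks" as a weakness rather than a feature. Several wording defects also need fixing before this lands: "its alteration back to compromise the entire system" does not parse (likely "its alteration can compromise the entire system"); "developed Advanced Telematic Systems" is missing "by"; "amout", "it's nature" and "open souce" should read "amount", "its nature" and "open source"; "packets (i.g. Android like)" should read "packages (e.g. Android-like)". The fenced block around `source meta-agl/scripts/aglsetup.sh -m agl-sota` has no language tag, so tagging it as shell would keep it consistent with highlighted blocks elsewhere. Finally, the SOTA table ends in the placeholder row "Update-SOTA-1 | Part to complete." and the file has no trailing newline ("\ No newline at end of file"); the placeholder should either be filled in or clearly marked as TODO so it is not published as a finished requirement, and the newline should be added.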