OSADL Networking Day 2017
In the last talk before lunch, my colleague Enrico Jörns talked about the RAUC (Robust Auto Update Controller) framework.
While customers might disagree, the most important reason for updating is deploying security updates and bugfixes, not features. Updating should be as robust as possible; unattended updates should not brick your device. In addition, unauthorized modification should be avoided. Often people start with a shell script (well, there is never enough time to develop an update system, right?), but over the time it turned out that this also often misses a lot of important corner cases regarding NAND handling, sudden power loss, out-of-memory situations etc. An updating concept always starts with a controlled environment (i.e. Yocto, PTXdist, Buildroot) and a lot of (mostly automated) testing of the generated root filesystem. Then you need to verify identity, both of the device (is it the right image for it?) and of the update service (is this authorized to update this device?). In order to achieve atomicity, RAUC makes use of redundancy. A+B scenarios have the advantage that it is really robust (you can fallback if something goes wrong), but needs enough space for two systems. One of the design criteria for RAUC was that it is designed as a framework, so you can use it with many different bootloaders (Barebox, U-Boot, Grub), media (USB stick, NAND, eMMC, ...). RAUC contains an update daemon that runs on the device under Linux, plus a D-Bus connected command line tool to talk to RAUC. Updates are put into bundles (compressed and mountable squashfs) which are signed with X.509 signatures and can basically contain anything. Bundles contain things to put into slots (i.e. rootfs, app-fs, bootloader). Enrico outlined that RAUC also supports different integrity mechanisms (IMA/EVM, DM-Verity), even those where files are re-hashed with a key which is only available on the target. Finally, RAUC can be integrated with the Hawkbit deployment server. For integration, there is meta-rauc for Yocto, and it is also integrated in PTXdist mainline.
Back in 2018, rauc-hawkbit-updater was started by Prevas A/S as a C/GLib port of our rauc-hawkbit Python prototype (also called RAUC hawkBit Client) that was mainly developed for showcases and to serve as a demonstration and evaluation platform for others.
Being able to robustly and securely update embedded systems and IoT devices in the field is a key requirement of every product today. The update framework RAUC is the basis for a modern and future-proof solution. In this showcase we present the basic principles of a fail-safe update system and how Pengutronix can support you with implement this for your platform.
This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.
On June, 27th, while the sun was relentlessly heating up Germany as hardly every before, above 50 employees from many companies came together in a well air-conditioned room in the TP ConferenceCenter in Heidelberg. All operating in different fields of application but all involved in embedded systems and all interested to learn something new about security and deploying software updates.