OSADL Networking Day 2017

Robert Schwebel | | OSADL, RAUC

In the last talk before lunch, my colleague Enrico Jörns talked about the RAUC (Robust Auto Update Controller) framework.

While customers might disagree, the most important reason for updating is deploying security updates and bugfixes, not features. Updating should be as robust as possible; unattended updates should not brick your device. In addition, unauthorized modification should be avoided. Often people start with a shell script (well, there is never enough time to develop an update system, right?), but over time it turns out that this approach often misses a lot of important corner cases regarding NAND handling, sudden power loss, out-of-memory situations etc.

An updating concept always starts with a controlled environment (e.g. Yocto, PTXdist, Buildroot) and a lot of (mostly automated) testing of the generated root filesystem. Then you need to verify identity, both of the device (is it the right image for it?) and of the update service (is this authorized to update this device?).

In order to achieve atomicity, RAUC makes use of redundancy. A+B scenarios have the advantage of being really robust (you can fall back if something goes wrong), but they need enough space for two systems. One of the design criteria for RAUC was that it is a framework, so you can use it with many different bootloaders (Barebox, U-Boot, Grub) and media (USB stick, NAND, eMMC, ...).

RAUC contains an update daemon that runs on the device under Linux, plus a command line tool that talks to the daemon via D-Bus. Updates are put into bundles (compressed and mountable squashfs images) which are signed with X.509 signatures and can basically contain anything. Bundles contain things to put into slots (e.g. rootfs, app-fs, bootloader). Enrico outlined that RAUC also supports different integrity mechanisms (IMA/EVM, DM-Verity), even those where files are re-hashed with a key which is only available on the target.

Finally, RAUC can be integrated with the Hawkbit deployment server. For integration, there is meta-rauc for Yocto, and it is also integrated in PTXdist mainline.
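To show how these concepts map onto a device, here is a minimal RAUC `system.conf` for an A+B setup on eMMC with Barebox. It is an added example, not taken from the talk or from the original post; the compatible string, the device paths, the `appfs` slot class name and the keyring location are assumed placeholder values.

```ini
# Assumed example values: compatible string, device paths and keyring
# location are placeholders, not taken from the talk.

[system]
# Device identity: a bundle built for a different compatible is rejected
compatible=example-board-v1
# Bootloader integration RAUC uses to mark slots and switch the boot target
bootloader=barebox

[keyring]
# CA certificate(s) the X.509 signature of a bundle must chain to
path=/etc/rauc/ca.cert.pem

# A+B: two redundant rootfs slots; an update is written to the inactive one
[slot.rootfs.0]
device=/dev/mmcblk0p1
type=ext4
bootname=system0

[slot.rootfs.1]
device=/dev/mmcblk0p2
type=ext4
bootname=system1

# Application filesystems, each tied to its rootfs slot via parent=
[slot.appfs.0]
device=/dev/mmcblk0p3
type=ext4
parent=rootfs.0

[slot.appfs.1]
device=/dev/mmcblk0p5
type=ext4
parent=rootfs.1
```

With this layout a failed or interrupted installation only touches the inactive slot group, so the running system stays bootable.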


Further Readings

rauc-hawkbit-updater v1.0 Released

Back in 2018, rauc-hawkbit-updater was started by Prevas A/S as a C/GLib port of our rauc-hawkbit Python prototype (also called RAUC hawkBit Client) that was mainly developed for showcases and to serve as a demonstration and evaluation platform for others.


Showcase: Fail-Safe (OTA) Field Updating

Enrico Jörns | | didyouknow, rauc

Being able to robustly and securely update embedded systems and IoT devices in the field is a key requirement of every product today. The update framework RAUC is the basis for a modern and future-proof solution. In this showcase we present the basic principles of a fail-safe update system and how Pengutronix can support you with implementing this for your platform.


RAUC v1.5 Released

Jan Lübbe, Enrico Jörns | | RAUC

This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.


CERT@VDE Innovation Workshop

Enrico Jörns | | Event, OSADL, RAUC, CERT@VDE

On June 27th, while the sun was relentlessly heating up Germany as hardly ever before, more than 50 employees from many companies came together in a well air-conditioned room in the TP ConferenceCenter in Heidelberg. All operating in different fields of application but all involved in embedded systems and all interested to learn something new about security and deploying software updates.



OSADL Networking Day 2018

Robert Schwebel | | Event, OSADL

Today, Pengutronix engineers Jan Lübbe, Enrico Jörns and Robert Schwebel joined the OSADL Networking Day in Heidelberg. Here is my report about the morning session with the technical talks.