RAUC v1.0 Released
Four days before Christmas Pengutronix prepared a very special present that probably many of you have been waiting for: The 1.0 version of RAUC!
This finally visibly underlines the maturity RAUC already had in the prior releases.
This v1.0 release adds several enhancements and new features concerning signing and signature handling. One of the most important improvements is the support for passing keys/certificates stored on PKCS#11 tokens (e.g. for using a smart card or HSM). Also the boot selection interface gained several fixes and enhancements, especially concerning the U-Boot integration that now implements the full feature set of obtaining and setting the boot status.
Several extensions of the D-Bus API and some code refactoring now allow 'rauc status' to fully work over D-Bus (if enabled) and finalize the clear separation between client and service.
Another topic that got a lot attention is easing RAUC debugging by providing more targeted debugging and error messages, adding documentation, etc.
It is important to note that also several potential issues for the actual installation process were fixed, e.g. by adding proper fsync() handling, using O_EXCL for opening devices, or by fixing uid/gid handling during tar extraction.
RAUC now also fully supports using file:// URIs and allows to open bundles that have a custom file name extensions for cases where this is really mandatory of any reason.
With the 1.0 release we now also support OpenSSL 1.1.
The rest are 'only' minor new options, bug fixes, documentation updates, typo fixes, etc.
Thanks to all contributors since v0.4: Ahmad Fatoum, Alexander Dahl, Arnaud Rebillout, Bastian Stender, Emmanuel Roullit, Enrico Jörns, Jan Lübbe, Jan Remmet, Jim Brennan, Marcel Hamer, Matthias Bolte, Michael Heimpold, Philip Downer, Philipp Zabel, Rasmus Villemoes, Thomas Petazzoni, Timothy Lee, Ulrich Ölmann, Vyacheslav Yurkov, Yann E. MORIN
Back in 2018, rauc-hawkbit-updater was started by Prevas A/S as a C/GLib port of our rauc-hawkbit Python prototype (also called RAUC hawkBit Client) that was mainly developed for showcases and to serve as a demonstration and evaluation platform for others.
Being able to robustly and securely update embedded systems and IoT devices in the field is a key requirement of every product today. The update framework RAUC is the basis for a modern and future-proof solution. In this showcase we present the basic principles of a fail-safe update system and how Pengutronix can support you with implement this for your platform.
This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.