Date: Tue, 3 Sep 2019 23:44:06 +0200
From: Thorsten Scherer
Message-ID: <20190903214354.5jojdbwmbx3lnlti@tuxx.tk-scherer.de>
Subject: Re: [meta-rauc] [RAUC] [Yocto] Rauc certificate expiration management advices
To: Adrien Martin
Cc: Patrick Boettcher, rauc@pengutronix.de, meta-rauc@pengutronix.de

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
>
> My name is Adrien Martin, embedded system engineer at STIMIO, and I am facing an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in general.
>
> I am using Rauc (v0.4, quite old I admit) for an embedded Linux system (imx6ul) with the barebox bootloader; all images / bundles are generated via Yocto (Poky).
>
> Following the documentation, you need to set:
>
> * RAUC_KEY_FILE = "path/to/key.pem"    # What I call the private key
> * RAUC_CERT_FILE = "path/to/cert.pem"  # What I call the certificate (public key)
>
> As a result, when generating your image and bundle, you get:
>
> * A Linux image with /etc/rauc/cert.pem integrated into your rootfs
> * A bundle signed with the key.pem
>
> My problem is: what happens when the certificate has expired?
>
> My initial thought was that I just have to generate a new cert.pem, based on the same private key.pem, with a new valid lifetime period, and set up this new cert in the Yocto recipe.
> Then I generate the bundle via Yocto and try to install it.
>
> This doesn't work and gives me:
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
>
> It looks like a bundle can only be used with the cert file set in the Yocto recipe. This bundle will keep this cert file in the /etc/rauc/ folder, so all future bundle installations will need the exact same certificate.
>
> Could you explain to me what I am missing? What method do you recommend to manage certificate expiration over time?

I guess you're trying to replace the expired certificate in a "Single Key"
scenario, which is not possible [1]. The documentation lists some other
variants, though I am not sure which one applies best to your use-case
(maybe install hooks??).

> Thank you very much.
>
> Best regards,
>
> Adrien MARTIN
> Embedded Systems Engineer, STIMIO
> adrien.martin@stimio.fr
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
> www.stimio.fr
>
> _______________________________________________
> RAUC mailing list

Best regards,
Thorsten

[1] https://rauc.readthedocs.io/en/latest/advanced.html#single-key

-- 
Thorsten Scherer
_______________________________________________
meta-rauc mailing list
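Editor's note, added to this archived thread and not part of either author's message: the failure Adrien reports can be reproduced with plain openssl, because a RAUC bundle carries an OpenSSL CMS signature that the device verifies against its keyring (in the single-key setup, the pinned /etc/rauc/cert.pem). The script below is an added example, not RAUC's or the project's code. It signs a constructed payload with a self-signed certificate, verifies it against a keyring holding that certificate, then re-issues a fresh self-signed certificate from the same private key (the attempted fix from the thread) and shows that OpenSSL rejects it with the "self signed certificate" error: a self-signed leaf must match the trust anchor exactly, and a re-issued certificate is a different certificate even though the key did not change. It also includes the expiry check a fleet operator would run ahead of time so the keyring is rotated before it lapses. File names, the 2048-bit RSA key, the subject name and the 30-day warning window are assumptions for the demo; everything is created in a temporary directory and no device is touched.

```shell
#!/bin/sh
# Added demonstration (not RAUC's own code): reproduce RAUC-style CMS bundle
# verification with openssl, show why a re-issued self-signed certificate is
# rejected by a keyring that pins the original one, and check remaining
# certificate lifetime. All artefacts live in a temporary directory.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; demo skipped" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private key for the whole demo (the thread's key.pem / RAUC_KEY_FILE).
# 2048-bit RSA is an assumption made for the example.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# issue_cert OUT DAYS: self-signed certificate for key.pem, valid for DAYS days.
# This corresponds to RAUC_CERT_FILE, which ends up as /etc/rauc/cert.pem.
issue_cert() {
    openssl req -x509 -new -key "$WORK/key.pem" -days "$2" \
        -subj "/CN=demo-update-signer" -out "$1" 2>/dev/null
}

# sign_payload PAYLOAD CERT OUT: detached CMS signature in DER form, the
# kind of signature a RAUC bundle carries.
sign_payload() {
    openssl cms -sign -binary -in "$1" -signer "$2" -inkey "$WORK/key.pem" \
        -outform DER -out "$3" 2>/dev/null
}

# verify_payload PAYLOAD SIG KEYRING: prints "ok" when the signature chains
# to a certificate in KEYRING, "fail" otherwise (the device-side check).
verify_payload() {
    if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# expires_within CERT DAYS: exit status 0 if CERT expires within DAYS days
# (or is already expired), 1 if it stays valid beyond that window. This is
# the monitoring check to run so the keyring is rotated before it lapses.
expires_within() {
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# --- the scenario from the thread, on a constructed payload ----------------
printf 'constructed bundle payload\n' > "$WORK/bundle.bin"

# Certificate #1 is the one baked into the rootfs as /etc/rauc/cert.pem.
issue_cert "$WORK/cert1.pem" 365
cp "$WORK/cert1.pem" "$WORK/keyring.pem"

# A bundle signed with cert1 verifies against the pinned keyring.
sign_payload "$WORK/bundle.bin" "$WORK/cert1.pem" "$WORK/sig1.der"
RESULT_SAME_CERT=$(verify_payload "$WORK/bundle.bin" "$WORK/sig1.der" "$WORK/keyring.pem")

# Re-issue a fresh self-signed certificate from the *same* key. It is a
# different certificate, so the pinned keyring does not trust it and OpenSSL
# reports "self signed certificate", exactly as rauc did in the thread.
issue_cert "$WORK/cert2.pem" 365
sign_payload "$WORK/bundle.bin" "$WORK/cert2.pem" "$WORK/sig2.der"
RESULT_NEW_CERT=$(verify_payload "$WORK/bundle.bin" "$WORK/sig2.der" "$WORK/keyring.pem")

# Lifetime check: a certificate issued for one day trips a 30-day warning,
# the 365-day one does not.
issue_cert "$WORK/short.pem" 1
if expires_within "$WORK/short.pem" 30; then SHORT_WARNS=yes; else SHORT_WARNS=no; fi
if expires_within "$WORK/cert1.pem" 30; then LONG_WARNS=yes; else LONG_WARNS=no; fi

echo "bundle signed with pinned cert:      $RESULT_SAME_CERT"
echo "bundle signed with re-issued cert:   $RESULT_NEW_CERT"
echo "1-day cert expires within 30 days:   $SHORT_WARNS"
echo "365-day cert expires within 30 days: $LONG_WARNS"
```

The second verification fails for the reason Thorsten points to: in the single-key setup the device trusts one exact certificate, so the only way to keep signing after it expires is a scheme in which the keyring holds something longer-lived than the signing certificate, such as the CA-based variants the linked documentation describes. The `expires_within` check is what turns "the certificate expired and updates stopped" into a scheduled rotation.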