From: Adrien Martin
Date: Thu, 5 Sep 2019 12:17:11 +0000
Subject: Re: [RAUC] [Yocto] Rauc certificate expiration management advices
To: Thorsten Scherer
Cc: Patrick Boettcher, rauc@pengutronix.de, meta-rauc@pengutronix.de

Hello Thorsten,

Thank you for your response, this confirms what we have also found in our research in the meantime.

We will find a better security key/certs management in the coming future to overcome this kind of problem.

Best regards,

Adrien MARTIN
Embedded Systems Engineer
STIMIO
adrien.martin@stimio.fr
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr

-----Original Message-----
From: Thorsten Scherer
Sent: Tuesday, 3 September 2019 23:44
To: Adrien Martin
Cc: rauc@pengutronix.de; meta-rauc@pengutronix.de; Patrick Boettcher
Subject: Re: [RAUC] [Yocto] Rauc certificate expiration management advices

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
>
> My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in general.
>
> I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky)
>
> Following the documentation, you need to set:
>
> * RAUC_KEY_FILE = "path/to/key.pem" # What I call the private key
> * RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
>
> As a result, when generating your image and bundle, you get:
>
> * A linux image with /etc/rauc/cert.pem integrated to your rootfs
> * A signed bundle with the key.pem
>
> My problem is what happens when the certificate is expired?
>
> My initial thought was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
> Then, I generate the bundle via Yocto and try to install it.
>
> This doesn't work and gives me:
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
>
> It looks like a bundle can only be used with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.
>
> Could you explain to me what I am missing? What method do you recommend to manage certificate expirations over time?

I guess you're trying to replace the expired certificate in a "Single Key" scenario, which is not possible [1]. The documentation lists some other variants, though I am not sure which one applies best to your use-case (maybe install hooks??).

>
> Thank you very much.
>
> Best regards,
>
> Adrien MARTIN
> Embedded Systems Engineer
> STIMIO
> adrien.martin@stimio.fr
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
> www.stimio.fr
>
> _______________________________________________
> RAUC mailing list

Best regards,
Thorsten

[1] https://rauc.readthedocs.io/en/latest/advanced.html#single-key

--
Thorsten Scherer
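The "self signed certificate" failure in the quoted log, and the single-key versus CA keyring distinction behind Thorsten's answer, reproduced with plain openssl as an added example (not from this thread or the RAUC project). It assumes openssl is installed; every file name and subject is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the RAUC project): models RAUC's CMS bundle
# signature check with plain openssl. A signer cert re-issued from the same key is
# rejected by a single-key keyring; a CA keyring accepts a rotated signer cert.
# Assumes openssl is installed; file names and subjects are constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'constructed bundle manifest\n' > manifest

# Detached CMS signature over the manifest, as RAUC produces for a bundle.
sign_bundle() { # $1 = signer cert, $2 = signer key, $3 = signature file
  openssl cms -sign -binary -in manifest -signer "$1" -inkey "$2" \
    -outform DER -out "$3" 2>/dev/null
}
# Verify against a keyring (the role of the cert shipped in /etc/rauc/ on the
# device). Returns 0 only when the signer chains to a cert in the keyring.
verify_bundle() { # $1 = keyring, $2 = signature file
  openssl cms -verify -binary -inform DER -in "$2" -content manifest \
    -CAfile "$1" -out /dev/null 2>/dev/null
}

# Single-key scenario: the keyring is the self-signed signer cert itself.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout single.key \
  -out single-1.pem -subj /CN=single -days 30 2>/dev/null
# "Renewal" attempt: a new self-signed cert from the same private key.
openssl req -new -x509 -key single.key -out single-2.pem \
  -subj /CN=single -days 30 2>/dev/null
sign_bundle single-1.pem single.key bundle-single-1.sig
sign_bundle single-2.pem single.key bundle-single-2.sig

# CA scenario: the keyring is a CA cert; signer certs are issued from it.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=constructed-ca -days 365 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout release.key \
  -out release.csr -subj /CN=release 2>/dev/null
openssl x509 -req -in release.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
  -out release-1.pem -days 30 2>/dev/null
# Rotation: a fresh cert for the same signer key, issued by the same CA.
openssl x509 -req -in release.csr -CA ca.pem -CAkey ca.key -set_serial 2 \
  -out release-2.pem -days 30 2>/dev/null
sign_bundle release-1.pem release.key bundle-ca-1.sig
sign_bundle release-2.pem release.key bundle-ca-2.sig

report() { # $1 = label, $2 = keyring, $3 = signature file
  if verify_bundle "$2" "$3"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}
report "single-key, original cert " single-1.pem bundle-single-1.sig # accepted
report "single-key, re-issued cert" single-1.pem bundle-single-2.sig # REJECTED
report "CA keyring, signer cert 1 " ca.pem bundle-ca-1.sig           # accepted
report "CA keyring, signer cert 2 " ca.pem bundle-ca-2.sig           # accepted
```

The second report line is the situation in the thread: the device keyring still holds the old self-signed cert, so a bundle signed with a re-issued self-signed cert cannot chain to anything it trusts, whereas a CA keyring lets signer certificates be renewed without touching the rootfs.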