From: Adrien Martin <adrien.martin@stimio.fr>
To: "rauc@pengutronix.de" <rauc@pengutronix.de>,
"meta-rauc@pengutronix.de" <meta-rauc@pengutronix.de>
Cc: Patrick Boettcher <patrick.boettcher@stimio.fr>
Subject: [RAUC] [Yocto] Rauc certificate expiration management advices
Date: Wed, 14 Aug 2019 15:56:07 +0000 [thread overview]
Message-ID: <DB8PR05MB605958E2F1FE8B3E06812D56F3AD0@DB8PR05MB6059.eurprd05.prod.outlook.com> (raw)
[-- Attachment #1.1.1: Type: text/plain, Size: 1973 bytes --]
Hello,
My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
Just to let you know, I don't have much experience with security concepts in general.
I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky)
Following the documentation, you need to set :
* RAUC_KEY_FILE = "path/to/key.pem" # What I call the private key
* RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
As a result, when generating your image and bundle, you get :
* A linux image with /etc/rauc/cert.pem integrated to your rootfs
* A signed bundle with the key.pem
My problem is what happens when the certificate is expired ?
My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
Then, I generate the bundle via Yocto and try to install it.
This doesn't work and gives me :
# rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Verifying bundle...
signature verification failed: Verify error:self signed certificate
It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.
Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ?
Thank you very much.
Best regards,
Adrien MARTIN
Ingénieur Système Embarqué STIMIO
adrien.martin@stimio.fr<mailto:adrien.martin@stimio.fr>
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr<http://www.stimio.fr/>
[stimio_logo]
[-- Attachment #1.1.2: Type: text/html, Size: 10498 bytes --]
[-- Attachment #1.2: image001.png --]
[-- Type: image/png, Size: 3378 bytes --]
[-- Attachment #2: Type: text/plain, Size: 66 bytes --]
_______________________________________________
RAUC mailing list
next reply other threads:[~2019-08-14 15:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 15:56 Adrien Martin [this message]
2019-09-03 21:44 ` [meta-rauc] " Thorsten Scherer
2019-09-05 12:17 ` Adrien Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DB8PR05MB605958E2F1FE8B3E06812D56F3AD0@DB8PR05MB6059.eurprd05.prod.outlook.com \
--to=adrien.martin@stimio.fr \
--cc=meta-rauc@pengutronix.de \
--cc=patrick.boettcher@stimio.fr \
--cc=rauc@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox