mail archive of the rauc mailing list
 help / color / mirror / Atom feed
* [RAUC] [Yocto] Rauc certificate expiration management advices
@ 2019-08-14 15:56 Adrien Martin
  2019-09-03 21:44 ` [meta-rauc] " Thorsten Scherer
  0 siblings, 1 reply; 3+ messages in thread
From: Adrien Martin @ 2019-08-14 15:56 UTC (permalink / raw)
  To: rauc, meta-rauc; +Cc: Patrick Boettcher


[-- Attachment #1.1.1: Type: text/plain, Size: 1973 bytes --]

Hello,

My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
Just to let you know, I don't have much experience with security concepts in general.

I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky)

Following the documentation, you need to set :

  *   RAUC_KEY_FILE = "path/to/key.pem"     # What I call the private key
  *   RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)

As a result, when generating your image and bundle, you get :

  *   A linux image with /etc/rauc/cert.pem integrated to your rootfs
  *   A signed bundle with the key.pem

My problem is what happens when the certificate is expired ?

My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
Then, I generate the bundle via Yocto and try to install it.

This doesn't work and gives me :
# rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Verifying bundle...
signature verification failed: Verify error:self signed certificate

It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.

Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ?

Thank you very much.

Best regards,

Adrien MARTIN
Ingénieur Système Embarqué STIMIO
adrien.martin@stimio.fr<mailto:adrien.martin@stimio.fr>
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr<http://www.stimio.fr/>
[stimio_logo]


[-- Attachment #1.1.2: Type: text/html, Size: 10498 bytes --]

[-- Attachment #1.2: image001.png --]
[-- Type: image/png, Size: 3378 bytes --]

[-- Attachment #2: Type: text/plain, Size: 66 bytes --]

_______________________________________________
RAUC mailing list

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [meta-rauc] [RAUC] [Yocto] Rauc certificate expiration management advices
  2019-08-14 15:56 [RAUC] [Yocto] Rauc certificate expiration management advices Adrien Martin
@ 2019-09-03 21:44 ` Thorsten Scherer
  2019-09-05 12:17   ` Adrien Martin
  0 siblings, 1 reply; 3+ messages in thread
From: Thorsten Scherer @ 2019-09-03 21:44 UTC (permalink / raw)
  To: Adrien Martin; +Cc: Patrick Boettcher, rauc, meta-rauc

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
> 
> My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in general.
> 
> I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky)
> 
> Following the documentation, you need to set :
> 
>   *   RAUC_KEY_FILE = "path/to/key.pem"     # What I call the private key
>   *   RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
> 
> As a result, when generating your image and bundle, you get :
> 
>   *   A linux image with /etc/rauc/cert.pem integrated to your rootfs
>   *   A signed bundle with the key.pem
> 
> My problem is what happens when the certificate is expired ?
> 
> My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
> Then, I generate the bundle via Yocto and try to install it.
> 
> This doesn't work and gives me :
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
> 
> It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.
> 
> Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ?

I guess you're trying to replace the expired certificate in a "Single
Key" scenario, which is not possible [1].  The documentaion lists some
other variants, though I am not sure which one applies best to your
use-case (maybe install hooks??).

> 
> Thank you very much.
> 
> Best regards,
> 
> Adrien MARTIN
> Ingénieur Système Embarqué STIMIO
> adrien.martin@stimio.fr<mailto:adrien.martin@stimio.fr>
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
> www.stimio.fr<http://www.stimio.fr/>
> [stimio_logo]
> 
> _______________________________________________
> RAUC mailing list

Best regards,
Thorsten

[1] https://rauc.readthedocs.io/en/latest/advanced.html#single-key

--
Thorsten Scherer <tk-scherer@mailbox.org>

_______________________________________________
meta-rauc mailing list

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RAUC] [Yocto] Rauc certificate expiration management advices
  2019-09-03 21:44 ` [meta-rauc] " Thorsten Scherer
@ 2019-09-05 12:17   ` Adrien Martin
  0 siblings, 0 replies; 3+ messages in thread
From: Adrien Martin @ 2019-09-05 12:17 UTC (permalink / raw)
  To: Thorsten Scherer; +Cc: Patrick Boettcher, rauc, meta-rauc

Hello Thorsten,

Thank you for your response, this confirms what we have also found in our research in the meantime. 
We will find a better security key/certs management in the coming future to overcome this kind of problem.

Best regards,

Adrien MARTIN
Ingénieur Système Embarqué STIMIO
adrien.martin@stimio.fr
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr

-----Message d'origine-----
De : Thorsten Scherer <tk-scherer@mailbox.org> 
Envoyé : mardi 3 septembre 2019 23:44
À : Adrien Martin <adrien.martin@stimio.fr>
Cc : rauc@pengutronix.de; meta-rauc@pengutronix.de; Patrick Boettcher <patrick.boettcher@stimio.fr>
Objet : Re: [RAUC] [Yocto] Rauc certificate expiration management advices

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
> 
> My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in general.
> 
> I am using Rauc (v0.4, quite old I admit) for an embedded linux system 
> (imx6ul) with barebox bootloader, all images / bundles are generated 
> via Yocto (Poky)
> 
> Following the documentation, you need to set :
> 
>   *   RAUC_KEY_FILE = "path/to/key.pem"     # What I call the private key
>   *   RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
> 
> As a result, when generating your image and bundle, you get :
> 
>   *   A linux image with /etc/rauc/cert.pem integrated to your rootfs
>   *   A signed bundle with the key.pem
> 
> My problem is what happens when the certificate is expired ?
> 
> My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
> Then, I generate the bundle via Yocto and try to install it.
> 
> This doesn't work and gives me :
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: 
> /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
> 
> It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.
> 
> Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ?

I guess you're trying to replace the expired certificate in a "Single Key" scenario, which is not possible [1].  The documentaion lists some other variants, though I am not sure which one applies best to your use-case (maybe install hooks??).

> 
> Thank you very much.
> 
> Best regards,
> 
> Adrien MARTIN
> Ingénieur Système Embarqué STIMIO
> adrien.martin@stimio.fr<mailto:adrien.martin@stimio.fr>
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 
> Carquefou www.stimio.fr<http://www.stimio.fr/>
> [stimio_logo]
> 
> _______________________________________________
> RAUC mailing list

Best regards,
Thorsten

[1] https://rauc.readthedocs.io/en/latest/advanced.html#single-key

--
Thorsten Scherer <tk-scherer@mailbox.org>

_______________________________________________
RAUC mailing list

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2019-09-05 12:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-14 15:56 [RAUC] [Yocto] Rauc certificate expiration management advices Adrien Martin
2019-09-03 21:44 ` [meta-rauc] " Thorsten Scherer
2019-09-05 12:17   ` Adrien Martin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox