From: Adrien Martin
Date: Wed, 14 Aug 2019 15:56:07 +0000
Subject: [RAUC] [Yocto] Rauc certificate expiration management advice
To: rauc@pengutronix.de, meta-rauc@pengutronix.de
Cc: Patrick Boettcher

Hello,

My name is Adrien Martin, embedded system engineer at STIMIO, and I am facing an issue with rauc update security.
Just to let you know, I don't have much experience with security concepts in general.

I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader; all images / bundles are generated via Yocto (Poky).

Following the documentation, you need to set:

* RAUC_KEY_FILE = "path/to/key.pem"    # What I call the private key
* RAUC_CERT_FILE = "path/to/cert.pem"  # What I call the certificate (public key)

As a result, when generating your image and bundle, you get:

* A linux image with /etc/rauc/cert.pem integrated into your rootfs
* A signed bundle with the key.pem

My problem is: what happens when the certificate is expired?

My initial thought was, I just have to generate a new cert.pem, based on the same private key.pem, with a new valid lifetime period and set up this new cert in the yocto recipe.
Then, I generate the bundle via Yocto and try to install it.

This doesn't work and gives me:

# rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
rauc-Message: Verifying bundle...
signature verification failed: Verify error:self signed certificate

It looks like a bundle can only be used with the cert file set in the yocto recipe. This bundle will keep this cert file in the /etc/rauc/ folder, so all future bundle installations will need the exact same certificate.

Could you explain to me what I am missing? What method do you recommend to manage certificate expirations over time?

Thank you very much.

Best regards,

Adrien MARTIN
Embedded Systems Engineer, STIMIO
adrien.martin@stimio.fr
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr

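The failure reported in the mail, reproduced with plain OpenSSL CMS, as an added example that is not part of the original post or of the RAUC project's code; it goes beyond the post by also showing the CA-based keyring layout in which a renewed signer certificate still verifies. It assumes only that the openssl CLI is installed; every key, certificate and payload is constructed inside the script.

```shell
# Added example, not from the original mail or the RAUC project: it reproduces
# the post's "self signed certificate" verify error with plain OpenSSL CMS
# (the detached signature form RAUC bundles use) and contrasts it with a
# CA-based keyring, where renewing the signer certificate leaves the device's
# keyring unchanged. Assumes the openssl CLI; all keys, certs and the payload
# are constructed here.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'constructed bundle payload\n' > bundle.bin

# Self-signed certificate plus a fresh key: args key cert CN days
selfsigned_new_key() { openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" \
  -out "$2" -subj "/CN=$3" -days "$4" >/dev/null 2>&1; }
# A further self-signed certificate for an EXISTING key (what the post tried)
selfsigned_same_key() { openssl req -x509 -new -key "$1" -out "$2" \
  -subj "/CN=$3" -days "$4" 2>/dev/null; }
# Certificate issued by the CA for an existing key: args key cert days
issue_from_ca() { openssl req -new -key "$1" -subj "/CN=signer" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days "$3" -out "$2" 2>/dev/null; }
# Detached CMS signature over bundle.bin: args signer-cert key out
sign_bundle() { openssl cms -sign -binary -in bundle.bin -signer "$1" \
  -inkey "$2" -outform DER -out "$3"; }
# Verify against a keyring file; exit 0 on success, error text in "$2.err"
verify_bundle() { openssl cms -verify -binary -inform DER -in "$2" \
  -content bundle.bin -CAfile "$1" -out /dev/null 2>"$2.err"; }

# 1) Keyring on the device = cert1, bundle signed with cert1: verifies
selfsigned_new_key key.pem cert1.pem signer 30
sign_bundle cert1.pem key.pem sig1.der
verify_bundle cert1.pem sig1.der && echo "cert1 against keyring cert1: OK"

# 2) cert2 re-issued for the same key, device keyring still holds cert1:
#    a self-signed signer must match a trust anchor exactly, so this fails
selfsigned_same_key key.pem cert2.pem signer 365
sign_bundle cert2.pem key.pem sig2.der
verify_bundle cert1.pem sig2.der || echo "cert2 against keyring cert1: $(grep -i 'verify error' sig2.der.err)"

# 3) Keyring = CA certificate; signer certs are issued by the CA, so a renewed
#    signer cert verifies against the unchanged keyring
selfsigned_new_key ca.key ca.pem ca 3650
issue_from_ca key.pem leaf1.pem 30
sign_bundle leaf1.pem key.pem sig3.der
verify_bundle ca.pem sig3.der && echo "leaf1 against keyring ca: OK"
issue_from_ca key.pem leaf2.pem 30      # renewed later; device keyring untouched
sign_bundle leaf2.pem key.pem sig4.der
verify_bundle ca.pem sig4.der && echo "leaf2 against keyring ca: OK"
```

Step 2 produces the same "self signed certificate" error as the post: OpenSSL only accepts a self-signed signer certificate when it matches a keyring entry exactly, and sharing the private key with the old certificate does not help. With the CA layout in step 3 the device keyring holds the CA certificate, so signer certificates can expire and be reissued without a rootfs update.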