CIP Software updates architecture

This document describes the requirements and a non-detailed architecture for CIP software updates

These requirements were extracted from a survey conducted among CIP members and by investigating popular update software.

[*] means “essential requirements”

1. Functionality requirements
   1. Ability to update the kernel, rootfs, and applications [*]
   2. Ability to update the bootloader
   3. Easy to customize the update steps [*]
   4. Whitelist: update only these files/folders
   5. Blacklist: update everything except these files/folders
2. Portability requirements
   1. Independent of the image build system [*]
   2. Independent of the underlying filesystems [*]
   3. Minimize client program dependencies [*]
   4. Provide an interface to interact with bootloaders [*]
3. Update media requirements
   1. Ability to update from a network server [*]
   2. Ability to update from local media: USB, microSD, LAN [*]
4. Resource requirements
   1. Minimize network bandwidth usage [*]
   2. Minimize storage overhead on the client [*]
   3. Keep downtime below a few minutes [*]
   4. Minimize CPU utilization peaks
   5. Minimize storage costs on the server [*]
5. Security requirements
   1. Signed updates (authentication, integrity) [*]
   2. Encrypted communication [*]
   3. Ability to run on OP-TEE
   4. Ability to update encrypted filesystems
   5. Ability to update block devices using dm-verity
   6. Device authentication
6. Fail-safety requirements
   1. Reliable against power loss (atomic updates) [*]
   2. Ability to roll back to a previous working image [*]
   3. Ability to do a factory reset (rollback to initial version)
   4. Ability to wipe a partition (only clear data)
7. Network server requirements
   1. Ability to search and get information from devices
   2. Ability to see the update status [*]
   3. Ability to select what devices to update
   4. Ability to scale to millions of devices

The architecture is composed of multiple components that work together to implement the updating system. The build tool is used to create the operating system image, and it may also provide information about the way the system is partitioned and the filesystem format. The server is in charge of storing different versions of the operating system images for each device, and delivering those images to the devices in an efficient and secure way. The client is in charge of applying updates and interact with the bootloader and the server. We will use a typical A/B update architecture because it is stable, fail*safe, and has support on most available tools. Below we show the main roles realized by each component and possible open*source candidates to satisfy them.

• Build tool
  • builds operating system images
  • examples: deby, isar, debos, yocto/oe, live*wrapper, etc.
• Server
  • Storage
    • stores operating system images and versions efficiently
    • candidates: casync, ostree
  • Delivery
    • sends only data that has changed (deltas)
    • candidates: casync, courgette, ostree, rsync
  • Security
    • guarantees encryption, authenticity and integrity of updates
    • candidates: digital signature (x509), https, delta hashes
  • Server application
    • has an https REST API (requires a token on the client)
    • communicate status, send commands, download manifests
    • as a frontend to visualize update status and control updates
    • candidates: mender.io, hawkbit, custom(flask, django, expressjs, ..)
  • File*based vs block based
    • block based updates ensure that any file attributes are updated
    • if the tool supports the necessary attributes file*based updates are possible too
• Client
  • Updater
    • a daemon that accesses the server and performs the updates
    • verifies digital signatures
    • supports various bootloaders (u*boot, efibootguard, etc)
    • candidates: swupdate, rauc, mender, custom script
  • A/B updates
    • each partition is duplicated (with exceptions such as the data partition)
    • enables lower downtime, rollback, and seamless updates
    • stream updates directly to avoid needing a cache
    • use the active partition as the seed to reduce bandwidth usage
    • For small storage devices jump to an update ramdisk
    • For local updates use a USB filesystem