Hello, My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security. Just to let you know, I don't have much experience with security concepts in general.
I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky) Following the documentation, you need to set : * RAUC_KEY_FILE = "path/to/key.pem" # What I call the private key * RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key) As a result, when generating your image and bundle, you get : * A linux image with /etc/rauc/cert.pem integrated to your rootfs * A signed bundle with the key.pem My problem is what happens when the certificate is expired ? My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe. Then, I generate the bundle via Yocto and try to install it. This doesn't work and gives me : # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb rauc-Message: Verifying bundle... signature verification failed: Verify error:self signed certificate It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate. Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ? Thank you very much. Best regards, Adrien MARTIN Ingénieur Système Embarqué STIMIO adrien.mar...@stimio.fr<mailto:adrien.mar...@stimio.fr> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou www.stimio.fr<http://www.stimio.fr/> [stimio_logo]
_______________________________________________ meta-rauc mailing list
