Hello Thorsten,

Thank you for your response, this confirms what we have also found in our research in the meantime.
We will find a better security key/certs management in the coming future to overcome this kind of problem.

Best regards,

Adrien MARTIN
Embedded Systems Engineer
STIMIO
adrien.mar...@stimio.fr
1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
www.stimio.fr

-----Original Message-----
From: Thorsten Scherer <tk-sche...@mailbox.org>
Sent: Tuesday, 3 September 2019 23:44
To: Adrien Martin <adrien.mar...@stimio.fr>
Cc: rauc@pengutronix.de; meta-r...@pengutronix.de; Patrick Boettcher <patrick.boettc...@stimio.fr>
Subject: Re: [RAUC] [Yocto] Rauc certificate expiration management advices

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
>
> My name is Adrien Martin, embedded system engineer at STIMIO and I am facing
> an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in
> general.
>
> I am using Rauc (v0.4, quite old I admit) for an embedded linux system
> (imx6ul) with barebox bootloader, all images / bundles are generated
> via Yocto (Poky)
>
> Following the documentation, you need to set:
>
> * RAUC_KEY_FILE = "path/to/key.pem" # What I call the private key
> * RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
>
> As a result, when generating your image and bundle, you get:
>
> * A linux image with /etc/rauc/cert.pem integrated to your rootfs
> * A signed bundle with the key.pem
>
> My problem is what happens when the certificate is expired?
>
> My initial thought was, I just have to generate a new cert.pem, based on the
> same private key.pem with a new valid lifetime period and set up this new
> cert in the yocto recipe.
> Then, I generate the bundle via Yocto and try to install it.
>
> This doesn't work and gives me:
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
>
> It looks like a bundle can only be used with the cert file set in the yocto
> recipe. This bundle will keep this cert file in /etc/rauc/ folder so all
> future bundle installations will need the exact same certificate.
>
> Could you explain to me what I am missing? What method do you recommend to
> manage certificate expirations over time?

I guess you're trying to replace the expired certificate in a "Single Key" scenario, which is not possible [1]. The documentation lists some other variants, though I am not sure which one applies best to your use-case (maybe install hooks??).

>
> Thank you very much.
>
> Best regards,
>
> Adrien MARTIN
> Embedded Systems Engineer
> STIMIO
> adrien.mar...@stimio.fr
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
> www.stimio.fr
>
> _______________________________________________
> RAUC mailing list

Best regards,
Thorsten

[1] https://rauc.readthedocs.io/en/latest/advanced.html#single-key

--
Thorsten Scherer <tk-sche...@mailbox.org>
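
The failure discussed in this thread can be reproduced with plain OpenSSL. This is an added example, not part of the original messages and not RAUC's own code. It assumes `openssl verify -CAfile` as a stand-in for the device's keyring check, and it goes one step beyond the thread by contrasting the single-key case with a signing certificate issued by a CA; all file names, subjects and lifetimes are constructed.

```shell
#!/bin/sh
# Constructed demo: all file names, subjects and lifetimes are made up.
# Assumption: `openssl verify -CAfile <keyring>` stands in for the check
# performed against the keyring installed on the device.

new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# chains_to KEYRING CERT -> exit status 0 if CERT verifies against KEYRING
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Single key: the keyring IS the self-signed signing certificate.
# A self-signed cert re-issued from the same key is a different
# certificate, so a keyring holding the first one does not accept it.
single_key_renewal_rejected() {
    d=$(mktemp -d) || return 2
    new_key "$d/key.pem"
    for days in 30 3650; do
        openssl req -x509 -new -key "$d/key.pem" -subj "/CN=demo-signer" \
            -days "$days" -out "$d/cert-$days.pem" 2>/dev/null || return 2
    done
    chains_to "$d/cert-30.pem" "$d/cert-30.pem" &&
        ! chains_to "$d/cert-30.pem" "$d/cert-3650.pem"
    rc=$?; rm -rf "$d"; return $rc
}

# CA keyring: the keyring holds a CA certificate. The signing certificate
# can be re-issued with a new lifetime (same key, same CSR) and still
# chains to the unchanged keyring.
ca_signed_renewal_accepted() {
    d=$(mktemp -d) || return 2
    new_key "$d/ca.key"; new_key "$d/sign.key"
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=demo-ca" \
        -days 3650 -out "$d/ca.pem" 2>/dev/null || return 2
    openssl req -new -key "$d/sign.key" -subj "/CN=demo-signer" \
        -out "$d/sign.csr" 2>/dev/null || return 2
    for days in 30 365; do
        openssl x509 -req -in "$d/sign.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -days "$days" \
            -out "$d/sign-$days.pem" 2>/dev/null || return 2
    done
    chains_to "$d/ca.pem" "$d/sign-30.pem" &&
        chains_to "$d/ca.pem" "$d/sign-365.pem"
    rc=$?; rm -rf "$d"; return $rc
}

single_key_renewal_rejected && echo "single key: re-issued self-signed cert rejected"
ca_signed_renewal_accepted && echo "CA keyring: re-issued signing cert accepted"
```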