Getting device owner's approval to perform update/install/remove

[sophokles73]

We want to use Kanto's Update Manager mechanism in the Software Defined Vehicle context. In particular, we are thinking about implementing an Update Agent which can perform a firmware update of an OEM specific control unit (ECU).

In general, the process maps pretty well to the Update Agent's state machine. However, after having downloaded the firmware artifact(s) and before applying the update, we would need to obtain the driver's approval for actually performing the firmware update. This is because the vehicle might not be usable during the update process which might take up to several hours.

We already thought about implementing a custom component which monitors the Update Agent's desired state feedback topic and produces a (custom) message for the Update Agent once the driver approval has been gathered (the mechanism for doing so is out-of-scope here). However, given that this seems to be a common use case (not only in the SDV context), we wonder if it makes sense to add to the Update Agent state machine in a generic way.

WDYT?

[k-gostev]

We have also discussed this functionality with @dimitar-dimitrow, and we think it would be a must have addition to the update manager. We just need to see how to fit this on the roadmap.

[dimitar-dimitrow]

Getting the device owner's approval could be done as a communication(MQTT) between UM and a software component running on HMI(Human Machine Interface). MQTT topics and payloads should be defined. Here are some open questions that could be used to better define them.

After a discussion with @k-gostev , we aligned on the following things:

• The whole desired state will be approved at once, to minimize the owner's efforts.
• As a start a property will be added to the UM to configure before which phase(download/update/activate) the owner's approval will be requested. At a latter stage this configuration could be included to the desired state.
• The download/update/activate phases should be synced across agents. Currently one agent could be in the updating phase, while another one is still downloading. This will allow us to request an approval once all agents have gone though the downloading phase for example.
• As of now the owner should have the options to either accept or reject the update. Rejecting the update would mean that the current desired state will be dropped and a new one should be issued from the cloud. In the future scheduling could be added.
• The approval request should be accompanied with a message describing the update to the owner. The message could include a interval in which the update is expected to finish e.g. 10-30min. The message should be included in the desired state.
• For a start MQTT topics and message payloads will not follow the Hono/Ditto spec, approvals will be accepted only from HMI on the device . On a latter stage Hono/Ditto support could be added, this will enable the use case of accepting the update through the cloud on another device(e.g. smartphone).

[dimitar-dimitrow]

• 56

• 58

• 60

• 62

• eclipse-kanto/kanto#326