zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

Support Uptane as a way to update Zephyr software #52987

Open JustinCappos opened 1 year ago

JustinCappos commented 1 year ago

Introduction

Right now, Zephyr updates seem to mostly be using the SWupdate tool. We'd like to include an alternative tool, Uptane, which provides a much stronger set of security properties that help it resist even nation-state actors.

Problem description

SWupdate does not provide revocation, delegations, roles, or similar mechanisms to account for situations where the signing key and/or repository are compromised.

Proposed change

I'd like to help the Uptane project, specifically the Aktualizr implementation, which is included in AGL, etc., be an option for interested users.

Detailed RFC

For details about the security model, etc., please see the Uptane website. Essentially, right now, if a key or server is compromised, there is a serious risk to all Zephyr users. Adopting a different architecture will mitigate much of this risk.

Proposed change (Detailed)

I'll have to have someone from our team take a look at how to package this all up and get things smoothly into Zephyr. I'm curious to talk first to explore if this is of interest before working to do this effort.

Dependencies

I'm not sure. Will need to consult with others. Just starting the process here first. Overall the codebase is used and maintained by Toradex, which runs Zephyr on some of their boards.

Concerns and Unresolved Questions

Need to have further discussions with the community about any concerns from their end.

Alternatives

I am also speaking with the folks at SWupdate about possibly adding the security model from Uptane (or similar) to their tool. I would be happy to see that effort progress also or possibly instead of this.

beriberikix commented 1 year ago

@kestewart asked for my .02, so sharing the wealth :) Generally I think it's a great thing to provide more options for device management & OTA. So thoughts that come to mind:

FWIW, at Golioth we use our own mechanism for OTA and IETF SUIT but I would be excited to see any improvements to this part of Zephyr!

ceolin commented 1 year ago

Hi, I agree with @beriberikix. The aktualizr client will not just fit on Zephyr, unless you are intending to pull a specific part. I'm also interested in understanding what the intended targets are and how it relates to other components like the boot loader. On the C++ thing, don't take for granted that any C++ feature is available, and keep in mind that we support multiple toolchains.

That said, it will be fantastic to have it. I'll take a closer look at the client to give more feedback. We can bring this topic to one security working group meeting as well.

henrikbrixandersen commented 1 year ago

You mention that Zephyr OTA is currently mostly done using SWupdate. I am not aware of a Zephyr port of SWupdate, could you please post a reference to this?

de-nordic commented 1 year ago

I am removing myself as assignee because I only collaborate within the MCUmgr subsystem, and I have no idea what SWupdate is and am quite sure that Zephyr does not use it.

zephyrbot commented 7 months ago

Hi @d3zd3z, @ceolin,

This issue, marked as an RFC, was opened a while ago and did not get any traction. It was just assigned to you based on the labels. If you don't consider yourself the right person to address this issue, please re-assign it to the right person.

Please take a moment to review if the issue is still relevant to the project. If it is, please provide feedback and direction on how to move forward. If it is not, has already been addressed, is a duplicate, or is no longer relevant, please close it with a short comment explaining the reason.

@JustinCappos you are also encouraged to help move this issue forward by providing additional information and confirming this request/issue is still relevant to you.

Thanks!