apertis-update-manager-ota-signed manual

medium

Image Types:
minimal-armhf
Image Deployment:
OSTree
Type:
functional

Description

Test the apertis-update-manager uses only signed updates over the air.

Resources

  • The DUT u-boot environment must be clean: in u-boot, run: `env default -a` followed by `saveenv`
  • A PC must be connected to DUT serial port
  • The DUT must be connected to network

Pre Conditions

  1. This test requires a properly configured time source: when testing devices not carrying a battery-backed real time clock in a network which prevents connections to NTP servers (and only in that case) manually ensure that the time on the device is set appropriately and that it is propagated to the hardware clock so it is stay set on the next reboot if the power is not plugged off.
    2. $ sudo timedatectl --adjust-system-clock set-time "2019-08-21 18:49:03"
  2. If direct access to repository with updates for DUT is restricted and proxy server should be used, then need to add the address of this proxy for OSTree on DUT by command:
    3. $ sudo ostree config set 'remote "origin"'.proxy "http://10.168.128.45:3128"

Execution Steps

  1. Check the initial deployment
    2. $ sudo ostree admin status
  2. Prepare the copy of commit and deploy to allow the upgrade to the same version
  3. Command below shows you an initial commit ID, for instance
    4. $ export BOOTID=$(sudo ostree admin status | sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'); echo $BOOTID
  4. Get the Collection ID and ref
    5. $ export CID=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 1 -d ' '); echo COLLECTION_ID=$CID
    $ export REF=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 2 -d ' '); echo REF=$REF
  5. Create the list of files to skip and ensure there are some files in those directories, the default Apertis 'ed25519' public key will be removed as well.
    6. $ ls -1d /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d > /tmp/skip
    $ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d
  6. Create the commit with changed timestamp and skipped list from above to allow upgrade with recent update file
    7. $ export NEWID=$(sudo ostree commit --orphan --tree=ref=$BOOTID --add-metadata-string=ostree.collection-binding=$CID --bind-ref=$REF --timestamp="1 year ago" --skip-list=/tmp/skip); echo "New commit: $NEWID"
  7. Copy public key to home directory
    8. $ cp -av /usr/share/ostree/trusted.ed25519.d/apertis.ed25519 ./
  8. Deploy the prepared commit
    9. $ sudo ostree admin upgrade --allow-downgrade --deploy-only --override-commit=$NEWID --reboot
  9. Wait until the system is booted again and check the deployment
    10. $ sudo ostree admin status
  10. The booted commit (started with '*') must have ID which we prepare and the initial commit ID should be marked as '(rollback)'
  11. Remove the initial deployment
    12. $ sudo ostree admin undeploy 1
  12. Reboot the system
  13. Check the current deployment
    14. $ sudo ostree admin status
  14. Start the user interface agent with mode preventing automatic system reboot after update
    15. $ sudo updatectl --register-upgrade-handler &
  15. Need to monitor the journal log to catch events
    16. $ sudo journalctl -ef --unit apertis-update-manager &
  16. Enable network updates with CLI tool
    17. $ sudo updatectl --check-network-updates
  17. Check that the update manager refuses to update

    18.  Sep 18 12:54:09 apertis apertis-update-[426]: Ostree upgrade failed: Can't verify commit

  18. Copy the public key to system-wide directory -- this allowing to use signed commits for update
    19. $ sudo mkdir -p /etc/ostree/trusted.ed25519.d/; sudo cp -av apertis.ed25519 /etc/ostree/trusted.ed25519.d/
  19. Try to update via network again
    20. $ sudo updatectl --check-network-updates
  20. Should to see started download/deploy process. Check the string saying we are using the signed commit: 'security: SIGN: commit'

    21.  Sep 18 13:01:13 apertis apertis-update-managerd[426]: libostree pull from 'origin' for apertis/v2020/amd64-uefi/minimal complete

                                                  security: disabled 

                                                  security: SIGN: commit http: TLS

                                                  non-delta: meta: 438 content: 3962

                                                  transfer: secs: 64 size: 44.5 MB

  21. After the update, the device does *not* reboot automatically
  22. Check if there is pending deployment and reboot the DUT
    23. $ sudo ostree admin status
    $ sudo reboot
  23. Check the current deployment has been updated and that the rollback entry points to the prepared deployment
    24. $ sudo ostree admin status

Expected

The OTA update signed with 'unknown' signature is refused to update