apertis-update-manager-ota-signed manual
medium
- Image Types:
- minimal-armhf
- Image Deployment:
- OSTree
- Type:
- functional
Description
Test the apertis-update-manager uses only signed updates over the air.
Resources
- The DUT u-boot environment must be clean: in u-boot, run: `env default -a` followed by `saveenv`
- A PC must be connected to DUT serial port
- The DUT must be connected to network
Pre Conditions
- This test requires a properly configured time source: when testing devices not carrying a battery-backed real time clock in a network which prevents connections to NTP servers (and only in that case) manually ensure that the time on the device is set appropriately and that it is propagated to the hardware clock so it is stay set on the next reboot if the power is not plugged off.
- If direct access to repository with updates for DUT is restricted and proxy server should be used, then need to add the address of this proxy for OSTree on DUT by command:
$ sudo timedatectl --adjust-system-clock set-time "2019-08-21 18:49:03"
$ sudo ostree config set 'remote "origin"'.proxy "http://10.168.128.45:3128"
Execution Steps
- Check the initial deployment
- Prepare the copy of commit and deploy to allow the upgrade to the same version
- Command below shows you an initial commit ID, for instance
- Get the Collection ID and ref
- Create the list of files to skip and ensure there are some files in those directories, the default Apertis 'ed25519' public key will be removed as well.
- Create the commit with changed timestamp and skipped list from above to allow upgrade with recent update file
- Copy public key to home directory
- Deploy the prepared commit
- Wait until the system is booted again and check the deployment
- The booted commit (started with '*') must have ID which we prepare and the initial commit ID should be marked as '(rollback)'
- Remove the initial deployment
- Reboot the system
- Check the current deployment
- Start the user interface agent with mode preventing automatic system reboot after update
- Need to monitor the journal log to catch events
- Enable network updates with CLI tool
- Check that the update manager refuses to update
- Copy the public key to system-wide directory -- this allowing to use signed commits for update
- Try to update via network again
- Should to see started download/deploy process. Check the string saying we are using the signed commit: 'security: SIGN: commit'
- After the update, the device does *not* reboot automatically
- Check if there is pending deployment and reboot the DUT
- Check the current deployment has been updated and that the rollback entry points to the prepared deployment
$ sudo ostree admin status
$ export BOOTID=$(sudo ostree admin status | sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'); echo $BOOTID
$ export CID=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 1 -d ' '); echo COLLECTION_ID=$CID
$ export REF=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 2 -d ' '); echo REF=$REF
$ ls -1d /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d > /tmp/skip
$ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d
$ export NEWID=$(sudo ostree commit --orphan --tree=ref=$BOOTID --add-metadata-string=ostree.collection-binding=$CID --bind-ref=$REF --timestamp="1 year ago" --skip-list=/tmp/skip); echo "New commit: $NEWID"
$ cp -av /usr/share/ostree/trusted.ed25519.d/apertis.ed25519 ./
$ sudo ostree admin upgrade --allow-downgrade --deploy-only --override-commit=$NEWID --reboot
$ sudo ostree admin status
$ sudo ostree admin undeploy 1
$ sudo ostree admin status
$ sudo updatectl --register-upgrade-handler &
$ sudo journalctl -ef --unit apertis-update-manager &
$ sudo updatectl --check-network-updates
Sep 18 12:54:09 apertis apertis-update-[426]: Ostree upgrade failed: Can't verify commit
$ sudo mkdir -p /etc/ostree/trusted.ed25519.d/; sudo cp -av apertis.ed25519 /etc/ostree/trusted.ed25519.d/
$ sudo updatectl --check-network-updates
Sep 18 13:01:13 apertis apertis-update-managerd[426]: libostree pull from 'origin' for apertis/v2021dev3/amd64-uefi/minimal complete
security: disabled
security: SIGN: commit http: TLS
non-delta: meta: 438 content: 3962
transfer: secs: 64 size: 44.5 MB
$ sudo ostree admin status
$ sudo reboot
$ sudo ostree admin status
Expected
The OTA update signed with 'unknown' signature is refused to update