apertis-update-manager-automount manual
medium
- Image Types: minimal-armhf / minimal-arm64
- Image Deployment: OSTree
- Type: functional
Description
Test the apertis-update-manager automatic update via mass storage device.
Resources
- Static non-encrypted and encrypted update bundle files of the same architecture, variant and version as the testing image
- A FAT32 USB flash drive, preloaded with the update bundle at the root of the disk
- The latest static update file can be downloaded from the same location as the target image. It has the same basename and a '.delta' extension
- The static update file should be copied to the flash drive using the name 'static-update.bundle'.
- A second FAT32 USB flash drive, preloaded with the encrypted update bundle at the root of the disk
- The latest encrypted static update file can be downloaded from the same location as the target image. It has the same basename and a '.delta.enc' extension
- The static encrypted update file should be copied to the second flash drive using the name 'static-update.bundle.enc'.
- A third FAT32 USB flash drive, which will contain the encrypted update bundle with unknown key at the root of the disk
- A PC must be connected to DUT serial port
Pre Conditions
- The encrypted update bundle with unknown key can be generated from the encrypted update bundle using one of the keys used for encryption (saved to key0.key) and the following commands:
$ sudo apt install cryptsetup
$ wget https://gitlab.apertis.org/infrastructure/apertis-image-recipes/-/raw/apertis/v2022dev0/overlays/apertis-update-manager/usr/share/apertis-update-manager/key0.key
$ echo -n "wrong key" > tmp.key
$ BUNDLE=<encrypted-static-update-filename>.delta.enc
$ cp $BUNDLE $BUNDLE.badkey
$ sudo udisksctl loop-setup -f $BUNDLE.badkey
$ sudo cryptsetup luksChangeKey --key-file=key0.key --key-slot=0 /dev/loop0 tmp.key
$ for i in {1..7} ; do sudo cryptsetup luksKillSlot --key-file=tmp.key /dev/loop0 $i ; done
$ sudo udisksctl loop-delete -b /dev/loop0
- The static encrypted update file with unknown key ($BUNDLE.badkey) should be copied to the root of the third flash drive using the name 'static-update.bundle.enc'.
Execution Steps
- Check the initial deployment
$ sudo ostree admin status
- Prepare a copy of the commit and deploy it to allow the upgrade to the same version
- The command below shows the initial commit ID, for instance:
$ export BOOTID=$(sudo ostree admin status | sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'); echo $BOOTID
- Get the Collection ID and ref
$ export CID=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 1 -d ' '); echo COLLECTION_ID=$CID
$ export REF=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 2 -d ' '); echo REF=$REF
- Create the list of files to skip and ensure there are some files in these directories
$ ls -1d /usr/share/locale /usr/share/man /usr/share/zoneinfo > /tmp/skip
$ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo
- Create the commit with a changed timestamp and the skip list from above to allow the upgrade with a recent update file
$ export NEWID=$(sudo ostree commit --orphan --tree=ref=$BOOTID --add-metadata-string=ostree.collection-binding=$CID --bind-ref=$REF --timestamp="1 year ago" --skip-list=/tmp/skip); echo "New commit: $NEWID"
- Deploy the prepared commit
$ sudo ostree admin upgrade --allow-downgrade --deploy-only --override-commit=$NEWID --reboot
- Wait until the system is booted again and check the deployment
$ sudo ostree admin status
- The booted commit (starting with '*') must have the ID of the commit we prepared, and the initial commit ID should be marked as '(rollback)'
- Check that the booted deployment has none of the file objects we skipped
$ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo
- Remove the initial deployment
$ sudo ostree admin undeploy 1
- Reboot the system
- Plug the first USB flash drive with the non-encrypted update bundle file into the device
- The USB flash drive must mount correctly but must not start the update, with a trace similar to:
$ sudo journalctl -f --unit apertis-update-manager
Feb 14 10:12:50 apertis apertis-update-[471]: mount added : /media/USB1
Feb 14 10:12:50 apertis apertis-update-[471]: Trying to use unencrypted bundle instead of encrypted bundle
Feb 14 10:12:50 apertis apertis-update-[471]: No static-update.bundle.enc found
- Remove the USB flash drive
- Plug the third USB flash drive with the encrypted update bundle file with unknown key into the device
- The USB flash drive must mount correctly but must not start the update, with a trace similar to:
Feb 14 10:41:14 apertis apertis-update-[465]: mount added : /media/USB1
Feb 14 10:41:15 apertis apertis-update-[465]: Unable to unlock /dev/loop0
- Plug the second USB flash drive with the encrypted update bundle file into the device
- The update starts automatically
- After the update, the device will reboot automatically
- Remove the USB flash drive immediately after reboot
- Check that the current deployment has been updated and that the rollback entry points to the prepared deployment
$ sudo ostree admin status
Expected
The update was properly applied
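
The pass criteria of the execution steps (the two rejection traces and the final deployment check) can be checked mechanically. The following is an added example, not part of the Apertis test case: the function names and the sample status text are constructed, and treating an unchanged booted commit as evidence that no update started is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Apertis test case. On the DUT, pass in text
# captured from `journalctl` and `ostree admin status`.

# Commit ID of the booted deployment (same sed expression as the test case).
booted_commit() {
    sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'
}

# Commit ID of the entry marked "(rollback)".
# Assumption: non-booted entries are indented with spaces instead of "* ".
rollback_commit() {
    sed -n -e 's/^ *apertis \([0-9a-f]*\)\.[0-9] (rollback)$/\1/p'
}

# check_rejected JOURNAL STATUS NEWID
# Pass only if the drive mounted, one of the two rejection traces was logged,
# and the prepared commit NEWID is still the booted deployment.
check_rejected() {
    printf '%s\n' "$1" | grep -q 'mount added : ' || { echo "FAIL: drive not mounted"; return 1; }
    printf '%s\n' "$1" | grep -q -e 'No static-update\.bundle\.enc found' \
        -e 'Unable to unlock /dev/loop' || { echo "FAIL: no rejection trace"; return 1; }
    [ "$(printf '%s\n' "$2" | booted_commit)" = "$3" ] || { echo "FAIL: booted deployment changed"; return 1; }
    echo "PASS: bundle rejected, still booted on $3"
}

# check_updated STATUS NEWID
# Pass only if a different commit is booted and NEWID is the rollback entry.
check_updated() {
    booted=$(printf '%s\n' "$1" | booted_commit)
    rollback=$(printf '%s\n' "$1" | rollback_commit)
    [ -n "$booted" ] || { echo "FAIL: no booted deployment"; return 1; }
    [ "$booted" != "$2" ] || { echo "FAIL: still booted on prepared commit"; return 1; }
    [ "$rollback" = "$2" ] || { echo "FAIL: rollback entry is '$rollback'"; return 1; }
    echo "PASS: booted=$booted rollback=$rollback"
}

# Constructed sample (shortened commit IDs), standing in for DUT output.
SAMPLE_STATUS='* apertis 1111aaaa.0
  apertis 2222bbbb.0 (rollback)'
check_updated "$SAMPLE_STATUS" 2222bbbb
```

On the device, call `check_rejected "$(sudo journalctl -b --unit apertis-update-manager)" "$(sudo ostree admin status)" "$NEWID"` after each of the two drives that must be refused, and `check_updated "$(sudo ostree admin status)" "$NEWID"` after the final reboot, with NEWID re-exported from the value noted earlier.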