apertis-update-manager-automount manual

medium

Image Types:
minimal-armhf
Image Deployment:
OSTree
Type:
functional

Description

Test the apertis-update-manager automatic update via mass storage device.


Resources

  • Static non-encrypted and encrypted update bundle files of the same architecture, variant and version as the testing image
  • A FAT32 USB flash drive, preloaded with the update bundle at the root of the disk
  • The latest static update file can be downloaded from the same location as the target image. It has the same basename and a '.delta' extension
  • The static update file should be copied to the flash drive using the name 'static-update.bundle'.
  • A second FAT32 USB flash drive, preloaded with the encrypted update bundle at the root of the disk
  • The latest encrypted static update file can be downloaded from the same location as the target image. It has the same basename and a '.delta.enc' extension
  • The static encrypted update file should be copied to the second flash drive using the name 'static-update.bundle.enc'.
  • A third FAT32 USB flash drive, which will contain the encrypted update bundle with unknown key at the root of the disk
  • A PC must be connected to the DUT serial port

Pre Conditions

  1. The encrypted update bundle with unknown key can be generated from the encrypted update bundle using one of the keys used for encryption (saved to key0.key) and the following commands:

    $ sudo apt install cryptsetup

    $ wget https://gitlab.apertis.org/infrastructure/apertis-image-recipes/-/raw/apertis/v2021dev3/overlays/apertis-update-manager/usr/share/apertis-update-manager/key0.key

    $ echo -n "wrong key" > tmp.key

    $ BUNDLE=<encrypted-static-update-filename>.delta.enc

    $ cp $BUNDLE $BUNDLE.badkey

    $ sudo udisksctl loop-setup -f $BUNDLE.badkey

    $ sudo cryptsetup luksChangeKey --key-file=key0.key --key-slot=0 /dev/loop0 tmp.key

    $ for i in {1..7} ; do sudo cryptsetup luksKillSlot --key-file=tmp.key /dev/loop0 $i ; done

    $ sudo udisksctl loop-delete -b /dev/loop0

  2. The static encrypted update file with unknown key ($BUNDLE.badkey) should be copied to the root of the third flash drive using the name 'static-update.bundle.enc'.
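
The commands above assume the copy is mapped to /dev/loop0; on a PC where another loop device is already in use, luksChangeKey and luksKillSlot would act on the wrong device. The following is an added example, not part of the Apertis test case, that reads the device name from the udisksctl output and confirms that key0.key no longer unlocks the copy. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the "unknown key" bundle without assuming /dev/loop0.
set -u

# Extract the device from udisksctl's "Mapped file <f> as /dev/loopN." line.
loop_from_udisks() {
    printf '%s\n' "$1" |
        sed -n 's|^Mapped file .* as \(/dev/loop[0-9][0-9]*\)\.$|\1|p'
}

# usage: make_badkey_bundle <bundle>.delta.enc key0.key tmp.key
make_badkey_bundle() {
    bundle=$1 goodkey=$2 badkey=$3
    cp -- "$bundle" "$bundle.badkey" || return 1
    out=$(sudo udisksctl loop-setup -f "$bundle.badkey") || return 1
    dev=$(loop_from_udisks "$out")
    [ -n "$dev" ] || { echo "cannot parse loop device from: $out" >&2; return 1; }
    rc=0
    # Same commands as the page, run against the device that was really mapped.
    sudo cryptsetup luksChangeKey --key-file="$goodkey" --key-slot=0 \
        "$dev" "$badkey" || rc=1
    for i in 1 2 3 4 5 6 7; do
        # A slot that is not in use makes luksKillSlot fail; that is expected.
        sudo cryptsetup luksKillSlot --key-file="$badkey" "$dev" "$i" || true
    done
    # The original key must no longer unlock the copy.
    if sudo cryptsetup luksOpen --test-passphrase --key-file="$goodkey" "$dev"; then
        echo "original key still unlocks $dev" >&2
        rc=1
    fi
    sudo udisksctl loop-delete -b "$dev" || rc=1
    return $rc
}

# Runs only when all three file names are given on the command line.
if [ "$#" -eq 3 ]; then
    make_badkey_bundle "$1" "$2" "$3"
fi
```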

Execution Steps

  1. Check the initial deployment

    $ sudo ostree admin status

  2. Prepare the copy of commit and deploy to allow the upgrade to the same version
  3. The command below shows the initial commit ID, for instance:

    $ export BOOTID=$(sudo ostree admin status | sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'); echo $BOOTID

  4. Get the Collection ID and ref

    $ export CID=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 1 -d ' '); echo COLLECTION_ID=$CID

    $ export REF=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 2 -d ' '); echo REF=$REF

  5. Create the list of files to skip and ensure there are some files in these directories

    $ ls -1d /usr/share/locale /usr/share/man /usr/share/zoneinfo > /tmp/skip

    $ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo

  6. Create the commit with a changed timestamp and the skip list from above to allow the upgrade with a recent update file

    $ export NEWID=$(sudo ostree commit --orphan --tree=ref=$BOOTID --add-metadata-string=ostree.collection-binding=$CID --bind-ref=$REF --timestamp="1 year ago" --skip-list=/tmp/skip); echo "New commit: $NEWID"

  7. Deploy the prepared commit

    $ sudo ostree admin upgrade --allow-downgrade --deploy-only --override-commit=$NEWID --reboot

  8. Wait until the system is booted again and check the deployment

    $ sudo ostree admin status

  9. The booted commit (marked with '*') must have the ID of the prepared commit, and the initial commit ID should be marked as '(rollback)'
  10. Check that the booted deployment has none of the file objects that were skipped

    $ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo

  11. Remove the initial deployment

    $ sudo ostree admin undeploy 1

  12. Reboot the system

    $ sudo journalctl -f --unit apertis-update-manager

  13. Plug the first USB flash drive with the non-encrypted update bundle file into the device
  14. Wait around 1 min
  15. The USB flash drive must mount correctly but must not start the update, with a trace similar to:

    Feb 14 10:12:50 apertis apertis-update-[471]: mount added : /media/USB1

  16. Remove the USB flash drive
  17. Plug the third USB flash drive with the encrypted update bundle file with unknown key into the device
  18. The USB flash drive must mount correctly but must not start the update, with a trace similar to:

    Feb 14 10:41:14 apertis apertis-update-[465]: mount added : /media/USB1

    Feb 14 10:41:15 apertis apertis-update-[465]: Unable to unlock /dev/loop0

  19. Plug the second USB flash drive with the encrypted update bundle file into the device
  20. The update starts automatically
  21. After the update, the device will reboot automatically
  22. Remove the USB flash drive immediately after reboot
  23. Check that the current deployment has been updated and that the rollback entry points to the prepared deployment

    $ sudo ostree admin status
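
The two `ostree admin status` checks in the steps above (after deploying the prepared commit, and after the USB update) can be scripted instead of read by eye. The following is an added example, not part of the Apertis test case. The function names are hypothetical and the sample status output is constructed with shortened commit IDs.

```shell
#!/bin/sh
# Added example: check `ostree admin status` output against expected commit IDs.

# Commit ID of the booted deployment (line starting with '*'). Unlike the
# page's sed expression, the deploy serial may have more than one digit.
booted_commit() {
    printf '%s\n' "$1" | sed -n 's/^\* apertis \([0-9a-f]*\)\.[0-9]*$/\1/p'
}

# Commit ID of the deployment marked "(rollback)".
rollback_commit() {
    printf '%s\n' "$1" |
        sed -n 's/^ *apertis \([0-9a-f]*\)\.[0-9]* (rollback)$/\1/p'
}

# After deploying the prepared commit: booted == prepared, rollback == initial.
check_prepared() {  # usage: check_prepared "$status" "$NEWID" "$BOOTID"
    [ -n "$2" ] && [ -n "$3" ] || { echo "missing commit ID" >&2; return 1; }
    [ "$(booted_commit "$1")" = "$2" ] || { echo "booted commit is not $2" >&2; return 1; }
    [ "$(rollback_commit "$1")" = "$3" ] || { echo "rollback is not $3" >&2; return 1; }
}

# After the USB update: booted is a different commit, rollback == prepared.
check_updated() {   # usage: check_updated "$status" "$NEWID"
    b=$(booted_commit "$1")
    [ -n "$b" ] || { echo "no booted deployment found" >&2; return 1; }
    [ "$b" != "$2" ] || { echo "still booted on prepared commit $2" >&2; return 1; }
    [ "$(rollback_commit "$1")" = "$2" ] || { echo "rollback is not $2" >&2; return 1; }
}

# Constructed sample outputs (shortened IDs; real ones are 64 hex digits).
SAMPLE_PREPARED='* apertis bbbb2222.0
    origin refspec: constructed-sample
  apertis aaaa1111.0 (rollback)
    origin refspec: constructed-sample'
SAMPLE_UPDATED='* apertis cccc3333.0
    origin refspec: constructed-sample
  apertis bbbb2222.0 (rollback)
    origin refspec: constructed-sample'

check_prepared "$SAMPLE_PREPARED" bbbb2222 aaaa1111 && echo "prepared deployment OK"
check_updated "$SAMPLE_UPDATED" bbbb2222 && echo "update applied OK"
# On the device: check_updated "$(sudo ostree admin status)" "$NEWID"
```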


Expected

The update was properly applied