Safe and secure software updates for embedded Linux
Bug fixes
Testing
Contributions from: Enrico Jörns, Fabrice Fontaine, Jan Lübbe
This version introduces the new `verity` bundle format (the old format is now called `plain`). The `verity` format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860). The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see the Bundle Formats section in the docs).

As the old `plain` format does not offer protection against modification during the installation process, RAUC now takes ownership of the bundle file, removes write permissions and checks for existing open file descriptors. This is intended as a mitigation to protect against a compromised update service running as a non-root user, which would otherwise be able to modify the bundle between signature check and actual bundle installation.

See the Bundle Format Migration section for more details on how to switch to the `verity` format.
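As an added illustration of the mitigation described above for the `plain` format (Python written for this page, not RAUC's own C code): the bundle is chowned to the installing user, its write bits are dropped, and a Linux write lease (`fcntl` with `F_SETLEASE`) is requested on the very descriptor that will be used for verification and installation. The kernel grants a write lease only when no other descriptor, in any process, refers to the file, so `EAGAIN` reveals a descriptor held elsewhere and the install is refused. The outcome names, the helper functions and the temporary file used as a stand-in bundle are this example's own; treating a kernel without lease support as "cannot prove exclusivity, do not install" is this example's fail-closed choice, not something the note states.

```python
"""Lock-down of a plain-format bundle before installation (added example).

Not RAUC's code: a Python sketch of the same system calls. Outcome names,
helpers and the temporary stand-in bundle are constructed for this example.
"""
import errno
import fcntl
import os
import stat
import tempfile

EXCLUSIVE = "exclusive"      # no other descriptor refers to the bundle
BUSY = "busy"                # another descriptor is open: refuse to install
UNSUPPORTED = "unsupported"  # no usable lease support: exclusivity cannot be proven


def take_ownership_and_lock_down(path):
    """chown the bundle to ourselves (needs root unless we already own it) and
    strip all write bits, so a non-root update service can no longer open it
    for writing. Returns the resulting permission bits."""
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        os.chown(path, os.geteuid(), -1)  # a PermissionError here must abort the install
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~0o222)
    return stat.S_IMODE(os.stat(path).st_mode)


def acquire_write_lease(fd):
    """Request a write lease on fd. EAGAIN means some other descriptor is open."""
    setlease = getattr(fcntl, "F_SETLEASE", None)
    if setlease is None:  # non-Linux Python build: leases do not exist here
        return UNSUPPORTED
    try:
        fcntl.fcntl(fd, setlease, fcntl.F_WRLCK)
    except OSError as exc:
        if exc.errno == errno.EAGAIN:
            return BUSY
        # EINVAL/ENOTSUP/ENOSYS: kernel or sandbox without leases.
        # EACCES/EPERM: leases denied to us although we own the file by now.
        # Either way exclusivity cannot be proven, so the caller must fail closed.
        if exc.errno in (errno.EINVAL, errno.ENOTSUP, errno.ENOSYS,
                         errno.EACCES, errno.EPERM):
            return UNSUPPORTED
        raise
    return EXCLUSIVE


def release_lease(fd):
    """Drop the lease again (used once installation through fd is finished)."""
    fcntl.fcntl(fd, fcntl.F_SETLEASE, fcntl.F_UNLCK)


def check_bundle_exclusive(path):
    """Lock the bundle down and open it read-only for the install.

    Returns (outcome, fd). Only for EXCLUSIVE is fd left open with the lease
    held, so that signature check and installation both go through this one
    descriptor; in every other case the descriptor is closed and -1 returned.
    """
    take_ownership_and_lock_down(path)
    fd = os.open(path, os.O_RDONLY)
    outcome = acquire_write_lease(fd)
    if outcome != EXCLUSIVE:
        os.close(fd)
        return outcome, -1
    return outcome, fd


if __name__ == "__main__":
    # Constructed stand-in for a bundle: a temporary file we own.
    handle, bundle = tempfile.mkstemp(suffix=".raucb")
    os.close(handle)
    outcome, fd = check_bundle_exclusive(bundle)
    print("fresh bundle:", outcome)
    if fd >= 0:
        release_lease(fd)
        os.close(fd)
    leftover = os.open(bundle, os.O_RDONLY)  # simulates a descriptor held elsewhere
    print("with another descriptor open:", check_bundle_exclusive(bundle)[0])
    os.close(leftover)
    os.unlink(bundle)
```

Run the module directly to see a fresh file reported as exclusive and, once a second descriptor is open, as busy. Two properties of leases make this check more than a snapshot: a lease can only be requested by the file's owner (or with CAP_LEASE), which is why taking ownership comes first, and while the lease is held any later open of the file by another process is delayed by the kernel (up to the `/proc/sys/fs/lease-break-time` limit) while the holder is notified with SIGIO, so verifying and installing through the one leased descriptor leaves no unguarded window of the kind the note describes.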
- The new `verity` bundle format. See the reference for details.
- The `root=PARTLABEL=xxx` kernel command line option. (by Gaël PORTAY)
- Detection of open file descriptors on the bundle before installation (using the `F_SETLEASE` fcntl). This fixes CVE-2020-25860. See the advisory for more details: https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
The https://github.com/rauc/rauc-1.5-integration repository contains examples to simplify integrating the RAUC update into existing projects. You can subscribe to https://github.com/rauc/rauc-1.5-integration/issues/1 to receive notifications of important updates to this repository and of integration into the upstream build systems.
- `*.img` files for `boot-*` slots when used with casync. (by Martin Schwan)
Contributions from: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König
Note
Slots with both a `parent=` and a `bootname=` entry are now rejected when parsing the system configuration. While the intention was to have either a bootname or a parent link, this was not enforced in previous versions. Move the bootname to the parent slot when updating to RAUC 1.4.

It is now recommended to explicitly select either the per-slot or the global status file in the system config using `statusfile=<path>` or `statusfile=per-slot`. If a central storage location is available, the global status file should be preferred.
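An added example (Python, not RAUC's own code) that checks a `system.conf` against the two points of the note above: it reports any slot carrying both `parent=` and `bootname=`, which RAUC 1.4 rejects, and warns when `[system]` has no explicit `statusfile=`. Both sample configurations are constructed for this example; the section layout (`[system]`, `[slot.<class>.<index>]`) and the `compatible=`, `bootloader=`, `device=`, `type=`, `bootname=`, `parent=` and `statusfile=` keys are RAUC's, while the extra check that a `parent=` names a defined slot is this example's own rule, not one the note states.

```python
"""Validator for the slot rules in the RAUC 1.4 note (added example, not RAUC code)."""
import configparser

# Constructed sample: slot.appfs.0 wrongly carries both parent= and bootname=,
# and [system] does not say which status file to use.
BAD_SYSTEM_CONF = """\
[system]
compatible=example-board
bootloader=barebox

[slot.rootfs.0]
device=/dev/mmcblk0p2
type=ext4
bootname=A

[slot.appfs.0]
device=/dev/mmcblk0p3
type=ext4
parent=rootfs.0
bootname=A
"""

# Corrected: the bootname lives on the parent slot only, statusfile= is explicit.
GOOD_SYSTEM_CONF = """\
[system]
compatible=example-board
bootloader=barebox
statusfile=/data/rauc.status

[slot.rootfs.0]
device=/dev/mmcblk0p2
type=ext4
bootname=A

[slot.appfs.0]
device=/dev/mmcblk0p3
type=ext4
parent=rootfs.0
"""


def load_conf(text):
    # RAUC reads system.conf with GLib's GKeyFile; configparser is close enough
    # for the key=value layout. Interpolation is off so '%' stays literal and
    # key case is kept as written, like GKeyFile does.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def slots(cp):
    """Map slot name ('rootfs.0') to its key/value pairs."""
    return {s[len("slot."):]: dict(cp[s]) for s in cp.sections() if s.startswith("slot.")}


def slot_errors(text):
    """Configuration errors: the parent+bootname rule from the note, plus this
    example's own check that a parent= refers to a defined slot."""
    defined = slots(load_conf(text))
    errors = []
    for name, keys in defined.items():
        if "parent" in keys and "bootname" in keys:
            errors.append(f"slot.{name}: has both parent= and bootname=; "
                          f"move bootname={keys['bootname']} to slot.{keys['parent']}")
        if "parent" in keys and keys["parent"] not in defined:
            errors.append(f"slot.{name}: parent={keys['parent']} is not a defined slot")
    return errors


def config_warnings(text):
    """Recommendations from the note that do not make RAUC reject the config."""
    cp = load_conf(text)
    warnings = []
    if not cp.has_option("system", "statusfile"):
        warnings.append("[system]: no statusfile= set; choose statusfile=<path> "
                        "or statusfile=per-slot explicitly")
    return warnings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_SYSTEM_CONF), ("good", GOOD_SYSTEM_CONF)):
        print(label, "errors:", slot_errors(conf))
        print(label, "warnings:", config_warnings(conf))
```

Running the module prints one error and one warning for the first sample and nothing for the second; the message for the rejected slot names the parent slot the `bootname=` should move to, which is exactly the migration step the note asks for.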
Enhancements
- New `boot-gpt-switch` slot type to support atomic updating of boot partitions in the GPT. This is useful if the firmware does not support atomic bootloader updates by itself. See here for details.
Bug fixes
Testing
Code
Documentation
Contributions from: Andreas Schmidt, Bastian Krause, Christian Bräuner Sørensen, Dan Callaghan, Enrico Jörns, Jan Lübbe, Michael Heimpold, Tobias Junghans, Uwe Kleine-König
Enhancements
- `check-crl` configuration option to require Certificate Revocation List (CRL) checking during installation. If the keyring already contains a CRL, but checking is not enabled, a warning will be printed.
- `--mksquashfs-args` option for bundle creation. This can be used to configure the details of the squashfs compression. (by Louis des Landes)
- `--casync-args` option for the `rauc convert` command. This can be used to configure the details of the casync conversion. (by Christopher Obbard)
- `--no-verify` with `rauc resign`. This can be useful for resigning of bundles signed with expired certificates.
- `RAUC_BUNDLE_MOUNT_POINT` environment variable to hook scripts. This also deprecates the old name `RAUC_UPDATE_SOURCE` for this value in handler scripts. (by Rasmus Villemoes)
- Reduced size of the `rauc` binary. This was done by using `--gc-sections` and adding a configure switch to disable the `bundle`, `resign` and `convert` commands. (by Rasmus Villemoes)
- `rauc.external`: useful for using RAUC in a factory installer. (by Marco Felsch)
- `rauc status` output.
Bug fixes
- `rauc-ERROR **: Not enough substeps: check_bundle` abort. (by Rouven Czerwinski)
Testing
Code
- `-Werror` and `-O0` when building from a git repository. This caused confusion in several cases.
Documentation
Contributions from: Arnaud Rebillout, Christopher Obbard, Enrico Jörns, Jan Kundrát, Jan Lübbe, Louis des Landes, Marco Felsch, Martin Hundebøll, Michael Heimpold, Michael Tretter, Rasmus Villemoes, Rouven Czerwinski, Trent Piepho, Ulrich Ölmann
Enhancements
- `--signing-keyring` argument to specify a distinct keyring for post-signing verification. This allows, for example, to use `rauc resign` with certs not verifying against the original keyring.
- `--progress` argument to `rauc install` that enables a basic text progress bar instead of the default line-by-line log.
- `tmppath` to casync system config options to allow setting TMPDIR for casync. (by Gaël PORTAY)
- New `boot-mbr-switch` slot type to support atomic updating of boot partitions in the MBR. (by Thomas Hämmerle) See here for details.
Bug fixes
Testing
Code
Documentation
- `/dev/data` symlink to mount the right data partition in dual data partition setups. (by Fabian Knapp)
Contributions from: Bastian Krause, Ellie Reeves, Enrico Jörns, Fabian Knapp, Gaël PORTAY, Jan Lübbe, Leif Middelschulte, Michael Heimpold, Stephan Michaelsen, Thomas Hämmerle, Thorsten Scherer, Tobias Junghans, Uwe Kleine-König
Enhancements
- `Booted from` line of `rauc status` to simplify identification
- `resize` option for ext4 slots to let RAUC run resize2fs on an ext4 slot after copying the image.
- `--dump-cert` without verification
- `efi-use-bootnext` (only valid when bootloader is 'efi') to disable usage of BootNext for marking slots primary.
- `system-info` handler via `RAUC_SYSTEM_VARIANT`
Bug fixes
- `mark-*` subcommands
Testing
Code
- `git-version-gen` upstream version
- `rauc-service.sh` (by Angus Lees)
- `resolve_path()`
- `if` and `(` via uncrustify
Documentation
Contributions from: Angus Lees, Arnaud Rebillout, Beralt Meppelink, Enrico Jörns, Evan Edstrom, Ian Abbott, Jan Lübbe, Michael Heimpold, Rasmus Villemoes, Ulrich Ölmann, Vitaly Ogoltsov
Enhancements
Bug fixes
Testing
Documentation
Contributions from: Ahmad Fatoum, Enrico Jörns, Jan Lübbe, Matthias Bolte
Enhancements
- `extra-mount-opts` argument to slot config to allow passing custom options to mount calls (such as user_xattr or seclabel)
- `readonly` slots that are part of the slot description but should never be written by RAUC
- `use-bundle-signing-time` to use signing time for verification instead of the current time
- `max-bundle-download-size` config setting (by Michael Heimpold)
- `force-install-same` flag to `ignore-checksum` (old remains valid of course) (by Jan Remmet)
- `.raucb` file extension, although it is still recommended
- `*.squashfs` to `raw` slot handling (by Emmanuel Roullit)
- `*.img` files can now be installed to `ext4`, `ubifs` or `vfat` slots (by Michael Heimpold)
- `rauc status` command line call now only uses the D-Bus API (when enabled) to obtain status information instead of loading configuration and performing operations itself. This finalizes the clear separation between client and service and also allows calling the command line client without requiring any configuration.
- `rauc-subprocess` log domain for printing RAUC subprocess invocations. This can be activated by setting the environment variable `G_MESSAGES_DEBUG=rauc-subprocess`. See the debugging RAUC section for details.
- `BOOT_ORDER` when marking it bad
Bug fixes
- `fsync()` when writing raw images to assure content is fully written to disk before exiting (by Jim Brennan)
- `mark_active()`
- `root=` command line parameter
- `CONFIG_FEATURE_TAR_LONG_OPTIONS` when using busybox tar.
- `O_EXCL` to ensure exclusive access
- `file://` URIs
Testing
- `g_critical()` to detect issues early
- `rauc convert` (casync) testing
Code
Documentation
Contributions from: Alexander Dahl, Arnaud Rebillout, Bastian Stender, Emmanuel Roullit, Enrico Jörns, Jan Lübbe, Jan Remmet, Jim Brennan, Marcel Hamer, Michael Heimpold, Philip Downer, Philipp Zabel, Rasmus Villemoes, Thomas Petazzoni, Timothy Lee, Ulrich Ölmann, Vyacheslav Yurkov, Yann E. MORIN
Enhancements
- `barebox-statename` key to `[system]` section of system.conf in order to allow using non-default names for barebox state
- New `boot-emmc` slot type, which will tell RAUC to handle bootloader updates on eMMC by using the `mmcblkXboot0/-boot1` partitions and the EXT_CSD registers for alternating updates.
- `*.vfat` images to vfat slots
- `rauc convert` command to convert conventional bundles to casync bundle and chunk store.
- `.caibx` and `.caidx` suffix image types in bundle
- `--detailed` argument to `rauc status` to obtain newly added slot status information
- `GetSlotStatus` to obtain collected status of all slots
- `statusfile` key in `[system]` section of `system.conf`.
- `write-slot` command to write images directly to defined slots (for use during development)
Bug fixes
Testing
Code
Documentation
Enhancements
- `rauc status`
- `rauc extract` command to extract bundles
- `UUID=` and `PARTUUID=` kernel options.
Bug fixes
- `root=<symlink>` boot parameters (such as `root=/dev/disk/by-path/pci-0000:00:17.0-ata-1-part1`)
Testing
Documentation