bartoszek/zephyr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5bda586c64
zephyr/subsys/mgmt/updatehub/Kconfig
Gerson Fernando Budke d18f12de23 mgmt: updatehub: Enable flash sha verification 
Currently updatehub trust on MCUboot to test a new image. The process
is executed on next boot after a validate the downloaded image.  To
have a more reliable system, is recommended run the SHA-256 algorithm
to attest that firmware was properly stored on the flash memory.  This
implements the use of flash_img_check to achieve that, and as a
consequence, add a new level of trust that avoids an useless reboot
on the system.

Updatehub uses two SHA-256 verification.  One is used to check the
data stream at download.  The second one, realise the verification
reading from flash.  Users have the possibility to chose only one
option or keep both verifications.  However, it is adviced keep
always both verifications enabled to get consistent reports on
back end.

Signed-off-by: Gerson Fernando Budke <gerson.budke@ossystems.com.br>
2020-09-04 17:32:29 +02:00

166 lines
4.6 KiB
Plaintext
Raw Blame History

# Copyright (c) 2018-2020 O.S.Systems
# SPDX -License-Identifier: Apache-2.0
menuconfig UPDATEHUB
bool"UpdateHub Firmware Over-the-Air support"
select FLASH
select REBOOT
select IMG_MANAGER
select IMG_ENABLE_IMAGE_CHECK
select BOOTLOADER_MCUBOOT
select MPU_ALLOW_FLASH_WRITE
select NETWORKING
select REQUIRES_FULL_LIBC
select NET_UDP
select NET_SOCKETS
select NET_SOCKETS_POSIX_NAMES
select COAP
select NET_CONFIG_SETTINGS
select DNS_RESOLVER
select JSON_LIBRARY
select TINYCRYPT
select TINYCRYPT_SHA256
select HWINFO
help
UpdateHub is an enterprise-grade solution which makes simple to
remotely update all your embedded devices in the field. It
handles all aspects related to sending Firmware Over-the-Air
(FOTA) updates with maximum security and efficiency, while you
focus in adding value to your product.
config UPDATEHUB_POLL_INTERVAL
int "Time to poll interval (in minutes)"
default 1440
range 0 43200
depends on UPDATEHUB
help
Set the interval that the UpdateHub update server will be polled.
This time interval is zero and 43200 minutes(30 days).
config UPDATEHUB_PRODUCT_UID
string "Product Unique Identifier (UID)"
depends on UPDATEHUB
help
The product unique identifier is used when communicating
with the UpdateHub server.
config UPDATEHUB_SUPPORTED_HARDWARE_MAX
int "Max number of supported hardware"
default 1
range 1 100
depends on UPDATEHUB
help
Configure the max number of supported hardware
by the same image.
config UPDATEHUB_CE
bool "Use UpdateHub Community Edition Sever"
depends on UPDATEHUB
help
Allow the use of UpdateHub Community
Server (updatehub-ce) as alternative to the
updatehub.io enterprise server.
config UPDATEHUB_SERVER
string "User address for the updatehub-ce-server"
depends on UPDATEHUB_CE
help
This configuration is default, if need to use
other address, must be set on the UpdateHub shell
config UPDATEHUB_SHELL
bool "Enable UpdateHub shell utilities"
depends on UPDATEHUB
depends on SHELL
select KERNEL_SHELL
help
Activate shell module that provides UpdateHub commands like
config UPDATEHUB_DTLS
bool"Activate communication CoAPS/DTLS"
depends on UPDATEHUB
select MBEDTLS
select MBEDTLS_ENABLE_HEAP
select NET_SOCKETS_SOCKOPT_TLS
select NET_SOCKETS_ENABLE_DTLS
help
Enables DTLS communication between the UpdateHub
client and the server
config UPDATEHUB_COAP_CONN_TIMEOUT
int "CoAP connection timeout in seconds"
default 10
range 1 360
depends on UPDATEHUB
help
Set the CoAP connection timeout value.
config UPDATEHUB_COAP_MAX_RETRY
int "Maximum retries attempts to download a packet"
default 10
range 3 10
depends on UPDATEHUB
help
Set the maximum number of retries attempts to download a packet
before abort a current update.
config UPDATEHUB_COAP_BLOCK_SIZE_EXP
int "Max CoAP block size defined as 2^(4 + EXP)"
default 6
range 0 6
depends on UPDATEHUB
help
Configure the max size of a data payload were value:
0 - COAP_BLOCK_16
1 - COAP_BLOCK_32
2 - COAP_BLOCK_64
3 - COAP_BLOCK_128
4 - COAP_BLOCK_256
5 - COAP_BLOCK_512
6 - COAP_BLOCK_1024
This value is mapped directly to enum coap_block_size.
choice
prompt "Firmware verification"
depends on UPDATEHUB
default UPDATEHUB_DOWNLOAD_STORAGE_SHA256_VERIFICATION
config UPDATEHUB_DOWNLOAD_SHA256_VERIFICATION
bool "SHA-256 on download"
help
Enables SHA-256 verification of data stream while downloading.
Notice that it does not check whether the image written to a
storage is still valid, it only confirms that what has been
downloaded matches the server side SHA.
To check if the data written to permanent storage matches the SHA
simultaneously, enable "Both download and flash verifications"
option.
config UPDATEHUB_STORAGE_SHA256_VERIFICATION
bool "SHA-256 from flash"
help
Enables SHA-256 verification of stored data stream. When this
option is enabled, the data stream will be read back from the
storage and verified with SHA to make sure that it has been
correctly written.
To check if the download data stream matches the SHA simultaneously,
enable "Both download and flash verifications" option.
config UPDATEHUB_DOWNLOAD_STORAGE_SHA256_VERIFICATION
bool "SHA-256 from both download and flash"
help
Enables SHA-256 verification on both data stream while downloading
and stored data stream on flash.
It is advised to leave this option enabled.
endchoice
module = UPDATEHUB
module-str = Log level for UpdateHub
module-help = Enables logging for UpdateHub code.
source "subsys/logging/Kconfig.template.log_config"
Reference in New Issue View Git Blame Copy Permalink