Skip to content
This repository has been archived by the owner on May 21, 2024. It is now read-only.

OTA-2613 Clean up "aktualizr/docs/ " folder #1208

Merged
merged 1 commit into from
May 23, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 5 additions & 8 deletions docs/README.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -2,23 +2,21 @@

This directory contains developer-focused documentation on various specialized aktualizr topics.

link:./automatic-provisioning.adoc[automatic-provisioning.adoc] - Describes how aktualizr handles automatic provisioning.
link:./client-provisioning-methods.adoc[client-provisioning-methods.adoc] - Describes how aktualizr handles provisioning with either shared credentials or device credentials.

link:./configuration.adoc[configuration.adoc] - A reference for aktualizr's TOML config files.

link:./credentials.adoc[credentials.adoc] - An explanation of the format of credentials.zip, a bundle generated by HERE OTA Connect/OTA Community Edition containing necessary credentials and config for aktualizr and meta-updater.
link:./provisioning-methods-and-credentialszip.adoc[provisioning-methods-and-credentialszip.adoc] - An explanation of the format of credentials.zip, a bundle generated by HERE OTA Connect/OTA Community Edition containing necessary credentials and config for aktualizr and meta-updater.
merltron marked this conversation as resolved.
Show resolved Hide resolved

link:./deb-package-install.adoc[deb-package-install.adoc] - The https://github.com/advancedtelematic/aktualizr/releases[releases] page includes a .deb package for aktualizr. This isn't likely useful for most production use cases, but it can be handy for testing. This document guides you through how to use the .deb.

link:./debugging-tips.adoc[debugging-tips.adoc] - Useful debugging info, mostly targeted at people contributing to the development of aktualizr.

link:./fault-injection.adoc[fault-injection.adoc] - How to inject faults during aktualizr runs, to help test failure cases of the system.

link:./hsm-provisioning.adoc[hsm-provisioning.adoc] - An explanation of aktualizr's approach to using a hardware security module for provisioning.
link:./provision-with-device-credentials.adoc[provision-with-device-credentials.adoc] - Provisioning with device credentials is a more secure way of provisioning devices. Unlike shared-credentials provisioning, each image is required to have some credentials side-loaded that are unique to the device which receives the image. This topic also explains of aktualizr's approach to using a hardware security module for provisioning with device credentials.

link:./implicit-provisioning.adoc[implicit-provisioning.adoc] - Implicit provisioning an alternative to automatic provisioning. It's distinct from automatic provisioning in that it requires each image to have some unique credentials side-loaded.

link:./integrating-libaktualizr.adoc[integrating-libaktualizr.adoc] - How to use Aktualizr as a library ('libaktualizr') to implement custom software update clients. This can be used to integrate Aktualizr with a user interface or to deliver updates to a custom package manager.
link:./integrate-libaktualizr.adoc[integrate-libaktualizr.adoc] - How to use Aktualizr as a library ('libaktualizr') to implement custom software update clients. This can be used to integrate Aktualizr with a user interface or to deliver updates to a custom package manager.

link:./linux-secondaries.adoc[linux-secondaries.adoc] - A quick how-to demonstrating aktualizr on a secondary ECU, using two QEMU devices.

Expand All @@ -32,8 +30,7 @@ link:./selectively-triggering-aktualizr.adoc[selectively-triggering-aktualizr.ad

== Developer documentation

Additional documentation intended for developers that may need to use the libaktualizr API should refer to link:https://advancedtelematic.github.io/aktualizr/index.html[the doxygen output on github].

Additional documentation intended for developers that may need to use the libaktualizr API should refer to link:https:
[NOTE]
====
The link above is for the doxygen docs on master. Doxygen docs for the following tagged release versions are also available:
Expand Down
29 changes: 0 additions & 29 deletions docs/automatic-provisioning.adoc

This file was deleted.

39 changes: 39 additions & 0 deletions docs/client-provisioning-methods.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
// Copy of this topic: https://docs.ota.here.com/client-config/client-provisioning-methods.html adapted for aktualizr repo. Replaces duplicate "automatic-provisioning.adoc"

In OTA Connect, the provisioning process ensures that the device has a certificate and a unique identifier. After a device has been provisioned, it can receive software updates. OTA Connect supports two types of provisioning:

* *Provisioning with Shared Credentials*
+
Devices use temporary provisioning credentials to request permanent credentials from the server. You download the temporary provisioning credentials from the OTA Connect web app and install them on a device. Once the device registers with the server for the first time, the server assigns permanent credentials to the device. The device then uses these permanent credentials for all future transactions.


* *Provisioning with Device Credentials*
+
merltron marked this conversation as resolved.
Show resolved Hide resolved
Devices already have permanent credentials installed. The server doesn't issue any credentials to devices. Instead, you use a root CA certificate to sign the credentials that you install on the device. You then install the same root CA certificate on the OTA Connect server.
Every time the device attempts to connect, the server verifies that the device credentials are signed by the same CA that you originally installed on the server.

== Choosing a provisioning method

The type of provisioning that you choose depends on your requirements. If you're just testing and want to get started quickly, provisioning with shared credentials is fine. It is easier to set up but is less secure. Because the server self-signs the credentials that it issues to devices, the devices have no way of verifying the integrity of the server. This level of security is not suitable for a production environment. The device should always be able to verify that is communicating with a genuine OTA Connect server. Once you move to production, you should look at some form of provisioning that uses device certificates. For more security, use a Hardware Security Module (HSM) to store the device certificates.

=== Configure a Device to Provision with Shared Credentials

To configure a device to provision with shared credentials, follow these steps:

. Download a https://docs.ota.here.com/quickstarts/generating-provisioning-credentials.html[provisioning key].
. Edit the following `.toml` configuration file:
+
link:../config/sota_autoprov.toml[config/sota_autoprov.toml]
. Update the configuration file with the path to the zip file that you saved in the first step and start Aktualizr on the device.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't right. Editing that toml file in the aktualizr repo won't have any effect on bitbaking. meta-updater copies that file onto the device, but it takes it from whatever is in the aktualizr repo, not some locally-edited version. What you really need to do is tell meta-updater where to find your downloaded credentials by setting SOTA_PACKED_CREDENTIALS in your local.conf. If you really need to edit that file for bitbaking, there is a separate process, but I wouldn't go into that here. If you're just explaining how to run aktualizr locally, that's a separate matter, but that isn't made clear here, and you'd probably want to use a different config file to start with.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still a problem.

+
** When aktualizr starts, it uses the provisioning key to register with the device gateway HTTPS API.
** The server registers the new device and returns a PKCS#12 archive containing the real credentials for the device. This archive contains the root CA certificate and client certificate.
** The device unpacks the archive into the paths that are specified in the `[storage]` section of the config.
** The device uses this private key and certificate for all further communication with the server.

=== Configure a Device to Provision with Device Credentials

To configure a device to provision with device credentials, you need a root CA certificate obtained from a trusted certificate authority.

* If you don't have a root CA certificate yet, you can https://docs.ota.here.com/prod/generate-and-install-a-root-certificate.html[generate and install a self-signed root CA certificate] or link:./provision-with-device-credentials.adoc#simulate-device-credential-provisioning-for-testing[simulate provisioning with device credentials].
* When you're ready to move to production, follow the procedure to link:./provision-with-device-credentials.adoc#use-a-hardware-security-module-hsm-when-provisioning-with-device-credentials[use a Hardware Security Module to provision with device credentials]
139 changes: 0 additions & 139 deletions docs/credentials.adoc

This file was deleted.

95 changes: 0 additions & 95 deletions docs/hsm-provisioning.adoc

This file was deleted.

Loading