-
Notifications
You must be signed in to change notification settings - Fork 61
Fix/ota 4119/ota 4132/root verification #1501
Conversation
d15af59
to
d37167f
Compare
@@ -47,6 +47,45 @@ bool RepositoryCommon::verifyRoot(const std::string& root_raw) { | |||
|
|||
void RepositoryCommon::resetRoot() { root = Root(Root::Policy::kAcceptAll); } | |||
|
|||
bool RepositoryCommon::updateRoot(INvStorage& storage, const IMetadataFetcher& fetcher, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool, that exactly was I thought about when I saw the initial implementation - share as much code as possible between the director and imagerepo implementation.
Perhaps, it makes sense to add a reference(s) to the corresponding paragraphs of the uptane spec.
25e169e
to
f7645b1
Compare
Codecov Report
@@ Coverage Diff @@
## master #1501 +/- ##
==========================================
- Coverage 80.91% 80.72% -0.19%
==========================================
Files 184 184
Lines 11151 11141 -10
==========================================
- Hits 9023 8994 -29
- Misses 2128 2147 +19
Continue to review full report at Codecov.
|
35d4543
to
9365d07
Compare
Ready for review but depends on advancedtelematic/tuf-test-vectors#65 before merging. |
9365d07
to
06f9981
Compare
Unfortunately, we can't merge this as is because the backend apparently expects that devices fetch the unnumbered |
I vote for the temporary fix |
Done. I also realized that I forgot to amend uptane-generator to stop creating an unnumbered |
24cb71e
to
f5c0e5a
Compare
It is essentially identical for the Director and Image repos, so there is no need to duplicate the code. Signed-off-by: Patrick Vacek <[email protected]>
Do not check for an unnumbered version of the root metadata. Just check for the next available version and move on if it is not found. Signed-off-by: Patrick Vacek <[email protected]>
Previously they just threw exceptions. Signed-off-by: Patrick Vacek <[email protected]>
It appears to have been dumping an object into the storage field instead of the actual path. Also convert the import paths into absolute paths instead of local. This makes testing and debugging much easier. Signed-off-by: Patrick Vacek <[email protected]>
It now needs to respect versions. Signed-off-by: Patrick Vacek <[email protected]>
aktualizr no longer tries an unnumbered version. Signed-off-by: Patrick Vacek <[email protected]>
New tests should cover the root version checking. Signed-off-by: Patrick Vacek <[email protected]>
This is a hack, but currently the backend expects that the unnumbered root.json is fetched once. Otherwise a device is not considered "online". Once that requirement is lifted, this commit should be reverted. Also at that time, uptane-generator should be amended to stop creating an unnumbered root.json. Signed-off-by: Patrick Vacek <[email protected]>
Signed-off-by: Patrick Vacek <[email protected]>
Signed-off-by: Patrick Vacek <[email protected]>
f5c0e5a
to
0419df6
Compare
// If not, then we have to go fetch the missing ones by name/number until we catch up. | ||
|
||
// 5.4.4.3.2. Update to the latest Root metadata file. | ||
for (int version = rootVersion() + 1;; ++version) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this loop be upper-bounded? It seems a bit dangerous to never stop here if the server keeps supplying valid metadata.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a really good point. Yes, it probably should be, but what's reasonable? 100? We should probably bring this up directly with the Uptane group. Or do you have an opinion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds like another limit implementations should enforce, like the size of downloaded metadata artifacts.
I am thinking if we should have a limit for version jumps during an update or just a global upper bound (which we need anyway since we're using json integers and an int
in this code).
The "jump" limit might complicate diagnostic of accidental trigger, since it would only affect a fraction of the devices.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds like another limit implementations should enforce, like the size of downloaded metadata artifacts.
Could be, yes.
I am thinking if we should have a limit for version jumps during an update or just a global upper bound (which we need anyway since we're using json integers and an
int
in this code).
Global might make more sense, because if you provision a new device, it'll have to catch up the whole way to the latest anyway. But I'm also a bit concerned that it might be unexpected to have such a limit.
I think we should either leave it is or make a quick decision now, and either way make a ticket to follow up on it and in the meantime move forward with getting this merged. Do you have a preference? If we want to just make a quick decision, I'd say 100 should be fine for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok I see, then 100 or 1000 would be fine for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done (with 1000 for now), and made https://saeljira.it.here.com/browse/OTA-4273 to re-evaluate again.
The idea is to try to better handle the scenario where the server keeps unceasingly providing valid metadata, which could be a sort of bizarre attack. Suggested-by: Laurent Bonnans <[email protected]> Signed-off-by: Patrick Vacek <[email protected]>
No description provided.