aktualizr/2020.7/aktualizr__secondary_8cc_source.html

 #include "aktualizr_secondary.h"

 #include "crypto/keymanager.h"
 #include "logging/logging.h"
 #include "update_agent.h"
 #include "uptane/manifest.h"
 #include "utilities/utils.h"

 #include <sys/types.h>
 #include <memory>

 AktualizrSecondary::AktualizrSecondary(AktualizrSecondaryConfig config, std::shared_ptr<INvStorage> storage,
                                        std::shared_ptr<KeyManager> key_mngr, std::shared_ptr<UpdateAgent> update_agent)
     : config_(std::move(config)),
       storage_(std::move(storage)),
       keys_(std::move(key_mngr)),
       update_agent_(std::move(update_agent)),
       dispatcher_(*this) {
   uptaneInitialize();
   manifest_issuer_ = std::make_shared<Uptane::ManifestIssuer>(keys_, ecu_serial_);
   initPendingTargetIfAny();

   if (hasPendingUpdate()) {
     LOG_INFO << "Found a pending target to be applied.";
     // TODO(OTA-4545): refactor this to make it simpler as we don't need to persist/store
     // an installation status of each ECU but store it just for a given secondary ECU
     std::vector<Uptane::Target> installed_versions;
     boost::optional<Uptane::Target> pending_target;
     storage_->loadInstalledVersions(ecu_serial_.ToString(), nullptr, &pending_target);

     if (!!pending_target) {
       data::InstallationResult install_res =
           data::InstallationResult(data::ResultCode::Numeric::kUnknown, "Unknown installation error");
       LOG_INFO << "Pending update found; attempting to apply it. Target hash: " << pending_target->sha256Hash();

       install_res = update_agent_->applyPendingInstall(*pending_target);

       if (install_res.result_code != data::ResultCode::Numeric::kNeedCompletion) {
         storage_->saveEcuInstallationResult(ecu_serial_, install_res);

         if (install_res.success) {
           LOG_INFO << "Pending update has been successfully applied: " << pending_target->sha256Hash();
           storage_->saveInstalledVersion(ecu_serial_.ToString(), *pending_target, InstalledVersionUpdateMode::kCurrent);
         } else {
           LOG_ERROR << "Application of the pending update has failed: (" << install_res.result_code.toString() << ")"
                     << install_res.description;
           storage_->saveInstalledVersion(ecu_serial_.ToString(), *pending_target, InstalledVersionUpdateMode::kNone);
         }

         director_repo_.dropTargets(*storage_);
       } else {
         LOG_INFO << "Pending update hasn't been applied because a reboot hasn't been detected";
       }
     }
   }
 }

 Uptane::EcuSerial AktualizrSecondary::getSerial() const { return ecu_serial_; }

 Uptane::HardwareIdentifier AktualizrSecondary::getHwId() const { return hardware_id_; }

 PublicKey AktualizrSecondary::getPublicKey() const { return keys_->UptanePublicKey(); }

 std::tuple<Uptane::EcuSerial, Uptane::HardwareIdentifier, PublicKey> AktualizrSecondary::getInfo() const {
   return std::tuple<Uptane::EcuSerial, Uptane::HardwareIdentifier, PublicKey>{getSerial(), getHwId(), getPublicKey()};
 }

 Uptane::Manifest AktualizrSecondary::getManifest() const {
   Uptane::InstalledImageInfo installed_image_info;
   Uptane::Manifest manifest;
   if (update_agent_->getInstalledImageInfo(installed_image_info)) {
     manifest = manifest_issuer_->assembleAndSignManifest(installed_image_info);
   }

   return manifest;
 }

 bool AktualizrSecondary::putMetadata(const Metadata& metadata) { return doFullVerification(metadata); }

 bool AktualizrSecondary::sendFirmware(const std::string& firmware) {
   if (!pending_target_.IsValid()) {
     LOG_ERROR << "Aborting image download/receiving; no valid target found.";
     return false;
   }

   if (!update_agent_->download(pending_target_, firmware)) {
     LOG_ERROR << "Failed to pull/store an update data";
     pending_target_ = Uptane::Target::Unknown();
     return false;
   }

   LOG_INFO << "Download firmware " << pending_target_.filename() << " successful.";
   return true;
 }

 data::ResultCode::Numeric AktualizrSecondary::install(const std::string& target_name) {
   if (!pending_target_.IsValid()) {
     LOG_ERROR << "Aborting target image installation; no valid target found.";
     return data::ResultCode::Numeric::kInternalError;
   }

   if (pending_target_.filename() != target_name) {
     LOG_ERROR << "name of the target to install and a name of the pending target do not match";
     return data::ResultCode::Numeric::kInternalError;
   }

   auto install_result = update_agent_->install(pending_target_);

   switch (install_result) {
     case data::ResultCode::Numeric::kOk: {
       storage_->saveInstalledVersion(ecu_serial_.ToString(), pending_target_, InstalledVersionUpdateMode::kCurrent);
       pending_target_ = Uptane::Target::Unknown();
       LOG_INFO << "The target has been successfully installed: " << target_name;
       break;
     }
     case data::ResultCode::Numeric::kNeedCompletion: {
       storage_->saveInstalledVersion(ecu_serial_.ToString(), pending_target_, InstalledVersionUpdateMode::kPending);
       LOG_INFO << "The target has been successfully installed, but a reboot is required to be applied: " << target_name;
       break;
     }
     default: {
       LOG_INFO << "Failed to install the target: " << target_name;
     }
   }

   return install_result;
 }

 void AktualizrSecondary::completeInstall() { update_agent_->completeInstall(); }

 bool AktualizrSecondary::doFullVerification(const Metadata& metadata) {
   // 5.4.4.2. Full verification  https://uptane.github.io/uptane-standard/uptane-standard.html#metadata_verification

   // 1. Load and verify the current time or the most recent securely attested time.
   //
   //    We trust the time that the given system/OS/ECU provides, In ECU We Trust :)
   TimeStamp now(TimeStamp::Now());

   // 2. Download and check the Root metadata file from the Director repository, following the procedure in
   // Section 5.4.4.3. DirectorRepository::updateMeta() method implements this verification step, certain steps are
   // missing though. see the method source code for details

   // 3. NOT SUPPORTED: Download and check the Timestamp metadata file from the Director repository, following the
   // procedure in Section 5.4.4.4.
   // 4. NOT SUPPORTED: Download and check the Snapshot metadata file from the Director repository, following the
   // procedure in Section 5.4.4.5.
   //
   // 5. Download and check the Targets metadata file from the Director repository, following the procedure in
   // Section 5.4.4.6. DirectorRepository::updateMeta() method implements this verification step
   //
   // The following steps of the Director's Targets metadata verification are missing in DirectorRepository::updateMeta()
   //  6. If checking Targets metadata from the Director repository, verify that there are no delegations.
   //  7. If checking Targets metadata from the Director repository, check that no ECU identifier is represented more
   //  than once.
   try {
     director_repo_.updateMeta(*storage_, metadata);
   } catch (const std::exception& e) {
     LOG_ERROR << "Failed to update Director metadata: " << e.what();
     return false;
   }

   // 6. Download and check the Root metadata file from the Image repository, following the procedure in Section 5.4.4.3.
   // 7. Download and check the Timestamp metadata file from the Image repository, following the procedure in
   // Section 5.4.4.4.
   // 8. Download and check the Snapshot metadata file from the Image repository, following the procedure in
   // Section 5.4.4.5.
   // 9. Download and check the top-level Targets metadata file from the Image repository, following the procedure in
   // Section 5.4.4.6.
   try {
     image_repo_.updateMeta(*storage_, metadata);
   } catch (const std::exception& e) {
     LOG_ERROR << "Failed to update Image repo metadata: " << e.what();
     return false;
   }

   // 10. Verify that Targets metadata from the Director and Image repositories match.
   if (!director_repo_.matchTargetsWithImageTargets(*(image_repo_.getTargets()))) {
     LOG_ERROR << "Targets metadata from the Director and Image repositories DOES NOT match ";
     return false;
   }

   auto targetsForThisEcu = director_repo_.getTargets(getSerial(), getHwId());

   if (targetsForThisEcu.size() != 1) {
     LOG_ERROR << "Invalid number of targets (should be 1): " << targetsForThisEcu.size();
     return false;
   }

   if (!update_agent_->isTargetSupported(targetsForThisEcu[0])) {
     LOG_ERROR << "The given target type is not supported: " << targetsForThisEcu[0].type();
     return false;
   }

   pending_target_ = targetsForThisEcu[0];

   LOG_DEBUG << "Metadata verified, new update found.";
   return true;
 }

 void AktualizrSecondary::uptaneInitialize() {
   if (keys_->generateUptaneKeyPair().size() == 0) {
     throw std::runtime_error("Failed to generate uptane key pair");
   }

   // from uptane/initialize.cc but we only take care of our own serial/hwid
   EcuSerials ecu_serials;

   if (storage_->loadEcuSerials(&ecu_serials)) {
     ecu_serial_ = ecu_serials[0].first;
     hardware_id_ = ecu_serials[0].second;
     return;
   }

   std::string ecu_serial_local = config_.uptane.ecu_serial;
   if (ecu_serial_local.empty()) {
     ecu_serial_local = keys_->UptanePublicKey().KeyId();
   }

   std::string ecu_hardware_id = config_.uptane.ecu_hardware_id;
   if (ecu_hardware_id.empty()) {
     ecu_hardware_id = Utils::getHostname();
     if (ecu_hardware_id == "") {
       throw std::runtime_error("Failed to define ECU hardware ID");
     }
   }

   ecu_serials.emplace_back(Uptane::EcuSerial(ecu_serial_local), Uptane::HardwareIdentifier(ecu_hardware_id));
   storage_->storeEcuSerials(ecu_serials);
   ecu_serial_ = ecu_serials[0].first;
   hardware_id_ = ecu_serials[0].second;

   // this is a way to find out and store a value of the target name that is installed
   // at the initial/provisioning stage and included into a device manifest
   // i.e. 'filepath' field or ["signed"]["installed_image"]["filepath"]
   // this value must match the value pushed to the backend during the bitbaking process,
   // specifically, at its OSTree push phase and is equal to
   // GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}" which in turn is equal to OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
   // therefore, by default GARAGE_TARGET_NAME == OSTREE_BRANCHNAME == SOTA_HARDWARE_ID
   // If there is no match then the backend/UI will not render/highlight currently installed version at all/correctly
   storage_->importInstalledVersions(config_.import.base_path);
 }

 void AktualizrSecondary::initPendingTargetIfAny() {
   try {
     director_repo_.checkMetaOffline(*storage_);
   } catch (const std::exception& e) {
     LOG_INFO << "No valid metadata found in storage.";
     return;
   }

   auto targetsForThisEcu = director_repo_.getTargets(ecu_serial_, hardware_id_);

   if (targetsForThisEcu.size() != 1) {
     LOG_ERROR << "Invalid number of targets (should be 1): " << targetsForThisEcu.size();
     return;
   }

   if (!update_agent_->isTargetSupported(targetsForThisEcu[0])) {
     LOG_ERROR << "The given target type is not supported: " << targetsForThisEcu[0].type();
     return;
   }

   pending_target_ = targetsForThisEcu[0];
 }
AktualizrSecondaryConfig
Definition: aktualizr_secondary_config.h:40

Uptane::Manifest
Definition: manifest.h:15

std
STL namespace.

data::ResultCode::Numeric
Numeric
Definition: types.h:128

Uptane::InstalledImageInfo
Definition: tuf.h:135

data::InstallationResult
Definition: types.h:182

Uptane::EcuSerial
Definition: tuf.h:177

Metadata
Definition: aktualizr_secondary_metadata.h:8

Uptane::HardwareIdentifier
Definition: tuf.h:146

data::ResultCode::Numeric::kInternalError
SWM Internal integrity error.

TimeStamp
Definition: types.h:86

PublicKey
Definition: crypto.h:26