One of the first big decisions we had to make for the Linux microPlatform was our Over-The-Air Update (OTA) strategy. This decision required a lot of time, meetings, beer, and coffee. This article is the first of a small series explaining our recommended approach to OTA for the LMP. This article explains how and why we ultimately chose OTA Connect and its open source deployment project OTA Community Edition.
Everyone had thoughts on what they wanted from an OTA system. This was no surprise, as most of us have backgrounds in traditional embedded Linux, Android, and Linux distros. We also firmly believe in using open source software that's secure by design. With all that in mind, we established a list of things we wanted in an OTA solution.
Self-Hosted and Open Source
Foundries.io believes in providing open source software with no vendor lock-in. We also hope to help contribute to and grow a healthy community working on an OTA solution.
OSTree can be thought of as Git for system images. An OSTree client can "pull" down a specific image from an OSTree server by telling it which SHA it wants. Each update to a system will have a new SHA and the "pull" operation will only pull down a delta between the two images. The project has nice comparison to other projects that describes the pros and cons of the OSTree approach.
If you think of OSTree as a repository hosting a bunch of images that can be downloaded, The Update Framework(TUF) is a cryptographically sound way of describing what images are valid for a device. It's in use by several high profile projects to achieve similar goals. A great feature of TUF is its belief that a private key will eventually get compromised, but that recovery is possible because of their multi-level key management strategy where signing keys are kept offline and can be rotated.
Uptane goes a step beyond TUF to provide a really secure update system that's trusted by the automobile industry. With OSTree and TUF providing and describing what can be installed, Uptane has the ability for an operator to tell a device what it should have installed.
We found a project called Aktualizr that is basically an open source implementation of an OSTree and Uptane daemon for a managed device. The maintainers of the project are responsive. They've taken trivial patches from us when we were strangers, helped guide us through adding more complex functionality, and are open to new feature requests. They've also been patient and helpful working through difficult bugs.
The company behind Aktualizr also makes an open source project out of their commercial OTA Connect offering called OTA Community Edition. There's nothing technically binding Aktualizr to this service. However, it's the only integrated solution that handles OSTree and Uptane we've found.
In following articles, we'll delve into what OTA Connect is and how to deploy it.