RAUC v1.5 Released
This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.
In summary, the vulnerability is that the during installation, the RAUC bundle signature is checked first and then the payload data is used for the installation. If an attacker is able to change or replace the bundle file between the signature check and the actual installation, he can inject his own data.
To protect against attempts to modify or replace the bundle during installation, RAUC 1.5 takes ownership of bundle files if they are not owned by root and removes write permissions. RAUC then checks that no writable file descriptors are open for the bundle file (using the F_SETLEASE fcntl) and performs all further installation steps using the single file descriptor. This protects against file replacement and concurrent writes to the open bundle.
New Bundle Format
This version introduces the new verity bundle format (the old format is now called plain). The verity format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860). The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see here).
See here for more details on how to switch to the verity format.
- Support resolving the root=PARTLABEL=xxx kernel command line option. (by Gaël PORTAY)
- Disable the unnecessary SMIMECapabilities information in the bundle signature, saving ~100 bytes.
- Remove redundant checksum verification for source images during installation. The RAUC bundle is already verified at this point, so there is no need to verify the checksum of each file individually. (by Bastian Krause)
- Fix install handler selection for *.img files for boot-* slots when used with casync. (by Martin Schwan)
- Fix checking for unknown keys in the slot configuration.
- Fix some corner cases related to stopping the D-Bus daemon.
- Propagate error if unable to save manifest. (by Stefan Wahren)
- Apply --handler-args only during installation (and not during bundle creation).
- Remove unused code for signed manifests (outside of a bundle).
- Add G_GNUC_WARN_UNUSED_RESULT to many functions to let the compiler verify that the caller uses the functions return value (and thus checks for errors).
Again, thanks to all contributors since v1.4: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König
In its current master branch, RAUC now supports encrypted Bundles. This tutorial will introduce you to the basics of using encryption in RAUC and show how to use it in a simplified Yocto setup with the meta-rauc Layer.