RAUC v1.5 Released

Jan Lübbe, Enrico Jörns | | RAUC
Download

Download v1.5 release of RAUC

This release fixes a vulnerability in RAUC that can be exploited under certain circumstances to achieve a local privilege escalation. It provides both a mitigation for the vulnerability when using the existing bundle format as well as a new bundle format that uses dm-verity to continuously authenticate the update data while it is installed.

In summary, the vulnerability is that during installation, the RAUC bundle signature is checked first and then the payload data is used for the installation. If an attacker is able to change or replace the bundle file between the signature check and the actual installation, he can inject his own data.

The vulnerability is tracked as CVE-2020-25860. Please read our security advisory, which contains the background information necessary to evaluate whether your system is affected or not.

Security Fix

To protect against attempts to modify or replace the bundle during installation, RAUC 1.5 takes ownership of bundle files if they are not owned by root and removes write permissions. RAUC then checks that no writable file descriptors are open for the bundle file (using the F_SETLEASE fcntl) and performs all further installation steps using the single file descriptor. This protects against file replacement and concurrent writes to the open bundle.
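The lock-down sequence described above, as an added C sketch that is not RAUC's own code. The function name `open_bundle_exclusive` is hypothetical, and the ownership change is attempted only when the process runs as root.

```c
#define _GNU_SOURCE /* F_SETLEASE is Linux-specific */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not RAUC's code: returns a read-only fd for the
 * bundle after locking the file down, or -1 with errno set. */
int open_bundle_exclusive(const char *path)
{
    struct stat st;
    int saved, fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto fail;
    /* Take ownership if the file is not root's. Only root can do this, so an
     * unprivileged run (e.g. a test) leaves the owner unchanged. */
    if (st.st_uid != 0 && geteuid() == 0 && fchown(fd, 0, (gid_t)-1) < 0)
        goto fail;
    /* Drop every write bit so unprivileged users cannot open a new writer. */
    if (fchmod(fd, st.st_mode & 07555) < 0)
        goto fail;
    /* A read lease is refused (EAGAIN) while any process has the file open
     * for writing, so a granted lease proves no writable fd exists. */
    if (fcntl(fd, F_SETLEASE, F_RDLCK) < 0)
        goto fail;
    /* The check is done; release the lease so no SIGIO is sent to us later. */
    if (fcntl(fd, F_SETLEASE, F_UNLCK) < 0)
        goto fail;
    return fd; /* verify the signature and install through this fd only */
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    int fd = argc == 2 ? open_bundle_exclusive(argv[1]) : -1;
    if (fd < 0) {
        fprintf(stderr, "bundle rejected (usage: %s BUNDLE)\n", argv[0]);
        return 1;
    }
    puts("bundle locked down; verify and install from this fd only");
    return close(fd) != 0;
}
```

Because the signature check and every later read go through the returned descriptor, replacing the path with another file afterwards has no effect on what gets installed.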

Integration

The rauc/rauc-1.5-integration repository contains examples to simplify integrating the RAUC update into existing projects. You can subscribe to this issue to receive notifications of important updates to this repository and of integration into the upstream build systems.

New Bundle Format

This version introduces the new verity bundle format (the old format is now called plain). The verity format was added to prepare for future use cases (such as network streaming and encryption), for better parallelization of installation with hash verification and to detect modification of the bundle during installation (CVE-2020-25860). The bundle format is detected when reading a bundle and checked against the set of allowed formats configured in the system.conf (see here).

See here for more details on how to switch to the verity format.

Other Enhancements

  • Support resolving the root=PARTLABEL=xxx kernel command line option. (by Gaël PORTAY)
  • Disable the unnecessary SMIMECapabilities information in the bundle signature, saving ~100 bytes.
  • Remove redundant checksum verification for source images during installation. The RAUC bundle is already verified at this point, so there is no need to verify the checksum of each file individually. (by Bastian Krause)

Bug fixes

  • Fix install handler selection for *.img files for boot-* slots when used with casync. (by Martin Schwan)
  • Fix checking for unknown keys in the slot configuration.
  • Fix some corner cases related to stopping the D-Bus daemon.
  • Propagate error if unable to save manifest. (by Stefan Wahren)
  • Apply --handler-args only during installation (and not during bundle creation).

Changes

Code

  • Remove unused code for signed manifests (outside of a bundle).
  • Add G_GNUC_WARN_UNUSED_RESULT to many functions to let the compiler verify that the caller uses the function's return value (and thus checks for errors).

Documentation

Besides some smaller typo and error fixes, mainly the U-Boot integration documentation related to scripting and (fail-safe) environment storage was extended and clarified.

Again, thanks to all contributors since v1.4: Bastian Krause, Christoph Steiger, Christopher Obbard, Enrico Jörns, Gaël PORTAY, Jan Lübbe, Martin Schwan, Michael Heimpold, Stefan Wahren, Uwe Kleine-König

