Problem solved: Secure offline updates for embedded Linux devices
Torizon makes offline updates of embedded devices simple, safe, and reliable. In part two of our blog series on secure offline updates, we explore why it matters and how it works.
These days, embedded devices silently impact almost every aspect of our lives, deployed inside our critical infrastructure, factory machinery, medical devices, and even homes. As a result, software updates have become more critical than ever to ensure their uninterrupted operation and protect them against malicious actors. They also offer device makers new opportunities to speed up innovation and enable new business models.
Across applications, over-the-air updates are increasingly becoming the norm. Still, many legacy devices require updates that can only be performed on-site. As we saw in part one of our blog series on secure offline updates, most common offline update systems used today have critical weaknesses. Lacking a straightforward way to get the job done, product manufacturers are often forced to prioritize speed over security. The consequences can range from bricked devices causing costly production line interruptions to catastrophic system outages instigated by cybercriminals.
Torizon, our easy-to-use industrial Linux platform, finally offers product manufacturers a straightforward and low-risk way to develop, package, and deploy offline software updates while maintaining high security. This blog explores some of the key benefits that it provides.
Torizon’s secure offline update service for embedded Linux devices was developed from the ground up to de-risk software updates and make them hassle-free. The service lets users configure their update via a web UI and store everything required for the software update on a USB stick, an SD card, or a network-connected storage device. They can then execute the update by inserting the storage medium into the device or disseminating it to fielded devices via a private network.
Reliability is top of mind for most users since devices bricked due to a poorly executed update translates to lost revenue and unhappy customers.. Ensuring reliability starts with a solid foundation provided by a robust operating system. That’s why our engineers at Toradex meticulously test the entire Torizon OS, including the drivers, the OTA system, and the tooling, releasing quarterly production releases, monthly development releases, and nightly builds for patches.
To maximize device uptime, Torizon features an advanced rollback system that kicks in whenever an update fails. Whether the failure is due to external factors (the user might, for example, pull out the storage media with the update too early or power off the device at the wrong time), or bad software (a SW bug could prevent the system from booting), Torizon automatically reverts the system to a known, functional, clearly defined state. And it doesn’t just work for application updates. These fallbacks work regardless of the software layer being updated, from the bootloader over the OS to applications.
Software containerization further increases reliability by bundling all the dependencies the update requires to reduce the risk of breaking other applications during the update process. Meanwhile, the synchronous updates feature reduces testing efforts by only permitting updates that fit together to be executed. Some applications may, for example, only be compatible with certain versions of an OS.
The Torizon secure offline update service leverages additional tools to maximize reliability and help users deal with unforeseen circumstances. It relies on the OSTree library to handle updates for filesystem trees, in this case, the entire Linux root filesystem. This reduces storage space requirements and guarantees system integrity in the event of power outages. Greenboot simplifies the management of update checks and rollbacks. And hardware watchdogs are in place to identify and automatically recover from unsuccessful updates.
Our Torizon secure offline update service is designed for security from the ground up. It builds on the industry-hardened Uptane framework, developed to secure over-the-air software updates for automotive applications. We expanded its scope to include offline updates by contributing new additions to the framework.
Signing not only the software but also the update instructions prevents outdated updates from being installed on devices and eliminates a variety of attack vectors. Similarly, rollback protections prevent malicious actors from rolling back devices to vulnerable earlier states. And, by placing an upper bound on their validity, time-limiting updates ensure that only the most recent updates are deployed onto devices.
Further features are in place to enable security to keep up with changing circumstances (such as device ownership) and offline keys, which some companies use as part of their security strategy.
While it’s one thing to enable secure offline updates, the real challenge lies in making the entire update process user-friendly, even for non-specialists. That’s why our secure offline update service includes several checks to prevent service personnel from installing wrong updates or damaging the device.
Torizon’s intuitive web UI simplifies the creation of updates, ensuring that mechanisms are in place to handle errors that may arise if they are improperly executed. Alternatively, users can use an API to integrate the functionality into their own back end to manage device updates from their internal dashboards.
Ensuring a high degree of security needs to be equally simple. Lacking direct communication between the Torizon Cloud and the device to authenticate the updates, Torizon uses so-called Lockboxes to achieve the same level of security guarantees. These Lockboxes, make moving offline updates from one location to another simple and secure while protecting them from being tampered with before deployment.
Additional features simplify installing offline updates on fielded devices, allowing users to store multiple updates on a single storage medium. Updates can also be executed from a local network not connected to a cloud, reducing the time and effort required to update fleets of devices deployed, for example, in a factory setting.
To learn more about how Torizon enables secure offline updates for embedded Linux devices, head over to our online webinar. There, we go deeper into the points covered here and invite you to experience the solution in action in a short demo covering the entire update process.
Alternatively, check out the Toradex Developer Resources portal to learn how to get started with full-stack, secure, and reliable updates on devices that are not connected to the internet.
Daniel Lang, CMO, Toradex