Security/Reviews/B2GUpdates

From MozillaWiki

Item Reviewed

B2G Updates
Target: https://wiki.mozilla.org/Gaia/System/Updates

Tracking bugs:

ID      Summary                                                                                              Priority  Status
778084  Tracking: Gecko glue for FOTA updates                                                                --        RESOLVED
792452  MAR changes to embed multiple signatures (includes only libmar work, not updater B2G-specific work)  P1        RESOLVED
797477  Enable loading certificates and MAR verification in updater code for B2G                             P1        RESOLVED

3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%)


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

FOTA Updates

FOTA: Full over-the-air updates (i.e. Gonk/Drivers/Firmware + Gecko + Gaia)
Purpose: Only for security bugs that can't be fixed in Gecko or Gaia. Ideally these are never needed for shipping devices.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778084
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/Gonk
Frequency: Immediate for critical security bugs. Quarterly for any non-critical security bugs, if needed. If there are no bug fixes in a given quarter, there is no quarterly update.
Integrity checking: Update packages will be signed .mar files (inside the mar file will be a zip file containing the update)
Update server(s): Currently AUS, production undecided.
Delivery: Updates will be provided over a private APN? (what about Wifi?)

Process overview:

  1. Device checks for a new update manifest (e.g. http://update.boot2gecko.org/nightly/update.xml)
  2. Download the update via the existing Firefox delivery mechanism (updater & MAR)
  3. If there is an update, it is downloaded over HTTP, probably via a CDN.
  4. The downloaded .mar file is checked against the hash in the manifest
  5. Updater runs to check signatures and update details
  6. Sets up the recovery partition (copies files and creates recovery commands)
  7. Reboot into recovery mode
  8. Recovery checks the OEM-key signature
  9. Return to normal mode after installation
  10. Status checking afterwards

Backup keys are possible in the MAR file, but not in Android.

Gecko/Gaia Updates

Purpose: Automatic updates of b2g "userspace" (gecko, built-in apps and dependencies; not third-party apps)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=715816
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/GeckoGaia
Frequency:

  • 42 weeks (ESR) > update cycle > 6 weeks (Firefox)
  • Current proposal is 18 weeks

Integrity checking: MAR signing as above; Gaia apps are also signed as per packaged apps.
Update server(s): Not decided yet.
Delivery: Updates will be provided over a private APN. (Wifi? Download to PC then USB update?)
Update flow: https://wiki.mozilla.org/images/4/46/SystemUpdates_Flow1.pdf

Downloading and signature checking of updates proceed as per the process above.
Installation process:

    1. System partition is read-only
    2. Updater mounts the partition as read-write and copies files across
    3. Remounts the partition as read-only
    4. b2g process is restarted
    5. In case of error the device is rebooted (not normally required though)

What solutions/approaches were considered other than the proposed solution?

- Why three signatures?

  • Support for contractual relationships

- Who has final say in the case of disagreement on timing or content of updates?

  • Open question, to discuss with carriers

Why was this solution chosen?


Any security threats already considered in the design and why?


Threat Brainstorming

Update is modified in transit or prior to being applied

  • SSL used for the update manifest (including hash of update content)
  • Updates signed (potentially by all 3 keys)
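The client-side checks behind this threat and steps 4 and 5 of the process overview, as an added example that is not Mozilla's updater or libmar code: it parses an update.xml with the attribute names of the Firefox AUS manifest format, bounds the download size before hashing (the concern in bug 801855 under Action Items), checks the manifest hash, and enforces a required-signature count across three signer keys. The 10% size tolerance, the key names, the URL and the payload are constructed, and HMAC-SHA256 tags stand in for the RSA signatures carried in a real MAR file.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed tolerance for bug 801855: reject a download more than 10% over the
# size declared in the manifest, before any hashing is done.
SIZE_SLACK = 1.10
# Constructed stand-ins for the three signer keys; real MARs carry RSA signatures.
KEYS = {"mozilla": b"constructed-mozilla-key", "oem": b"constructed-oem-key",
        "carrier": b"constructed-carrier-key"}

def parse_manifest(xml_text):
    """Step 1: read the complete patch entry from an update.xml in the AUS format."""
    patch = ET.fromstring(xml_text).find("./update/patch[@type='complete']")
    if patch is None:
        raise ValueError("manifest has no complete patch")
    return {"url": patch.get("URL"), "hash_fn": patch.get("hashFunction").lower(),
            "hash": patch.get("hashValue").lower(), "size": int(patch.get("size"))}

def check_download(mar, patch):
    """Step 4: size bound first (cheap), then the manifest hash. Returns a status string."""
    if len(mar) > patch["size"] * SIZE_SLACK:
        return "too-large"
    if hashlib.new(patch["hash_fn"], mar).hexdigest() != patch["hash"]:
        return "hash-mismatch"
    return "ok"

def sign(mar, signer_ids):
    """Constructed signer: one (key_id, tag) per listed key, HMAC in place of RSA."""
    return [(k, hmac.new(KEYS[k], mar, hashlib.sha256).digest()) for k in signer_ids]

def signatures_ok(mar, signatures, required):
    """Step 5: count tags that verify under a known key (an unknown signer never
    counts) and enforce the policy; 'signed by all 3 keys' means required=3."""
    good = sum(1 for key_id, tag in signatures if key_id in KEYS and hmac.compare_digest(
        hmac.new(KEYS[key_id], mar, hashlib.sha256).digest(), tag))
    return good >= required

def make_manifest(mar, url="https://update.example.invalid/b2g.mar"):
    """Constructed update.xml describing `mar`, using the AUS attribute names."""
    return ('<updates><update type="minor" version="1.0"><patch type="complete" URL="%s" '
            'hashFunction="SHA512" hashValue="%s" size="%d"/></update></updates>'
            % (url, hashlib.sha512(mar).hexdigest(), len(mar)))

def accept_update(manifest_xml, mar, signatures, required=3):
    """The client decision: manifest checks first, then the signature policy."""
    status = check_download(mar, parse_manifest(manifest_xml))
    return status if status != "ok" else (
        "ok" if signatures_ok(mar, signatures, required) else "too-few-signatures")
```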

Updates not available in timely fashion

  • How the urgent update process will work is an open question, currently being negotiated with partners.
    • Open question on how frequency will work with multiple carriers. Possibly have Gecko/Gaia updates Mozilla signed only.

Open questions: Who will host updates? Will users be able to get updates over WiFi or USB?


Action Items

Action Item Status: In Progress
Release Target:
Action Items:
  bbondy: Check to make sure the update is not significantly larger than expected, to prevent disk space being exhausted (https://bugzilla.mozilla.org/show_bug.cgi?id=801855) -- Resolved
  pauljt: Fuzz the MAR format (bug 804046) -- Resolved