**https://bugzilla.mozilla.org/show_bug.cgi?id=797477
*Libmar changes to support multiple sigs: **https://bugzilla.mozilla.org/show_bug.cgi?id=792452
}}
{{SecReview
|SecReview feature goal=====FOTA Updates===
FOTA: Full over-the-air updates (i.e. Gonk/Drivers + Gecko + Gaia)
Purpose: Only for security bugs that can't be fixed in Gecko or Gaia. Ideally never needed for shipping devices.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778084
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/Gonk
Frequency: Immediate for critical security bugs. Quarterly for any non-critical security bugs, if needed. If there are no bug fixes in a given quarter, there is no quarterly update.
Integrity checking: Update packages will be signed .mar files (inside the mar file will be a zip file containing the update)
Update server(s): Currently AUS, production undecided???
Delivery: Updates will be provided over a private APN? (what about Wifi?)
- Full flash of kernel & drivers etc.
- Android devices use the recovery partition to achieve this
- our updates use this
- use Google's update scripting language
- download update via existing Firefox delivery mechanism (updater & mar)
- download a mar file (delivery & signing)
- updater runs to check signatures and update details
- sets up recovery partition (recovery commands)
- reboot into recovery mode
- return back to normal mode
- status checking afterwards
- recovery mode also checks a signature against the OEM key
Backup keys possible in mar file, but not in Android
====Gecko/Gaia Updates====
Purpose: Automatic updates of b2g "userspace" (gecko, built-in apps and dependencies; not third-party apps)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=715816
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/GeckoGaia
Frequency:
- 42 weeks (ESR) > update cycle > 6 weeks (Firefox)
- Current proposal is 18 weeks
Integrity checking:
- MAR Signing (see https://bugzilla.mozilla.org/show_bug.cgi?id=783638)
- Background information on the MAR file format: https://wiki.mozilla.org/Software_Update:MAR, and how signing currently works before Bug 783638.
- Gaia apps also signed as per packaged apps?
Update server(s): ?
Delivery: Updates will be provided over a private APN. (Wifi? Download to PC then USB update?)
Update flow: https://wiki.mozilla.org/images/4/46/SystemUpdates_Flow1.pdf
- very similar to Firefox updates
- system partition is read-only
- updater mounts the partition as read-write
- in case of error the device is rebooted
- UI is based on chromeEvents
- system Gaia apps hosted inside system partition
Do we use PGO? (makes updates larger)
- work is being done to optimise updates to make them smaller
- size is important
|SecReview alt solutions=- Why three signatures?
* support for contractual relationships
- Who has final say in the case of disagreement?
* open question, to discuss with carriers
|SecReview solution chosen=- Why three signatures?
- Who decides what content will go into the final builds? (what happens if, for example, Mozilla wants something the carrier doesn't want?)
|SecReview threat brainstorming=*Update is modified prior to being applied
**SSL used for the update manifest (including hash of update content)
**Updates signed (potentially by all 3 keys)
*Updates not delivered in a timely fashion
** How will the chemspill process work, especially with three signing parties?
** Open question on how frequency will work with multiple carriers. Possibly have Gecko/Gaia updates Mozilla-signed only.
Open questions:
Who will host updates?
Will users be able to get updates over Wifi or USB?
}}
{{SecReviewActionStatus
|SecReview action item status=In Progress
|SecReview action items=??::Check to make sure the update is not significantly larger than expected, to prevent disk space being exhausted::??
??:: Fuzz mar format::??
}}
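One way to implement the pre-apply checks the notes call for (the action item on updates that are larger than expected, and the content hash carried in the SSL-protected manifest), as an added Python example that is not part of this review or of Mozilla's updater code. The MAR header check follows the linked MAR format page ("MAR1" magic followed by a big-endian offset to the index); the sample bytes and manifest values are constructed for the demo.

```python
import hashlib
import io

MAR_MAGIC = b"MAR1"


class UpdateRejected(Exception):
    """Raised when a downloaded update package fails a pre-apply check."""


def check_mar_header(data):
    """Sanity-check the MAR container before handing it to the updater:
    'MAR1' magic and a big-endian index offset that lies inside the file."""
    if len(data) < 8 or data[:4] != MAR_MAGIC:
        raise UpdateRejected("not a MAR file")
    index_offset = int.from_bytes(data[4:8], "big")
    if index_offset >= len(data):
        raise UpdateRejected("MAR index offset points past end of file")
    return index_offset


def fetch_update(stream, expected_size, expected_sha256, chunk_size=64 * 1024):
    """Read an update from `stream`, refusing to consume more bytes than the
    manifest promised (disk-exhaustion guard) and refusing any package whose
    SHA-256 differs from the manifest hash (tampering guard)."""
    digest, buf, received = hashlib.sha256(), io.BytesIO(), 0
    while True:
        # Never ask for more than one byte past the promised size, so an
        # oversized sender is detected without buffering its excess data.
        chunk = stream.read(min(chunk_size, expected_size - received + 1))
        if not chunk:
            break
        received += len(chunk)
        if received > expected_size:
            raise UpdateRejected(f"update exceeds manifest size {expected_size}")
        digest.update(chunk)
        buf.write(chunk)
    if received != expected_size:
        raise UpdateRejected(f"truncated update: {received} of {expected_size} bytes")
    if digest.hexdigest() != expected_sha256:
        raise UpdateRejected("manifest hash mismatch")
    data = buf.getvalue()
    check_mar_header(data)
    return data


def demo():
    """Constructed sample: a tiny MAR-shaped blob plus three bad deliveries."""
    sample = MAR_MAGIC + (16).to_bytes(4, "big") + b"payload!" + bytes(4)
    manifest_hash = hashlib.sha256(sample).hexdigest()
    results = {"good": fetch_update(io.BytesIO(sample), len(sample), manifest_hash) == sample}
    for name, body in [("oversized", sample + b"A" * 1024),
                       ("tampered", sample[:-1] + b"X"), ("truncated", sample[:-2])]:
        try:
            fetch_update(io.BytesIO(body), len(sample), manifest_hash)
            results[name] = False
        except UpdateRejected:
            results[name] = True  # each bad delivery must be rejected
    return results
```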