Fix/ota 4119/ota 4132/root verification #1501
Conversation
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
from
d15af59
to
d37167f
Compare
| @@ -47,6 +47,45 @@ bool RepositoryCommon::verifyRoot(const std::string& root_raw) { | |||
|
|
|||
| void RepositoryCommon::resetRoot() { root = Root(Root::Policy::kAcceptAll); } | |||
|
|
|||
| bool RepositoryCommon::updateRoot(INvStorage& storage, const IMetadataFetcher& fetcher, | |||
There was a problem hiding this comment.
Cool, that exactly was I thought about when I saw the initial implementation - share as much code as possible between the director and imagerepo implementation.
Perhaps, it makes sense to add a reference(s) to the corresponding paragraphs of the uptane spec.
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
2 times, most recently
from
25e169e
to
f7645b1
Compare
Codecov Report
@@ Coverage Diff @@
## master #1501 +/- ##
==========================================
- Coverage 80.91% 80.72% -0.19%
==========================================
Files 184 184
Lines 11151 11141 -10
==========================================
- Hits 9023 8994 -29
- Misses 2128 2147 +19
Continue to review full report at Codecov.
|
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
from
35d4543
to
9365d07
Compare
|
Ready for review but depends on advancedtelematic/tuf-test-vectors#65 before merging. |
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
from
9365d07
to
06f9981
Compare
|
Unfortunately, we can't merge this as is because the backend apparently expects that devices fetch the unnumbered |
I vote for the temporary fix |
Done. I also realized that I forgot to amend uptane-generator to stop creating an unnumbered |
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
from
24cb71e
to
f5c0e5a
Compare
It is essentially identical for the Director and Image repos, so there is no need to duplicate the code. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Do not check for an unnumbered version of the root metadata. Just check for the next available version and move on if it is not found. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Previously they just threw exceptions. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
It appears to have been dumping an object into the storage field instead of the actual path. Also convert the import paths into absolute paths instead of local. This makes testing and debugging much easier. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
It now needs to respect versions. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
aktualizr no longer tries an unnumbered version. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
New tests should cover the root version checking. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
This is a hack, but currently the backend expects that the unnumbered root.json is fetched once. Otherwise a device is not considered "online". Once that requirement is lifted, this commit should be reverted. Also at that time, uptane-generator should be amended to stop creating an unnumbered root.json. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
pattivacek
force-pushed
the
fix/OTA-4119/OTA-4132/root-verification
branch
from
f5c0e5a
to
0419df6
Compare
| // If not, then we have to go fetch the missing ones by name/number until we catch up. | ||
|
|
||
| // 5.4.4.3.2. Update to the latest Root metadata file. | ||
| for (int version = rootVersion() + 1;; ++version) { |
There was a problem hiding this comment.
Should this loop be upper-bounded? It seems a bit dangerous to never stop here if the server keeps supplying valid metadata.
There was a problem hiding this comment.
That's a really good point. Yes, it probably should be, but what's reasonable? 100? We should probably bring this up directly with the Uptane group. Or do you have an opinion?
There was a problem hiding this comment.
It sounds like another limit implementations should enforce, like the size of downloaded metadata artifacts.
I am thinking if we should have a limit for version jumps during an update or just a global upper bound (which we need anyway since we're using json integers and an int in this code).
The "jump" limit might complicate diagnostic of accidental trigger, since it would only affect a fraction of the devices.
There was a problem hiding this comment.
It sounds like another limit implementations should enforce, like the size of downloaded metadata artifacts.
Could be, yes.
I am thinking if we should have a limit for version jumps during an update or just a global upper bound (which we need anyway since we're using json integers and an
intin this code).
Global might make more sense, because if you provision a new device, it'll have to catch up the whole way to the latest anyway. But I'm also a bit concerned that it might be unexpected to have such a limit.
I think we should either leave it is or make a quick decision now, and either way make a ticket to follow up on it and in the meantime move forward with getting this merged. Do you have a preference? If we want to just make a quick decision, I'd say 100 should be fine for now.
There was a problem hiding this comment.
Ok I see, then 100 or 1000 would be fine for now.
There was a problem hiding this comment.
Done (with 1000 for now), and made https://saeljira.it.here.com/browse/OTA-4273 to re-evaluate again.
The idea is to try to better handle the scenario where the server keeps unceasingly providing valid metadata, which could be a sort of bizarre attack. Suggested-by: Laurent Bonnans <laurent.bonnans@here.com> Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
No description provided.