Dear Reader,
As loyal readers of my newsletter, you know that I am currently working on an OTA-update solution with an SwUpdate client and a Memfault server. Last month, I ran into a problem with delta updates. SwUpdate requires the upload of two update archives to the OTA-update server: one archive with the update configuration and the checksums of all blocks, and another archive with all the blocks of the ext4 image.
The Memfault server, however, only supports the upload of one archive. So, my customer would have had to set up their own server for hosting the second archive. They explicitly chose a hosted solution, because they wanted to avoid the hassle of running their own server. I came up with an application update as a workaround.
Given a list of application packages, a Yocto task packs all the files of these packages into a tarball and creates an SwUpdate archive with the tarball. The archive is a lot smaller than the archive for a full rootfs update (22 MB versus 350 MB for my project). Installing an application update on a device is faster and requires less bandwidth than a full rootfs update.
If only the applications but not their dependencies changed, the application update is a good workaround. Otherwise, you must ensure that all the modified dependencies are included in the tarball as well. I have used application updates for driver terminals of agricultural and construction machines. These updates even included new versions of the Qt libraries built against an unchanged SDK.
Of course, I was curious whether I could find proper delta-update solutions at EW24. I did with the RAUC client and the QBee server. Read more in the section Two More OTA-Update Solutions.
My next task on the project will be to enable secure boot for the iMX8M Plus. Manufacturers cryptographically sign the boot loader, Linux kernel and applications with their private key. On start-up, the device checks the signature of the software with the corresponding public key (see What is Code Signing? for more details). Manufacturers can guarantee that the software running on the device is the software they provided.
Keeping their private keys secret is paramount for manufacturers. If evildoers get their hands on private keys, they can make users install malicious software on their devices. As this should never happen, manufacturers need a secure and effective way to manage cryptographic keys. They need a so-called public key infrastructure (PKI).
At EW24, I found one company, Crypto Quantique, that offers an OTA update server with built-in PKI. Read more in the section Two More OTA-Update Solutions.
Now, enjoy my round-up of the Embedded World 2024.
Happy reading,
Burkhard