OTA-3969: Do the full verification of metadata on the IP Secondary #1449
Conversation
|
Nice, maybe this is easier than I thought! Let me know when you're ready for a deeper review. But at first glance it's looking good. |
mike-sul
force-pushed
the
feat/OTA-3969/ip-secondary-full-verification
branch
from
e53af0d to
b7867bb
Compare
Codecov Report
@@ Coverage Diff @@
## master #1449 +/- ##
==========================================
+ Coverage 80.25% 80.59% +0.34%
==========================================
Files 182 184 +2
Lines 11029 11068 +39
==========================================
+ Hits 8851 8920 +69
+ Misses 2178 2148 -30
Continue to review full report at Codecov.
|
mike-sul
force-pushed
the
feat/OTA-3969/ip-secondary-full-verification
branch
6 times, most recently
from
631945a to
307dcb6
Compare
mike-sul
force-pushed
the
feat/OTA-3969/ip-secondary-full-verification
branch
4 times, most recently
from
d33d800 to
09214cb
Compare
| @@ -61,7 +68,7 @@ if(BUILD_OSTREE) | |||
| LIBRARIES uptane_generator_lib | |||
| LIBRARIES aktualizr-posix | |||
| ARGS ${PROJECT_BINARY_DIR}/ostree_repo PROJECT_WORKING_DIRECTORY) | |||
| target_link_libraries(t_aktualizr_secondary_uptane virtual_secondary) | |||
| target_link_libraries(t_aktualizr_secondary_uptane virtual_secondary) | |||
There was a problem hiding this comment.
Not at all critical, but what's up with this indent?
There was a problem hiding this comment.
Some kind of typo, will move it back.
| @@ -113,14 +86,17 @@ bool AktualizrSecondary::putRootResp(const std::string& root, bool director) { | |||
| } | |||
|
|
|||
| bool AktualizrSecondary::sendFirmwareResp(const std::shared_ptr<std::string>& firmware) { | |||
| if (target_ == nullptr) { | |||
| LOG_ERROR << "No valid installation target found"; | |||
| auto targetsForThisEcu = director_repo_.getTargets(getSerial()); | |||
There was a problem hiding this comment.
Should we be rechecking the metadata (without fetching) like we do on the Primary before installation? It seems redundant, but it's a protection against unexpected changes in the time since the metadata was received.
There was a problem hiding this comment.
Yes, I agree, we should check at least an image file size (binary case) and its hash (for both ostree and binary).
There was a problem hiding this comment.
I think it's also worth rechecking the whole metadata chain from the metadata, but yeah, checking the object's hash/size is even more important.
| // | ||
| // The followin steps of the Director's target metadata verification are missing in DirectorRepository::updateMeta() | ||
| // 6. If checking Targets metadata from the Director repository, verify that there are no delegations. | ||
| // 7. If checking Targets metadata from the Director repository, check that no ECU identifier is represented more |
There was a problem hiding this comment.
Can you make a tech debt ticket for this and put it in the robustness epic?
It looks like you've already implemented the check for the secondary; is your proposal to move that check into the Uptane code directly so it is applied universally as early as is reasonable?
There was a problem hiding this comment.
Understood. We implicitly do step 6 in that we ignore the concept of delegations from the Director, but it's not a bad idea to check for them and throw a warning if found. Since we don't use the Snapshot role on the Director, though, all we can do is just check for them in the Targets metadata.
There was a problem hiding this comment.
| // This procedure doesn't exactly follow the spec: | ||
| // https://uptane.github.io/uptane-standard/uptane-standard.html#check_root At first, it should try to download N+1 | ||
| // version of the Root metadata file instead of downloading the "latest" one how do we know which version is the | ||
| // latest and why just root.json is downloaded ? |
There was a problem hiding this comment.
root.json without a number is guaranteed to be the latest in our scheme. The design is to fetch the latest, and if it matches what we already have stored, we're good. If not, then we have to go fetch the missing ones by name/number until we catch up. Might be worth a renewed discussion on what the best method is; I don't see the harm in our method.
There was a problem hiding this comment.
Thanks for explanation.
| // 1. At initial stage (just after provisioning) the root metadata from 1.root.json are not verified | ||
| // 2. If local_version becomes higher than 1, e.g. 2 than a rollback attack is possible since the business logic | ||
| // here won't return any error as suggested in #4 of | ||
| // https://uptane.github.io/uptane-standard/uptane-standard.html#check_root |
There was a problem hiding this comment.
Good call. Can you make another tech debt for this? (It's the same logic with the Image repo, so it can all be in one ticket.)
There was a problem hiding this comment.
| @@ -235,6 +241,11 @@ bool ImagesRepository::updateMeta(INvStorage& storage, Fetcher& fetcher) { | |||
| local_version = -1; | |||
| } | |||
|
|
|||
| // I am not sure that #6 of https://uptane.github.io/uptane-standard/uptane-standard.html#check_snapshot is | |||
| // performed | |||
There was a problem hiding this comment.
What's your concern? That we don't match the Targets metadata filenames?
There was a problem hiding this comment.
Yes, I mean exactly what #6 says
"Check that each Targets metadata filename listed in the previous Snapshot metadata file is also listed in this"
There was a problem hiding this comment.
This might be another thing worth making a ticket for and looking into more. I'm not sure how critical this really is, though, and I'm also not sure that the backend doesn't make some optimizations that would prevent that from working. In fact, I'm not sure this is actually sensible; what happens if a delegation gets (legitimately) removed?
There was a problem hiding this comment.
FYI: uptane/uptane-standard#149. Let's wait for resolution on that before making changes on our side.
Signed-off-by: Mykhaylo Sul <myk.sul@gmail.com>
Signed-off-by: Mykhaylo Sul <myk.sul@gmail.com>
mike-sul
force-pushed
the
feat/OTA-3969/ip-secondary-full-verification
branch
from
09214cb to
0fdd4c0
Compare
|
@patrickvacek Updated the PR according to the comments as well as created the suggested "robustness" tickets. |
Signed-off-by: Mykhaylo Sul myk.sul@gmail.com