Pros and Cons of System Update and Integrity Protection Schemes

Jonathan Mathews

Patrick Ohly

Given the increasing malware attacks against Linux-based IoT devices, there is growing interest in integrity protection schemes, as well as system update mechanisms that support over-the-air (OTA) field upgrades. At the recent Embedded Linux Conference, Patrick Ohly, a software engineer at Intel GmbH, Germany, who works on the Yocto Project and the IoT Reference OS Kit for Intel(r) architecture, surveyed both topics and explained how they interrelate.

With attacks on the rise, embedded developers need a combination of proactive hardening with integrity protection schemes and regular system updates, among other security precautions. “Integrity protection ensures that your device only runs software that has been verified to be unmodified,” said Ohly. “But you can’t count on catching everything in advance, and there will be new vulnerabilities and attack methods, so that’s why you need system updates.”

The bulk of Ohly’s talk explored the pros and cons of update and protection schemes available for Yocto/OpenEmbedded. Ohly is the maintainer of meta-integrity and meta-swupd — two layers that make the Linux Integrity Measurement Architecture (IMA) integrity protection scheme and the Clear Linux OS swupd update mechanism available on Yocto/OE. The experience has led him to see the benefits of swupd, as well as the problems with IMA.

Ohly explained the differences between block-based (swupdate, Mender.io) and file-based (swupd, OSTree) system update mechanisms. He then compared three integrity protection schemes: IMA with Extended Verification Module (EVM), or IMA/EVM, as well as whole-disk encryption with per-machine secret key, and dm-verity.

One’s choice of system update mechanism can affect the choice of integrity protection scheme. IMA/EVM works only with the file-based swupd and OSTree, while dm-verity works only with the block-based Mender.io and swupdate. Whole-disk encryption, meanwhile, works with all four. Although this talk is specific to Yocto, all of these components can work with other embedded Linux environments, with the possible exception of the more Yocto-specific swupdate.

Toward the end of the talk, Ohly detailed a recent project in which he took dm-verity and integrated it with whole-disk encryption into the IoT Refkit. “We are trying to use this to extend Yocto to additional use cases,” he said. Here, we only briefly reference the project, which involves integrating LUKS (Linux Unified Key Setup) and finessing QEMU to properly emulate TPM. If you’re interested, the discussion begins about 33 minutes into the 51-minute talk.

System update pros and cons

Before comparing the system update schemes available to Yocto/OE developers, Ohly noted that “they all have pros and cons, and in some cases, need further work.” The first decision is whether to go with a block-based or file-based mechanism. Block-based schemes like swupdate and Mender.io have fixed partition sizes. This means “you can’t have an update stream that is supplied to different devices with different hard disks because they have to be partitioned the same way,” said Ohly. File-based mechanisms like swupd and OSTree “make it easier to support a variety of devices,” he added.

In addition, updating selected files instead of entire partitions is a lot faster. “Swupd in particular works really hard to do the minimal amount of work for updates,” said Ohly.

The two file-based mechanisms have further differences. “OSTree creates an alternative tree using hard-linking, and then during reboot it switches over to a new root,” said Ohly. “It’s a bit more atomic than swupd, but it still needs a writable root file system.”
