1 of 22

Uptane

Implementation Specification

Trishank Karthik Kuppusamy, Akan Brown, Sebastien Awwad,

Damon McCoy, Russ Bielawski, Sam Weber, John Liming, Cameron Mott, Sam Lauzon, André Weimerskirch, Justin Cappos

Overview

Big picture

Time server

  • A primary sends a list of tokens, one for each ECU, to the time server.
  • An automated process on the time server returns a signed message containing: (1) the list of tokens, and (2) the current time.

[Figure: the primary in the vehicle (1) sends a list of tokens to the automated process on the time server and (2) receives the signed current time and list of tokens.]


The image repository

[Figure: image repository metadata. The root role signs root keys for the timestamp, snapshot and targets roles; the OEM-managed targets role (A) signs metadata for A*.img and delegates images to the supplier-managed roles B, C, D and E, which sign for images such as B*.img, C*.img, CA*.img and CB*.img.]

  • When possible, OEM delegates updates for ECUs to suppliers.
  • Delegations are flexible, and accommodate a variety of arrangements.

[Figure, continued: example images A1.img, B3.img, CA5.img and CB2.img.]


Director repository

  • Records vehicle version manifests.
  • Determines which ECUs install which images.
  • Produces different metadata for different vehicles.
  • May encrypt images per ECU.
  • Has access to an inventory database.

[Figure: the primary in the vehicle (1) sends the vehicle version manifest to the automated process on the director repository, which (2) reads and writes the inventory database and (3) writes timestamp, snapshot and targets metadata and the encrypted image to the repository; the primary (4) receives a link to the timestamp metadata and (5) downloads.]

Workflow on vehicle

Downloading updates (1)

  • First, the primary builds the vehicle version manifest, a signed record of what its ECUs have installed.
  • Before this step, each secondary must have sent the primary its version report, which contains (1) its ECU version manifest, a signed record of what it has installed, and (2) a token for the time server.

Downloading updates (2)

  • The primary downloads the current time from the time server on behalf of its secondaries.
  • To do so, the primary sends the time server a list of tokens, one per secondary, taken from their version reports.

Downloading updates (3)

  • The primary downloads metadata from both the director and image repositories.
  • The primary performs full verification of metadata on behalf of secondaries.

Downloading updates (4)

  • The primary downloads and verifies images on behalf of all ECUs.
  • Encrypted images, if any, are downloaded from the director repository.
  • Unencrypted images are downloaded from the image repository.

Downloading updates (5)

  • The primary sends the latest downloaded time to all of its secondaries.

Downloading updates (6)

  • The primary sends the latest downloaded metadata to all of its secondaries.

Downloading updates (7)

  • The primary sends its latest image to each secondary that has additional storage.

Before installing an update (1)

  1. Verify the latest downloaded time.
    1. Signatures must be valid.
    2. The list of tokens must include the token this ECU sent in its last version report.
    3. The current time must be greater than the previous downloaded time.
    4. If all checks pass, then generate a new token. Otherwise, reuse the previous token.
  2. Verify metadata using full / partial verification.
    • (Discussed in more detail later.)
  3. If the secondary does not have additional storage, download the image from the primary.
    • It may use the primary to back up the previous working image, so that it can be restored if this update fails.
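As an added example (not code from the deck or from the Uptane reference implementation), here is the time-server exchange shown earlier together with the time check a secondary performs in step 1. The message layout, field names and the HMAC stand-in for the time server's signature are assumptions made so that it runs stand-alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the time server's signing key. Uptane uses
# public-key signatures; HMAC-SHA256 is used here only so the example runs
# without extra libraries (an assumption, not the real scheme).
TIME_SERVER_KEY = b"constructed-time-server-key"


def time_server_sign(tokens, now):
    """Automated process on the time server: returns a signed message
    containing (1) the list of tokens and (2) the current time."""
    signed = {"tokens": sorted(tokens), "time": now}
    body = json.dumps(signed, sort_keys=True).encode()
    sig = hmac.new(TIME_SERVER_KEY, body, hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": sig}


class Secondary:
    """The part of a secondary ECU's state involved in the time check."""

    def __init__(self, last_time):
        self.last_time = last_time          # previous downloaded time
        self.token = secrets.token_hex(8)   # token sent in the last version report

    def verify_time(self, message):
        """Steps 1.1-1.4 of 'Before installing an update (1)': accept the time
        and generate a new token only if every check passes; otherwise keep
        the previous token so the same request can be answered later."""
        body = json.dumps(message["signed"], sort_keys=True).encode()
        expect = hmac.new(TIME_SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, message["signature"]):
            return False                    # 1.1: signature invalid
        signed = message["signed"]
        if self.token not in signed["tokens"]:
            return False                    # 1.2: our token is missing (old or replayed message)
        if signed["time"] <= self.last_time:
            return False                    # 1.3: time did not move forward
        self.last_time = signed["time"]     # 1.4: accept, then rotate the token
        self.token = secrets.token_hex(8)
        return True
```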

Before installing an update (2)

  • Verify that the latest image matches the latest metadata.
    • Check that the hardware identifier matches its own.
    • Check that the previous release counter is <= the current release counter.
    • Check that the encrypted image, if any, matches the director targets metadata.
    • Check that the unencrypted image matches the director targets metadata.
    • If all checks pass, overwrite the previous with the latest metadata. If there is additional storage, overwrite the previous with the latest image.
    • Otherwise, if some check failed, and there is no additional storage, then restore the previous image from the backup on the primary.
  • Send the next version report to the primary.
    • Include the next token for the time server.
    • Include the ECU version manifest, which contains: (1) the ECU identifier, (2) the previous and current times, (3) any security attack detected during an update, and (4) metadata about what is currently installed.
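An added example of the image checks in the first bullet above for an unencrypted image, written for this page rather than taken from the Uptane implementation; the targets record field names (hardware_id, release_counter, length, hashes) and the backup handling are assumptions.

```python
import hashlib


def target_record(image, hardware_id, release_counter):
    """Constructed director targets record for one ECU's image."""
    return {"hardware_id": hardware_id, "release_counter": release_counter,
            "length": len(image),
            "hashes": {"sha256": hashlib.sha256(image).hexdigest()}}


def verify_image(image, metadata, hardware_id, prev_release_counter):
    """Checks a secondary runs on an unencrypted image before installing it.
    Returns None when the image matches the director targets metadata for
    this ECU, else the name of the failed check."""
    if metadata["hardware_id"] != hardware_id:
        return "hardware identifier mismatch"
    if not prev_release_counter <= metadata["release_counter"]:
        return "release counter went backwards"
    if len(image) != metadata["length"]:
        return "length mismatch"
    if hashlib.sha256(image).hexdigest() != metadata["hashes"]["sha256"]:
        return "hash mismatch"
    return None


class Secondary:
    """Installed state of a secondary. Without additional storage the new
    image is written over the old one as it arrives, so the primary holds a
    backup that the secondary restores from when a check fails."""

    def __init__(self, hardware_id, metadata, image, additional_storage):
        self.hardware_id = hardware_id
        self.metadata = metadata
        self.image = image
        self.additional_storage = additional_storage

    def install(self, new_metadata, new_image, backup_on_primary):
        if not self.additional_storage:
            self.image = new_image            # no room to stage: overwritten in place
        problem = verify_image(new_image, new_metadata, self.hardware_id,
                               self.metadata["release_counter"])
        if problem is None:
            self.metadata = new_metadata      # overwrite previous metadata
            self.image = new_image            # and the image (now also with storage)
        elif not self.additional_storage:
            self.image = backup_on_primary    # restore the previous working image
        return problem
```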

Partial verification

  1. Load the latest downloaded time from the time server.
  2. Load the latest top-level targets metadata file from the director repository.
    1. Check for an arbitrary software attack. This metadata file must have been signed by a threshold of keys specified in the previous root metadata file.
    2. Check for a rollback attack.
    3. Check for a freeze attack. The latest downloaded time should be < the expiration timestamp in this metadata file.
    4. Check that there are no delegations.
    5. Check that every ECU identifier appears at most once.
  3. Return an error code indicating a security attack, if any.
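The five partial-verification checks as an added Python example (not the deck's or Uptane's own code); the metadata layout, the version counter used for the rollback check, and the HMAC stand-in for director signatures are assumptions.

```python
import hashlib
import hmac
import json

# Constructed director signing keys, keyed by key id. Uptane uses public-key
# signatures; HMAC-SHA256 is an assumption made so this runs without extra
# libraries.
DIRECTOR_KEYS = {"dir-key-1": b"k1", "dir-key-2": b"k2", "dir-key-3": b"k3"}


def sign_targets(signed, keyids):
    """Director side: sign the targets metadata body with the given key ids."""
    body = json.dumps(signed, sort_keys=True).encode()
    sigs = [{"keyid": k,
             "sig": hmac.new(DIRECTOR_KEYS[k], body, hashlib.sha256).hexdigest()}
            for k in keyids]
    return {"signed": signed, "signatures": sigs}


def partial_verification(now, previous_root, previous_targets, targets):
    """Partial verification of the director's top-level targets metadata on a
    secondary. Returns None when all checks pass, else the attack detected.
    `now` is the latest time downloaded from the time server."""
    body = json.dumps(targets["signed"], sort_keys=True).encode()
    role = previous_root["roles"]["targets"]
    valid_keys = set()
    for s in targets["signatures"]:
        if s["keyid"] in role["keyids"]:          # only keys the previous root trusts
            expect = hmac.new(DIRECTOR_KEYS[s["keyid"]], body, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expect, s["sig"]):
                valid_keys.add(s["keyid"])
    if len(valid_keys) < role["threshold"]:       # 2.1: threshold not reached
        return "arbitrary software attack"
    signed = targets["signed"]
    if signed["version"] < previous_targets["version"]:   # 2.2: older than what we have
        return "rollback attack"
    if not now < signed["expires"]:               # 2.3: expired metadata
        return "freeze attack"
    if signed.get("delegations"):                 # 2.4: partial verifiers follow none
        return "unexpected delegations"
    ecus = [t["ecu_serial"] for t in signed["targets"].values()]
    if len(ecus) != len(set(ecus)):               # 2.5: one image per ECU
        return "duplicate ECU identifier"
    return None
```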

Full verification

  1. Load the latest downloaded time from the time server.
  2. Verify metadata from the director repository.
    1. Check the root metadata file.
    2. Check the timestamp metadata file.
    3. Check the snapshot metadata file.
    4. Check the targets metadata file.
  3. Download and verify metadata from the image repository.
    • Check the root metadata file.
    • Check the timestamp metadata file.
    • Check the snapshot metadata file, especially for rollback attacks.
    • Check the targets metadata file.
    • For every image A in the director targets metadata file, perform a preorder depth-first search for the same image B in the targets metadata from the image repository, and check that A = B.
  4. Return an error code indicating a security attack, if any.
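An added example (not Uptane's code) of the last bullet of step 3: for each image A in the director targets metadata, a preorder depth-first search through the image repository's delegations for the same image B, requiring A = B. The nested-dict layout and the delegation tree (C delegating to CA and CB) are assumptions made for this example.

```python
import fnmatch
import hashlib


def image_record(data):
    """Constructed targets record for an image: its length and hashes."""
    return {"length": len(data), "hashes": {"sha256": hashlib.sha256(data).hexdigest()}}


def role(name, paths, targets, delegations=()):
    """Constructed delegated role; real Uptane keeps each in its own signed file."""
    return {"name": name, "paths": paths, "targets": targets, "delegations": list(delegations)}


# Constructed image repository tree following the deck's figure: the OEM's top-level
# targets role signs A*.img and delegates to suppliers B and C; C delegates CA*.img/CB*.img.
IMAGE_REPO = role("targets", ["*"], {"A1.img": image_record(b"A1 firmware")}, [
    role("B", ["B*.img"], {"B3.img": image_record(b"B3 firmware")}),
    role("C", ["C*.img"], {}, [
        role("CA", ["CA*.img"], {"CA5.img": image_record(b"CA5 firmware")}),
        role("CB", ["CB*.img"], {"CB2.img": image_record(b"CB2 firmware")}),
    ]),
])


def find_image(role_md, name):
    """Preorder depth-first search: this role's own targets first, then each
    delegation in order, descending only where the path pattern matches."""
    if name in role_md["targets"]:
        return role_md["targets"][name]
    for child in role_md["delegations"]:
        if any(fnmatch.fnmatch(name, p) for p in child["paths"]):
            found = find_image(child, name)
            if found is not None:
                return found
    return None


def check_director_against_image_repo(director_targets, image_repo=IMAGE_REPO):
    """For every image A in the director's targets, find the same image B on
    the image repository and require A == B. Returns the list of problems."""
    problems = []
    for name, a in director_targets.items():
        b = find_image(image_repo, name)
        if b is None:
            problems.append(f"{name}: not on image repository")
        elif a["length"] != b["length"] or a["hashes"] != b["hashes"]:
            problems.append(f"{name}: director metadata does not match image repository")
    return problems
```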

Q & A

For more details, please see the Implementation Specification at https://goo.gl/tNxCoj