How Mender environment update can work on a protected U-boot environment settings?

Hi,

I hope everyone is doing well and safe.

We have a security concern and planning to make the U-boot environment as read-only!

Hence, I would like to understand, how U-boot env variables for mender (such as current boot partition, altboot configuration etc) will work with the readonly env settings.

Let me put my current understanding below:

  • Once, the board booted, then mender will change the env only during the mender - install and mender -commit time.

  • Hence, if we can enable the write mode to fw_setenv before this operation, then mender will work. Once the settings are done, then will remove the write mode to the fw_setenv

  • This might require a code change in the mender source since, -install and -commit are performing from the mender source, not from the Yocto patches.

  • This also need a correct fw_config setting to take the env from the read-only location.

Could anyone confirm my understanding is correct? Should I taken care of any other procedure/step?

Also, I would like to know anyone already tried this kind of setup earlier :slight_smile:

Hi @ajithpv that sounds ok in principle but I don’t think you need to modify the Mender source itself. I think you can do it using state scripts on pre-install and post-commit. @kacf can likely comment on exactly where you need to enable read-write.

Drew

1 Like

I can’t recall that it has been attempted before, but I don’t see why it wouldn’t work, as long as write access is enabled at the correct times.

Your assumptions look correct, but remember that write access also needs to be enabled during boot, since U-Boot need to write the boot counter while an update is in progress.

With regards to code changes, I think an easier path will be to make a dedicated Update Module for this, and base it on the test rootfs-image module that we use in internal testing. This is essentially feature equivalent to the internal rootfs-image module, but much easier to adapt. The downside is that you may lose some convenience functionality such as copying in and out of artifacts using mender-artifact, since it only understands the rootfs-image Payload type.

1 Like