Security/Reviews/B2GUpdates

Item Reviewed

B2G Updates

Target

* https://wiki.mozilla.org/Gaia/System/Updates Background info on FF updates: https://wiki.mozilla.org/Software_Update Useful bugzilla links: Full Query ID Summary Priority Status 778084 Tracking: Gecko glue for FOTA updates -- RESOLVED 792452 MAR changes to embed multiple signatures (includes only libmar work not updater B2G specific work) P1 RESOLVED 797477 Enable loading certificates and MAR verification in updater code for B2G P1 RESOLVED 3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%); Some FAQ here for Gecko Updates: https://bugzilla.mozilla.org/show_bug.cgi?id=778084#c3 Updater changes for b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=797477 Libmar changes to support multiple sigs: **https://bugzilla.mozilla.org/show_bug.cgi?id=792452 https://bugzilla.mozilla.org/show_bug.cgi?id=783638 Background information on the MAR file format: https://wiki.mozilla.org/Software_Update:MAR and how signing currently works before

{{#set:SecReview name=B2G Updates |SecReview target=* https://wiki.mozilla.org/Gaia/System/Updates

• Background info on FF updates:
  • https://wiki.mozilla.org/Software_Update
• Useful bugzilla links:

Full Query

ID	Summary	Priority	Status
778084	Tracking: Gecko glue for FOTA updates	--	RESOLVED
792452	MAR changes to embed multiple signatures (includes only libmar work not updater B2G specific work)	P1	RESOLVED
797477	Enable loading certificates and MAR verification in updater code for B2G	P1	RESOLVED

3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%);

• Some FAQ here for Gecko Updates:
  • https://bugzilla.mozilla.org/show_bug.cgi?id=778084#c3
• Updater changes for b2g:
  • https://bugzilla.mozilla.org/show_bug.cgi?id=797477
• Libmar changes to support multiple sigs: **https://bugzilla.mozilla.org/show_bug.cgi?id=792452
  • https://bugzilla.mozilla.org/show_bug.cgi?id=783638
• Background information on the MAR file format: https://wiki.mozilla.org/Software_Update:MAR and how signing currently works before

}}

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

FOTA Updates=

FOTA: Full over-the-air updates (i.e. Gonk/Drivers/Firmware + Gecko + Gaia)
Purpose: Only for security bugs that can't be fixed in Gecko or Gaia. Ideally are never needed for shipping devices.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778084
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/Gonk
Frequency: Immediate for critical security bugs. Quarterly for any non-critical security bugs, if needed. If there are no bug fixes in a given quarter, there is no quarterly update.
Integrity checking: Update packages will be signed .mar files (inside the mar file will be a zip file containing the update)
Update server(s): Currently AUS, production undecided.
Delivery: Updates will be provided over a private APN? (what about Wifi?)

Process overview:

1. Device checks for new update manifest (e.g. http://update.boot2gecko.org/nightly/update.xml)
2. Download update via existing firefox delivery mechanism (updater & mar)
3. If there is an update, it is downloaded over http, probably via cdn.
4. Downloaded .mar file is checked against the hash in the manifest
5. Updater runs to check signatures and update details
6. Sets up recovery partition (copy files and create recovery commands)
7. Reboot in to recovery mode
8. Recovery checks a signature of the oem key
9. return back to normal mode after installation
10. status checking afterwards

Backup keys possible in mar file, but not in android

Gecko/Gaia Updates

Purpose: Automatic updates of b2g "userspace" (gecko, built-in apps and dependencies; not third-party apps)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=715816
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/GeckoGaia
Frequency:

• 42 weeks (ESR) > update cycle > 6 weeks (Firefox)
• Current proposal is 18 weeks

Integrity checking: MAR Signing as above & Gaia apps also signed as per packaged apps. Update server(s): Not decided yet.
Delivery: Updates will be provided over a private APN. (Wifi? Download to PC then USB update?)
Update flow: https://wiki.mozilla.org/images/4/46/SystemUpdates_Flow1.pdf

Downloading checking signature of updates as per the process above.
Installation process:

1. 1. system partition is read-only
   2. updater mounts the partition as read-write, copies files across
   3. remounts partition as read-only
   4. b2g process is restarted
   5. in case of error the device is rebooted (not normally required though)

What solutions/approaches were considered other than the proposed solution?

- Why three signatures?

• support for contractual relationships

- Who has final say in the case of disagreement on timing or content of updates?

• open question, to discuss with carriers

Why was this solution chosen?

`

Any security threats already considered in the design and why?

`

Threat Brainstorming

Update is modified in transit or prior to being applied

• SSL used for the update manifest (including hash of update content)
• Updates signed (potentially by all 3 keys)

Updates not available in timely fashion

• How urgent update process will work is an open question, currently being negotiated with partners.
  • Open question on how frequency will work with multiple carriers. Possibly have Gecko/Gaia updates Mozilla signed only.

Open questions: Who will host updates? Will users be able to get updates over WiFi or USB? {{#set: SecReview feature goal===FOTA Updates=== FOTA: Full over-the-air updates (i.e. Gonk/Drivers/Firmware + Gecko + Gaia)
Purpose: Only for security bugs that can't be fixed in Gecko or Gaia. Ideally are never needed for shipping devices.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778084
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/Gonk
Frequency: Immediate for critical security bugs. Quarterly for any non-critical security bugs, if needed. If there are no bug fixes in a given quarter, there is no quarterly update.
Integrity checking: Update packages will be signed .mar files (inside the mar file will be a zip file containing the update)
Update server(s): Currently AUS, production undecided.
Delivery: Updates will be provided over a private APN? (what about Wifi?)

Process overview:

1. Device checks for new update manifest (e.g. http://update.boot2gecko.org/nightly/update.xml)
2. Download update via existing firefox delivery mechanism (updater & mar)
3. If there is an update, it is downloaded over http, probably via cdn.
4. Downloaded .mar file is checked against the hash in the manifest
5. Updater runs to check signatures and update details
6. Sets up recovery partition (copy files and create recovery commands)
7. Reboot in to recovery mode
8. Recovery checks a signature of the oem key
9. return back to normal mode after installation
10. status checking afterwards

Backup keys possible in mar file, but not in android

Gecko/Gaia Updates

Purpose: Automatic updates of b2g "userspace" (gecko, built-in apps and dependencies; not third-party apps)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=715816
Wiki: https://wiki.mozilla.org/Gaia/System/Updates/GeckoGaia
Frequency:

• 42 weeks (ESR) > update cycle > 6 weeks (Firefox)
• Current proposal is 18 weeks

Integrity checking: MAR Signing as above & Gaia apps also signed as per packaged apps. Update server(s): Not decided yet.
Delivery: Updates will be provided over a private APN. (Wifi? Download to PC then USB update?)
Update flow: https://wiki.mozilla.org/images/4/46/SystemUpdates_Flow1.pdf

Downloading checking signature of updates as per the process above.
Installation process:

1. 1. system partition is read-only
   2. updater mounts the partition as read-write, copies files across
   3. remounts partition as read-only
   4. b2g process is restarted
   5. in case of error the device is rebooted (not normally required though)

|SecReview alt solutions=- Why three signatures?

• support for contractual relationships

- Who has final say in the case of disagreement on timing or content of updates?

• open question, to discuss with carriers

|SecReview solution chosen=' |SecReview threats considered=' |SecReview threat brainstorming=Update is modified in transit or prior to being applied

• SSL used for the update manifest (including hash of update content)
• Updates signed (potentially by all 3 keys)

Updates not available in timely fashion

• How urgent update process will work is an open question, currently being negotiated with partners.
  • Open question on how frequency will work with multiple carriers. Possibly have Gecko/Gaia updates Mozilla signed only.

Open questions: Who will host updates? Will users be able to get updates over WiFi or USB? }}

Action Items

Action Item Status	In Progress
Release Target	`
Action Items
bbondy::Check to make the update is not significantly larger than expected to prevent disk space being exhausted::https://bugzilla.mozilla.org/show_bug.cgi?id=801855 Resolved pauljt:: Fuzz mar format::804046 Resolved

{{#set:|SecReview action item status=In Progress

|Feature version=` |SecReview action items=bbondy::Check to make the update is not significantly larger than expected to prevent disk space being exhausted::https://bugzilla.mozilla.org/show_bug.cgi?id=801855 Resolved
pauljt:: Fuzz mar format::804046 Resolved }}