![Page 1: A Scalable, Cloud-Based Device Reprogramming Architecture](https://reader033.vdocuments.site/reader033/viewer/2022042204/6258c684ac2a67292e39794c/html5/thumbnails/1.jpg)
A Scalable, Cloud-Based Device Reprogramming Architecture

About Me: James Simister, Director of Consulting Services
•Panasonic Research & Development Company of America, Salt Lake City Lab
– Software Developer for 30+ years
– 20 years experience with Linux
– 15 years working with embedded systems
– Interests: Networking, Security, Cloud, …

Introduction: What Is a Device?
•A thing made or adapted for a particular purpose, especially a piece of mechanical or electronic equipment.1
•Any piece of electronic equipment capable of executing code to perform some function.
1. Google definition, emphasis added
•Any piece of electronic equipment capable
of executing code to perform some
function.

Introduction: Is There a Problem?
•Abundance
– Breadth: More kinds of devices available
– Depth: More demand for each kind
•Device lifetime of 10+ (20+) years

Introduction: Is There a Problem?
•Time-to-market
– Increasingly demanding
– Dropped/incomplete features & enhancements
•Crowd-funded projects, small start-ups
– Lack of experienced engineers
– Lack of security experts

Introduction: What Is Device Reprogramming?
•Changing software (firmware) of a device
– Updates
– Enhancements
– Add [or remove] features
– Bug fixes
• Application errors, security vulnerabilities, etc.

Introduction: Device Reprogramming Challenges
•Current cost vs. future capabilities
•CPU capability/speed
•Memory & storage (disk/flash) capacity
•Connectivity & accessibility
•Bandwidth

Update Strategy: Manual or Automatic?
Manual Updates
•User in full control
•Inform user
•Motivate user
•Unknown timing
Automatic Updates
•Mfr. in full control
•Mandatory
•Scheduled
•Controlled

General Requirements: Fundamental Issues
•Security
– How do you prevent attack (or loss of control)?
•Reliability
– How do you account for failure?
•Scalability
– How do you handle millions of updates?

Security: How Do You Prevent Attack? Trusted Sources
•Where did the update originate?
•Should the user/device trust the source?
•Would source tampering be evident?
•Hashes (integrity only), Digital Signatures (integrity plus authenticity of the source)
•Proof-Carrying Code
•Verification/Validation

Security: How Do You Prevent Attack? Trusted Targets
•Where did the update go?
•Is the target authorized to accept update?
•Are the assets protected?
•Authentication
•Authorization
•Confidentiality

Security: How Do You Prevent Attack? Trusted Channels
•Who has access to the infrastructure?
•Would in-transit tampering be evident?
•Can the installation be verified?
•End-to-end key distribution & encryption
•Non-repudiation
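On the device, the three trust questions above (source, target, channel) collapse into a fixed sequence of checks that must all pass before a byte is written to flash. The Go program below is an added example, not code from the talk or from OpenDOF: the image owner signs a small manifest with an Ed25519 key, and the device, holding only the owner's public key provisioned at manufacture, verifies the signature first, then that the image is for its own device type, then that the version is newer than what is installed, and finally that the received image matches the signed hash. The manifest fields, the key type and the device-type and version values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the image owner signs. It binds the image hash to
// a device type and a version so a genuine image cannot be replayed onto the
// wrong hardware or used to downgrade. (Field layout is an assumption for
// this example; OpenDOF defines its own structures.)
type Manifest struct {
	DeviceType string `json:"device_type"`
	Version    uint32 `json:"version"`
	ImageSHA   string `json:"image_sha256"`
	Size       int    `json:"size"`
}

// SignedManifest carries the exact bytes that were signed plus the signature,
// so the device verifies precisely what it later parses.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// Publish is the image owner's side: hash the image, build the manifest, sign it.
func Publish(priv ed25519.PrivateKey, deviceType string, version uint32, image []byte) (SignedManifest, error) {
	sum := sha256.Sum256(image)
	m := Manifest{DeviceType: deviceType, Version: version, ImageSHA: hex.EncodeToString(sum[:]), Size: len(image)}
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Device holds the trust anchor and the local state an update is checked against.
type Device struct {
	Type           string
	CurrentVersion uint32
	OwnerPub       ed25519.PublicKey // provisioned at manufacture, never downloaded
}

// Verify runs the trusted-source and trusted-target checks in order: the
// signature first (nothing in the manifest is trusted until it passes), then
// target eligibility, then image integrity against the signed hash.
func (d *Device) Verify(sm SignedManifest, image []byte) (*Manifest, error) {
	if !ed25519.Verify(d.OwnerPub, sm.Body, sm.Sig) {
		return nil, errors.New("manifest signature invalid: untrusted source")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	if m.DeviceType != d.Type {
		return nil, fmt.Errorf("image is for %q, this device is %q", m.DeviceType, d.Type)
	}
	if m.Version <= d.CurrentVersion {
		return nil, fmt.Errorf("version %d is not newer than installed %d: downgrade refused", m.Version, d.CurrentVersion)
	}
	if len(image) != m.Size {
		return nil, fmt.Errorf("image is %d bytes, manifest says %d", len(image), m.Size)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA {
		return nil, errors.New("image hash mismatch: tampered or corrupted")
	}
	return &m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2") // constructed sample input
	sm, _ := Publish(priv, "thermostat-a1", 2, image)
	dev := &Device{Type: "thermostat-a1", CurrentVersion: 1, OwnerPub: pub}
	if _, err := dev.Verify(sm, image); err != nil {
		fmt.Println("reject:", err)
	} else {
		fmt.Println("accept: manifest and image verified")
	}
	image[0] ^= 0xff // one byte altered in transit
	_, err = dev.Verify(sm, image)
	fmt.Println("tampered image:", err)
}
```

Two practical points. The version check refuses anything not newer than the installed image, so the "update again, to previous image" form of roll-back on a later slide has to be published as a fresh, higher-numbered release of the old code (or carry an explicitly signed rollback authorization) rather than by replaying the old manifest. And the trusted channel is in addition to this, not instead of it: transport encryption protects confidentiality and the infrastructure, but the end-to-end signature is what lets the device refuse anything its owner did not sign, even when the cloud host or CDN in between has been compromised.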

Reliability: How Do You Account for Failure?
•Failure is not an option
•Failure is reality

Reliability: How Do You Account for Failure? Gracefully Adapt
•Storage issues
•Adjust size, bandwidth
•Retry, with back-off
•Verification
•Validation

Reliability: How Do You Account for Failure? Roll Back
•Keep the previous image, revert
•Update again, to previous image
•Update the updater
– Try again

Scalability: How Do You Handle Millions of Updates? Convenience
•Enhancements
•Minor bug fixes
•Deploy slowly, at your convenience
•Low server capacity & bandwidth

Scalability: How Do You Handle Millions of Updates? Urgency
•Security vulnerabilities
•Major bugs
•Deploy quickly
•High server capacity & bandwidth

Scalability: How Do You Handle Millions of Updates? Shared, Cloud-Based Infrastructure
•Scale up to meet demand
•Scale down to reduce costs
•Share costs of setup & maintenance
•Pay for what you use

Requirements→Implementation: Defining a General Process for Scalable, Cloud-Based Device Reprogramming
1. Publish the update image
2. Determine population of eligible targets
3. Determine scheduling constraints
4. Reprogram each eligible target
5. Report progress

Requirements→Implementation: Reprogramming Each Eligible Target
A. Obtain authorization for update
B. Failsafe transition to Reprogram mode
– Failure reverts to Normal mode, no change
C. Transfer new image and update
D. Failsafe transition to Normal mode
– Failure reverts to Reprogram mode, retry

Requirements→Implementation: Two Images, Normal and Reprogram
•Reprogram image significantly smaller
– Custom Linux kernel and/or initrd
– Reduce dependencies & features
– Objectives:
• Obtain updated image
• Roll back

Requirements→Implementation: Bootloader and Hardware Support
•Atomic switching of boot image
•Atomic acceptance of booted image
– Failure reverts to last accepted boot image
•Power failure detection, protection
– Guarantee atomicity, quality of writes

The Update Process: 1. Publish the Update Image
•OpenDOF provider
– Image owner retains full ownership, control
– Complete security model
• Image owner (Trusted Source)
• Device (Trusted Target)
• Sessions (Trusted Channel)

The Update Process: 2. Determine Population of Eligible Targets
•Version Service using OpenDOF libraries
– Devices report type and software version
– Authorized clients may query database
• Devices of specific type
• Devices running specific software version
• Devices not running specific software version

The Update Process: 3. Determine Scheduling Constraints
•Population size
•Time constraints
•Cost constraints
•Determine required scale

The Update Process: 4A. Obtain Authorization
•Update Service using OpenDOF libraries
– Notifies device of time frame to update
– May include additional authorizations by
• Manufacturer
• Service provider
• User
• Device

The Update Process: 4B. Failsafe Transition to Reprogram Mode
•Atomically switch to Reprogram mode
•Reboot
•Reconnect
•Update Service accepts booted image
– Verification of connectivity

The Update Process: 4C. Transfer Image and Update
•OpenDOF requestor to image provider
– Transfer image blocks
– Leverage UDP
• Reduce buffering
• Block caching
– Verify image, signatures, etc.
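Block transfer over UDP with block caching, as sketched above, only stays safe if every block is checked before it is cached; otherwise one forged or corrupted datagram poisons the cache and is only caught by the final image verification, after the flash writes have been spent. The Go program below is an added example, not code from the talk or from OpenDOF: per-block SHA-256 digests (assumed here to travel inside the signed manifest, so the device already trusts them) let the device accept blocks in any order, discard a tampered block on arrival, re-request only what is missing, and space the retry rounds with the exponential back-off the reliability slides call for. The block size, the channel model and the constructed image are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// blockSize is tiny so the constructed image spans several blocks; a real
// device picks a flash-page-friendly size.
const blockSize = 16

// Split cuts an image into blocks and computes the per-block digests the image
// owner ships in the signed manifest (assumption: the manifest carries a hash
// list). Because the signature covers the list, a bad block can be rejected
// the moment it arrives rather than after the whole transfer.
func Split(image []byte) (blocks [][]byte, digests [][32]byte) {
	for off := 0; off < len(image); off += blockSize {
		end := off + blockSize
		if end > len(image) {
			end = len(image)
		}
		blocks = append(blocks, image[off:end])
		digests = append(digests, sha256.Sum256(image[off:end]))
	}
	return blocks, digests
}

// Assembler caches verified blocks by index, so delivery that is lossy,
// duplicated or out of order needs no stream buffer.
type Assembler struct {
	want     [][32]byte
	have     [][]byte
	Rejected int // blocks discarded because their digest did not match
}

func NewAssembler(digests [][32]byte) *Assembler {
	return &Assembler{want: digests, have: make([][]byte, len(digests))}
}

// Receive verifies one block against its expected digest before caching it.
func (a *Assembler) Receive(idx int, data []byte) error {
	if idx < 0 || idx >= len(a.want) {
		return fmt.Errorf("block %d out of range", idx)
	}
	if sha256.Sum256(data) != a.want[idx] {
		a.Rejected++
		return fmt.Errorf("block %d digest mismatch, discarded", idx)
	}
	if a.have[idx] == nil { // a duplicate of a verified block is harmless
		a.have[idx] = append([]byte(nil), data...)
	}
	return nil
}

// Missing lists the block indices still to be requested.
func (a *Assembler) Missing() (m []int) {
	for i, b := range a.have {
		if b == nil {
			m = append(m, i)
		}
	}
	return m
}

// Image returns the reassembled image once every block is present.
func (a *Assembler) Image() ([]byte, error) {
	if len(a.Missing()) > 0 {
		return nil, errors.New("image incomplete")
	}
	return bytes.Join(a.have, nil), nil
}

// Backoff is the delay before retry round attempt (1-based): exponential and
// capped, scaled by a jitter factor the caller draws from [0,1) in production,
// so a fleet retrying after an outage does not hit the provider in one burst.
func Backoff(attempt int, jitter float64) time.Duration {
	d := time.Second << uint(attempt-1)
	if d > 5*time.Minute || d <= 0 { // cap, and guard against shift overflow
		d = 5 * time.Minute
	}
	return time.Duration(float64(d) * jitter)
}

// Channel models the image provider seen through a lossy UDP path: a block may
// be dropped (ok=false) or arrive altered.
type Channel func(round, idx int, data []byte) (out []byte, ok bool)

// Transfer requests the missing blocks round by round until the image is
// complete or maxRounds is exhausted; it returns the assembler and rounds used.
func Transfer(blocks [][]byte, digests [][32]byte, ch Channel, maxRounds int) (*Assembler, int, error) {
	a := NewAssembler(digests)
	for round := 1; round <= maxRounds; round++ {
		for _, idx := range a.Missing() {
			if data, ok := ch(round, idx, blocks[idx]); ok {
				_ = a.Receive(idx, data) // a rejected block simply stays missing
			}
		}
		if len(a.Missing()) == 0 {
			return a, round, nil
		}
		_ = Backoff(round, 0.5) // a real agent sleeps this long before the next round
	}
	return a, maxRounds, errors.New("image incomplete after retries")
}

func main() {
	image := bytes.Repeat([]byte("constructed-firmware-"), 4) // constructed sample, 84 bytes
	blocks, digests := Split(image)
	lossy := func(round, idx int, data []byte) ([]byte, bool) {
		if round == 1 && idx == 1 {
			return nil, false // dropped in transit
		}
		if round == 1 && idx == 2 {
			bad := append([]byte(nil), data...)
			bad[0] ^= 0x01 // one flipped bit
			return bad, true
		}
		return data, true
	}
	a, rounds, err := Transfer(blocks, digests, lossy, 5)
	got, _ := a.Image()
	fmt.Printf("rounds=%d rejected=%d intact=%v err=%v\n", rounds, a.Rejected, bytes.Equal(got, image), err)
}
```

The whole-image hash from the signed manifest is still checked before the image is accepted (see the verification example earlier); the per-block digests are an optimisation that bounds the damage a bad block can do to one re-request rather than a full retransfer.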

The Update Process: 4D. Failsafe Transition to Normal Mode
•Atomically switch to Normal mode
•Reboot
•Reconnect
•Update Service verifies new version
•Update Service accepts booted image
– Verification of connectivity
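Steps 4B and 4D, together with the bootloader requirements on the earlier slide (atomic switching of the boot image, atomic acceptance of the booted image, revert to the last accepted image on failure), are one small state machine shared between the bootloader and the update agent. The Go program below is an added example, not the talk's or OpenDOF's code: the boot-state record is written atomically (temp file, fsync, rename, fsync of the directory) so a power cut leaves either the old record or the new one; a pending image is booted at most MaxTries times, and if the Update Service never accepts it, the next boot reverts to the last accepted image with no network involvement. The file layout, field names and the MaxTries value are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// MaxTries is how many boots a not-yet-accepted image gets before the
// bootloader gives up on it and reverts. (The value is an assumption.)
const MaxTries = 3

// State is the record the bootloader and the update agent share. On a real
// device it lives in its own flash region that nothing else writes.
type State struct {
	Accepted string `json:"accepted"` // last image the Update Service accepted
	Pending  string `json:"pending"`  // image we are switching to, "" if none
	Tries    int    `json:"tries"`    // boots attempted on Pending without acceptance
}

// Store persists State atomically.
type Store struct{ Path string }

func (s Store) Load() (State, error) {
	var st State
	b, err := os.ReadFile(s.Path)
	if err != nil {
		return st, err
	}
	return st, json.Unmarshal(b, &st)
}

// Save writes a temp file, fsyncs it, renames it over the live record and
// fsyncs the directory. Interrupted at any point, the live record is either
// wholly old or wholly new, which is the "atomic switch" the bootloader needs.
func (s Store) Save(st State) error {
	dir := filepath.Dir(s.Path)
	tmp, err := os.CreateTemp(dir, "bootstate-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	b, _ := json.Marshal(st)
	if _, err = tmp.Write(b); err == nil {
		err = tmp.Sync() // data on the medium before the rename points at it
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	if err = os.Rename(tmp.Name(), s.Path); err != nil {
		return err
	}
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync() // make the rename itself durable
}

// Switch records the intent to boot target (4B: Reprogram, 4D: Normal).
// Nothing runs differently until the bootloader reads the record.
func Switch(s Store, target string) error {
	st, err := s.Load()
	if err != nil {
		return err
	}
	st.Pending, st.Tries = target, 0
	return s.Save(st)
}

// Boot is the bootloader's decision: which image to start. The attempt is
// counted and persisted before control passes to the image, so an image that
// hangs or crashes still consumes a try. After MaxTries the pending image is
// abandoned and the last accepted one runs again.
func Boot(s Store) (string, error) {
	st, err := s.Load()
	if err != nil {
		return "", err
	}
	if st.Pending == "" {
		return st.Accepted, nil
	}
	if st.Tries >= MaxTries {
		st.Pending, st.Tries = "", 0 // give up on the pending image: revert
		return st.Accepted, s.Save(st)
	}
	st.Tries++
	return st.Pending, s.Save(st)
}

// Accept is invoked once the booted image has reconnected and the Update
// Service has verified it (connectivity in 4B, version in 4D). Only then does
// the pending image become the one the device falls back to.
func Accept(s Store, booted string) error {
	st, err := s.Load()
	if err != nil {
		return err
	}
	if st.Pending == "" && booted == st.Accepted {
		return nil // already accepted, nothing to do
	}
	if st.Pending != booted {
		return fmt.Errorf("cannot accept %q: pending image is %q", booted, st.Pending)
	}
	st.Accepted, st.Pending, st.Tries = booted, "", 0
	return s.Save(st)
}

func main() {
	dir, _ := os.MkdirTemp("", "bootstate")
	defer os.RemoveAll(dir)
	s := Store{Path: filepath.Join(dir, "state.json")}
	_ = s.Save(State{Accepted: "normal-v1"})
	_ = Switch(s, "reprogram")
	for i := 1; i <= MaxTries+1; i++ { // the image never gets accepted
		img, _ := Boot(s)
		fmt.Printf("boot %d runs %s\n", i, img) // the last boot is back on normal-v1
	}
}
```

Note that acceptance is a separate write from switching: an image that boots but never reaches the Update Service is never accepted and is eventually abandoned, which is what "verification of connectivity" on the slides buys. The same record covers 4D, where the last accepted image is the Reprogram image, so a Normal image that fails to come up reverts to Reprogram mode for another attempt rather than bricking the device.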

The Update Process: 5. Create a Report
•Update Service tracks progress of devices
•Generate report
– Scheduled
– Started
– Succeeded
– Failed

Summary: A Scalable, Cloud-Based Device Reprogramming Architecture
•General, robust update process
•Services to automate process
– Image
– Version
– Update
•Flexible OpenDOF libraries & protocols

Questions & Answers
https://opendof.org/