sys/suit: initial support for SUIT firmware updates

[kaspar030]

Contribution description

This PR contains initial support for updating RIOT using an implementation of SUIT draft version 4.

This currently only supports a limited use case: one component, two slots (one active one passive). Basically, it allows SUIT compliant infrastructure and tooling to update a RIOT node.

Note: The implementation should not yet be considered production ready.

The implementation is based on a draft spec that will change in the near future. The implementation has also not yet gone through any security audit.
This should still be usable for less security sensitive deployments, and by getting this into master, we hope to get more exposure and feedback going towards production readiness.

The RIOT-fp project commits to maintaining and improving this implementation.

The PR is grouped in three commits:

• one commit adding the sys/suit module, including manifest handling and a CoAP based update service
• one commit adding necessary tooling (key- and manifest-generation) to dist/tools/suit
• one commit adding examples/suit_update, show-casing SUIT usage in addition to providing an automated test case.

The commit history looks quite large due to the large list of dependencies. This PR should serve as tracking PR as long as there are open dependencies.

Testing procedure

The PR ships with an example application in examples/suit_update, which includes testing instructions using an automated test, which tests updating each slot over ethos.
The test is also run by the CI.

Apart from verifying that updating works for a given node, it would be very helpful to get feedback on the documentation and whether it describes the necessary steps in your setup.

Issues/PRs references

Depends on #11801, #11802, #11803, #11805, #11816, #11707, #11690, #11697, and riotdocker #73

[kaspar030]

• removed dependency to nanocoap: make coap_get_block2() actually fill struct #11802, updated graph

[kaspar030]

CI is missing some python libraries for manifest generation... RIOT-OS/riotdocker#73

[kaspar030]

• riotboot_flashwrite issues are fixed in riotboot: set FLASHFILE to RIOTBOOT_EXTENDED_BIN if riotboot feature is used #11690
• libcose issues will be dealt with in pkg/libcose: bump version #11801

[kaspar030]

• rebased to remove dependency on nanocoap: make coap_get_block2() actually fill struct #11802 and to include updated riotboot: set FLASHFILE to RIOTBOOT_EXTENDED_BIN if riotboot feature is used #11690
• fixed digest extraction

[fjmolinas]

While reviewing #11805 I realized res is uninitialized if MODULE_SUIT_V4 is not used.

[fjmolinas]

still needs addressing

[kaspar030]

• rebased with sys/riotboot: add initial image digest verification #11805 merged

[kaspar030]

Found an issue with the key generation targets not being properly serialized before "clean".
Split out a new "CLEAN" variable into #11829.

[kaspar030]

The dependency graph is getting smaller! 😄

[kaspar030]

• rebased after pkg/libcose: bump version #11801 merged. Only the CI PR left!

[jcarrano]

This PR has way too many lines with no tests. Please provide tests.

[fjmolinas]

There's an issue with nanocoap_server choosing the wrong source address for a coap reply. IMO this is unrelated, but causes the test to fail. We're investigating.

I had pointed out the initial issue IRL to @kaspar030

To be clear what was happening is that aiocoap was sending a trigger to the devices EUI64 link local address, so [fe80::20d:46ff:fe3b:adf0%riot0] but for some reason the ACK received by aiocoap did not come from the EUI64 link local address but from [fe80::2%riot0] and there was no more observed traffic after that, the test stalled.

aiocoap-client -m POST "coap://[fe80::20d:46ff:fe3b:adf0%riot0]/suit/trigger" \
	--payload "coap://[fd00:dead:beef::1]/fw/samr21-xpro/$(basename /home/francisco/workspace/RIOT/examples/suit_update/bin/samr21-xpro/suit_update-riot.suitv4_signed.latest.bin)" && \
	echo "Triggered [fe80::20d:46ff:fe3b:adf0%riot0] to update."
WARNING:coap:Received Type.ACK from <UDP6EndpointAddress [fe80::2%riot0]:5683 with local address>, but could not match it to a running exchange

All ACK from the device are with [fe80::2%riot0], so aiocoap keeps POSTS to the original address expecting a response from [fe80::20d:46ff:fe3b:adf0%riot0].

At first it answers correctly to the block requests from [fe80::20d:46ff:fe3b:adf0%riot0], but at some point it answers with destination unreachable (port unreachable)

This issue appears sometimes after flashing, setting up the network and launching the tests. When it appears setting-up the network again multiple times ends up fixing it.

I would say this would be fixed by #12404. EDIT: will test

[fjmolinas]

I'm having issues in finding a reliable way to reproduce this issue. I've tried testing a bunch on time rebased on #12404, and I haven't been able to reproduce the bug.

It shows up (edit: in this PR withouth #12404) from time to time when executing the setup for the automatic tests and launching. (I have to re-do the setup each time for it to work)

sudo dist/tools/ethos/setup_network.sh riot0 2001:db8::/64

BOARD=samr21-xpro make -C examples/suit_update test

BOARD=samr21-xpro make -C examples/suit_update test

[kaspar030]

I've pushed a commit to disable testing on CI until the source address selection is resolved.

[fjmolinas]

All my request changes have been addressed and I have no issues with the code (I trust @aabadie review of the python code).

There is still work to be done, parts of the standard to be supported and the tests can be improved. But there are already PR's and current work to address this. The code is completely isolated so it should not impact any other feature, so I find it safe to merge this during soft-feature-freeze. This will also make it easy to improve and change the code base in the feature. This is a good initial support for suit and ota.

I have tested this code extensively: locally, over ethos and in wireless setups, with nodes continuously updating. There are some issues regarding network setup, explicitly when multiple addresses are present (link-local or global), but this is an issue with the source address selection, so unrelated (although it impacts this PR), I have stated the details of this issue and #12404, #12408 partially address this issue. I agree with disabling it in murdock since we are not sure it can be reliably ran in the CI. Running it locally still allows verifying the code and its functionality. IMO this is not a reason to block this PR.

The documentation is detailed in explaining the usage, and has been tested multiple times, and improved accordingly. The feature is tagged as @experimental, so should be treated as such by users.

What is your stance here @aabadie?

[aabadie]

What is your stance here @aabadie?

I think it's time to move forward with secure ota and suit. I know @fjmolinas tested this work extensively and I also did it a bit. This is working well.
The python code is good enough to be merged.
There's room for improvement, of course, but it can and will come in follow-up PRs, for sure.

ACK!

[miri64]

https://ci.riot-os.org/RIOT-OS/RIOT/11818/3addde53777b489a901b1cecf1ff43ef4ddb4569/output/compile/tests/pkg_u8g2/esp32-wemos-lolin-d32-pro:gnu.txt Is the worker out of disk space, or what happened here?

[kaspar030]

Is the worker out of disk space, or what happened here?

Seems like it ran out of tmpfs space.

[fjmolinas]

@kaspar030 go ahead and click the button :) !

[kaspar030]

Congrats everyone! 😄

[miri64]

🎉

[bergzand]

🎉

[emmanuelsearch]

Yay! Congrats to all involved! 🎉

[benpicco]

This contains a uint8_t flashpage_buf[FLASHPAGE_SIZE]; with FLASHPAGE_SIZE being up to 8k on some platforms - is it a good idea to put that on the stack?

[benpicco]

Where does that number come from?

[benpicco]

What is this used for? 😉

[benpicco]

This is not in any header - should be static?

[benpicco]

Should we export that so it can be used without the suit thread?

[benpicco]

Why the added 64?