pw_software_update: Get started#

pw_software_update: Secure software delivery

Hello Bundles!#

A bundle represents a single software release instance – including all target files of the software build and metadata needed to match, verify and install the build on a target device.

The following illustrates how a bundle is created, signed, inspected, and verified using pw update ... commands.

  1. First let’s make a working directory under your Pigweed dir. The pw update command is not yet visible outside the Pigweed directory.

$ cd ~/pigweed
$ source activate.sh

$ mkdir hello_bundles
$ cd hello_bundles
  1. Create signing keys for “root” and “targets” roles.

Note

Here keys are generated locally for demonstration purposes only. In production, you must use a proper key management service (such as Google Cloud KMS) to generate, control access to, and log usage of software signing keys.

$ mkdir keys
$ pw update generate-key keys/root_key
$ pw update generate-key keys/targets_key
$ tree
.
└── keys
    ├── root_key
    ├── root_key.pub
    ├── targets_key
    └── targets_key.pub
  1. Now that we have the keys, let’s find them an owner by creating the root metadata.

# Assign a single key to each "root" and "targets" roles.
$ pw update create-root-metadata --append-root-key keys/root_key.pub \
   --append-targets-key keys/targets_key.pub -o root_metadata.pb

# Sign the root metadata with the root key to make it official.
$ pw update sign-root-metadata --root-metadata root_metadata.pb \
   --root-key keys/root_key

# Review the generated root metadata (output omitted for brevity).
$ pw update inspect-root-metadata root_metadata.pb
  1. Now we are ready to create a bundle.

# Start with an empty bundle.
$ pw update create-empty-bundle my_bundle.pb

# Add root metadata.
$ pw update add-root-metadata-to-bundle \
   --append-root-metadata root_metadata.pb --bundle my_bundle.pb

# Add some files.
$ mkdir target_files
$ echo "application bytes" > target_files/application.bin
$ echo "rtos bytes" > target_files/rtos.bin
$ pw update add-file-to-bundle --bundle my_bundle.pb --file target_files/application.bin
$ pw update add-file-to-bundle --bundle my_bundle.pb --file target_files/rtos.bin
$ tree
   .
   ├── keys
      ├── root_key
      ├── root_key.pub
      ├── targets_key
      └── targets_key.pub
   ├── my_bundle.pb
   ├── root_metadata.pb
   └── target_files
       ├── application.bin
       └── rtos.bin

# Sign our bundle with the "targets" key.
$ pw update sign-bundle --bundle my_bundle.pb --key keys/targets_key

# Review and admire our work (output omitted).
$> pw update inspect-bundle my_bundle.pb
  1. Finally we can verify the integrity of our bundle.

Note

Here we are using python3 -m pw_software_update.verify because the pw verify-bundle command is WIP.

$ python3 -m pw_software_update.verify --incoming my_bundle.pb
   Verifying: my_bundle.pb
   (self-verification)
   Checking content of the trusted root metadata
          Checking role type
          Checking keys database
          Checking root signature requirement
          Checking targets signature requirement
          Checking for key sharing
   Verifying incoming root metadata
          Checking signatures against current root
          Total=1, threshold=1
          Verified: 1
          Checking content
          Checking role type
          Checking keys database
          Checking root signature requirement
          Checking targets signature requirement
          Checking for key sharing
          Checking signatures against current root
          Total=1, threshold=1
          Verified: 1
          Checking for version rollback
          Targets key rotation: False
   Upgrading trust to the incoming root metadata
   Verifying targets metadata
          Checking signatures: total=1, threshold=1
          Verified signatures: 1
          Checking content
          Checking role type
   Checking targets metadata for version rollback
   Verifying target file: "application"
   Verifying target file: "rtos"
   Verification passed.

🎉🎉 Congratulations on creating your first pw_software_update bundle! 🎉🎉

To learn more, see pw_software_update: Design.