In the last talk before lunch, my colleague Enrico Jörns talked about the RAUC (Robust Auto Update Controller) framework.

While customers might disagree, the most important reason for updating is deploying security updates and bugfixes, not features. Updating should be as robust as possible; unattended updates should not brick your device. In addition, unauthorized modification should be avoided. Often people start with a shell script (well, there is never enough time to develop an update system, right?), but over the time it turned out that this also often misses a lot of important corner cases regarding NAND handling, sudden power loss, out-of-memory situations etc. An updating concept always starts with a controlled environment (i.e. Yocto, PTXdist, Buildroot) and a lot of (mostly automated) testing of the generated root filesystem. Then you need to verify identity, both of the device (is it the right image for it?) and of the update service (is this authorized to update this device?). In order to achieve atomicity, RAUC makes use of redundancy. A+B scenarios have the advantage that it is really robust (you can fallback if something goes wrong), but needs enough space for two systems. One of the design criteria for RAUC was that it is designed as a framework, so you can use it with many different bootloaders (Barebox, U-Boot, Grub), media (USB stick, NAND, eMMC, ...). RAUC contains an update daemon that runs on the device under Linux, plus a D-Bus connected command line tool to talk to RAUC. Updates are put into bundles (compressed and mountable squashfs) which are signed with X.509 signatures and can basically contain anything. Bundles contain things to put into slots (i.e. rootfs, app-fs, bootloader). Enrico outlined that RAUC also supports different integrity mechanisms (IMA/EVM, DM-Verity), even those where files are re-hashed with a key which is only available on the target. Finally, RAUC can be integrated with the Hawkbit deployment server. For integration, there is meta-rauc for Yocto, and it is also integrated in PTXdist mainline.