/****************************************************************************
**
** Copyright (C) 2016 The Qt Company Ltd.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the Qt OTA Update module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:GPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and The Qt Company. For licensing terms
** and conditions see https://www.qt.io/terms-conditions. For further
** information use the contact form at https://www.qt.io/contact-us.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3 or (at your option) any later version
** approved by the KDE Free Qt Foundation. The licenses are as published by
** the Free Software Foundation and appearing in the file LICENSE.GPL3
** included in the packaging of this file. Please review the following
** information to ensure the GNU General Public License requirements will
** be met: https://www.gnu.org/licenses/gpl-3.0.html.
**
** $QT_END_LICENSE$
**
****************************************************************************/
/*!
\page qtota-index.html
\title Over-The-Air Update
Over-The-Air (OTA) update is a mechanism of distributing software updates
over a wireless network without requiring physical access to a device.
The target device needs to have a support for the OTA to be able to update
wirelessly.
The \l {http://code.qt.io/cgit/qt/qtotaupdate.git/} {Qt OTA Update} module provides tools
that assist in enabling OTA update functionality in an embedded linux images build with
\l {http://code.qt.io/cgit/yocto/meta-boot2qt.git/} {meta-boot2qt}. Generating new updates
for OTA enabled devices is completely automated, given an ordinary linux sysroot as an input.
This includes OTA updates for linux kernel, system libraries, user space applications,
translation fixes, anything that is part of the sysroot. The offering includes
\l {Qt OTA Update C++ Classes} {C++} and \l {Qt OTA Update QML Types} {QML} APIs to make
integration with your Qt-based application a breeze.
The OTA solution is based on \l {https://ostree.readthedocs.org/en/latest/} {OSTree}. If you
would like to learn more about OSTree workings refer to the OSTree Documentation. There you
can read about the anatomy of an OSTree repository and the deployment system, booting, and
other internals of the project, as well as how OSTree compares to other update solutions.
The following blog post series contain additional details on the Qt OTA Update module:
\l {https://blog.qt.io/blog/2016/05/31/over-the-air-updates-part-1-introduction/}
{Over-the-Air Updates, Part 1: Introduction}\br
\l {https://blog.qt.io/blog/2016/06/28/over-the-air-updates-part-2-device-integration-api-and-creating-updates/}
{Over-the-Air Updates, Part 2: Device Integration, API and Creating Updates}\br
\l {https://blog.qt.io/blog/2016/11/11/air-updates-part-3-repository-configuration-handling/}
{Over-the-Air Updates, Part 3: Repository Configuration and Handling}
\section1 Features of the Update System
\list
\li Atomic Upgrades (all or nothing) - if an update did not fully complete,
for example due to a power failure, the system will boot into an unmodified
tree. The currently running tree is never modified, the update will become
active on a system reboot.
\li Secure - GPG signing and pinned TLS with client and server side authentication
support.
\li Efficient Handling of Disk Space - see the \c {/ostree} and the \c {/var}
in \l {Layout of an OTA Enabled Sysroot}.
\li Snapshot-based - traditional package managers (dpkg/rpm) build filesystem
trees on the client side. In contrast, the primary focus of OSTree is on
\e {replicating trees} composed on a server.
\li Bandwidth Optimized - only the new files and the files that have changed are
downloaded. When resuming from an interrupted download, only the missing files
are fetched.
\li Configuration Management - see the \c {/etc} in \l {Layout of an OTA
Enabled Sysroot}.
\li Rollback Support - atomically rollback to the previous version (tree) if
something goes wrong.
\li Updates Processing in Background - no unnecessary downtime for a user.
\li OS updates via OTA, with support for agnostic application delivery mechanism on top.
\endlist
\section1 Requirements
\list 1
\li Filesystem.
OSTree operates in userspace, and will work on top of any Linux filesystem
that supports hard and symbolic links. For OSTree to function reliably, the
filesystem needs to be able to recover to a consistent state after an unclean
shutdown. Any journaling or log-structured filesystem, when configured properly,
is capable of such recovery.
\li Boot Loader.
Supported boot loaders are: U-Boot, GRUB 2. \br
\endlist
\section1 Quick Start Guide
This guide will lead you through the full workflow of how to use the provided
OTA tools.
\list
\li Adding the OTA capability to a device before shipping it to a customer.
\li Generating an update from the new version of your product's sysroot.
\li Delivering this update to a customer device via OTA.
\li Securing a delivery of an update.
\li Support for custom update delivery mechanisms.
\endlist
\section2 Installation
OTA package is distributed with \l {Qt for Device Creation}. The OTA-related files are
installed under \c Tools/ota directory in the main SDK install location, referred to as
\c SDK_INSTALL_DIR in this guide.
When executing scripts, we will refer to the current working directory as
WORKDIR. We will be using the \c qt-ostree tool from the installation.
To see a full list of available command line arguments run the following
command:
\badcode
./qt-ostree --help
\endcode
Instead of providing a full path to \c qt-ostree each time we refer to it in
the guide, we will assume to be already in the
\c SDK_INSTALL_DIR/Tools/ota/qt-ostree directory.
\section2 Work on Your Product
Build your product on top of the \B2Q stack, or build your own custom embedded
linux image. When the image is ready for the \e {first release}, continue to the
\l {Enabling OTA Functionality on a Device}. Your product should also pre-integrate
an updater based on the Qt OTA Update module. You can find demo updater applications
in the \c SDK_INSTALL_DIR/Tools/ota/examples/ directory. Alternatively, you can
install an updater at a later point as a non-system application.
\section2 Enabling OTA Functionality on a Device
When preparing a device for shipping and subsequent updates are to be delivered
via OTA, you first need to enable this feature in the sysroot:
\list 1
\li Generate OSTree boot compatible initramfs image (skip this step if not using
initramfs for booting).
The device should be powered on, booted into your current product (the sysroot to be
released), and connected to a machine from which you will run the \c generate-initramfs
tool. The \l {https://en.wikipedia.org/wiki/Dracut_(software)} {Dracut} framework is
used to generate the initramfs image based on the currently running kernel. The image
uses systemd as an init system. You can, of course, provide your own (not necessarily
Dracut-based) initramfs, as long as you include the required \l {The Booting Process}
{OSTree boot logic}.
To generate the initramfs image, run:
\badcode
cd SDK_INSTALL_DIR/Tools/ota/dracut/
./generate-initramfs
\endcode
This will produce an \c initramfs-${device}-${release} file in the
working directory. The generated initramfs file will be needed in the later steps.
\target Boot loader integration.
\li Boot loader integration.
OSTree maintains bootloader-independent drop-in configuration files in a format
as defined by \l {https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/}
{The Boot Loader Specification}. Not all boot loaders support The Boot Loader
Specification, so OSTree contains code to generate native configuration files
from the bootloader-independent configurations.
The boot script used by your device has to be changed to use the configurations that are
managed by OSTree. This will ensure that, after OTA updates or rollbacks, the correct
kernel version (and corresponding boot files) will be selected at boot time.
\list
\li \b {U-Boot}
U-Boot tools package is required. In Ubuntu, this can be installed with the following
command:
\badcode
sudo apt-get install u-boot-tools
\endcode
OSTree maintains the \c uEnv.txt file, which the U-Boot environment should
import. If custom changes to \c uEnv.txt are required, use the \c --uboot-env-file
argument from the \c {qt-ostree} tool. The provided file will be appended to OSTree's
managed \c uEnv.txt.
OSTree maintains the following fields in \c uEnv.txt:
\list
\li \c ${kernel_image}: Path to the Linux kernel image.
\li \c ${ramdisk_image}: Path to the initramfs image (optional).
\li \c ${bootargs}: Parameters passed to the kernel command line.
\li \c ${bootdir}: Path to other files in the \c {\boot} directory
that belong to the same release and should be accessible
from U-Boot (DTBs, boot scripts).
\endlist
An example \c uEnv.txt when booting with initramfs:
\badcode
kernel_image=/ostree/qt-os-590db09c66551670019a487992f4dae9cb2067e241f7c7fefd6b3d35af55895b/vmlinuz
bootdir=/ostree/qt-os-590db09c66551670019a487992f4dae9cb2067e241f7c7fefd6b3d35af55895b/
ramdisk_image=/ostree/qt-os-590db09c66551670019a487992f4dae9cb2067e241f7c7fefd6b3d35af55895b/initramfs
bootargs=ostree=/ostree/boot.1/qt-os/590db09c66551670019a487992f4dae9cb2067e241f7c7fefd6b3d35af55895b/0
\endcode
A sample U-Boot logic that uses the imported OSTree's environment variables:
\raw HTML
if ${fs}load ${dtype} ${disk}:${part} ${script} uEnv.txt ; then
env import -t ${script} ${filesize}
else
echo "Error loading uEnv.txt"
exit
fi
fdt_file=<device_tree_filename>
${fs}load ${dtype} ${disk}:${part} ${kernel_addr} ${kernel_image}
${fs}load ${dtype} ${disk}:${part} ${fdt_addr} ${bootdir}/${fdt_file}
${fs}load ${dtype} ${disk}:${part} ${initramfs_addr} ${ramdisk_image}
# Don't overwrite bootargs set by OSTree in uEnv.txt.
setenv bootargs ${bootargs} <additional_bootargs>
bootz ${kernel_addr} ${initramfs_addr} ${fdt_addr}
\endraw
Enabling OSTree support requires minimal effort when using a default boot script
as the base. A default boot script here means whatever the device is currently using
for booting. The \c {qt-ostree} tool does not change the kernel image format, only
the path and the file name changes. If the original script uses the \c bootm command for
loading the kernel image, then the OSTree-enabled script should use \c bootm too.
\li \b {GRUB 2}
Whenever the boot loader configuration files need to be updated on a GRUB 2 based system,
OSTree executes \c ostree-grub-generator to convert bootloader-independent configuration
files into native grub.cfg format. A default script, used by the \c qt-ostree tool is
\c SDK_INSTALL_DIR/Tools/ota/qt-ostree/ostree-grub-generator.
You can customize this script to match your requirements and provide it to \c qt-ostree
via \c --grub2-cfg-generator. The \c ostree-grub-generator file contains additional
details, the script itself is about 40 lines long.
\endlist
You should expect to find all the files that are required for the boot process under the
\c {/boot} directory. Before starting to write the boot loader integration code, you can
run the \c qt-ostree tool without providing any boot loader specific files and
\l {The generated sysroot} {examine} the generated sysroot (see step 3). Particularly,
inspect what gets installed in the \c {/boot} directory, as this location is of special
interest to the boot loader integration code. The \c {/boot} directory may contain symbolic
links to files in the \c {loader/} directory (for example, \c {uEnv.txt -> loader/uEnv.txt}).
It is safe to read these symbolic links, as OSTree will ensure that the link target
changes atomically on system updates and rollbacks.
For more examples refer to \l {Device Integration Examples}.
\target The Booting Process
\b {The Booting Process}
OSTree includes a special \c ostree= kernel argument that points to the corresponding tree
(see the \c {/ostree} in \l {Layout of an OTA Enabled Sysroot}). When not using initramfs,
the kernel command will also contain the \c init= argument, pointing to the \c ostree-prepare-root
binary. The same binary is used from initramfs context. The \c ostree-prepare-root binary
parses the \c ostree= kernel command line argument to find the correct versioned tree. It
sets up the necessary mounts, notably the read-only mount on the \c {/usr} path, and makes
the versioned tree to appear as a real \c {"/"} root directory in the booted system.
After \c ostree-prepare-root (run as PID 1) completes, it passes control to the real init
process. In initramfs context, once \c ostree-prepare-root is done, systemd's
\c initrd-switch-root.target will take over. In initramfs, \c ostree-prepare-root is
used as a user space utility (as opposed to PID 1, when booting without initramfs).
\li Convert your sysroot into an OTA enabled sysroot.
The conversion is done using the \c qt-ostree tool.
\badcode
sudo ./qt-ostree \
--sysroot-image-path ${PATH_TO_SYSROOT} \
--create-ota-sysroot \
--ota-json ${OTA_METADATA} \
--initramfs ../dracut/initramfs-${device}-${release} \
--uboot-env-file ../examples/device-integration/nitrogen6x/6x_bootscript
\endcode
\target {The generated sysroot}
The generated sysroot can be examined by mounting the \c {boot.${BOOTFS_TYPE}} and
the \c {rootfs.${ROOTFS_TYPE}} filesystem images found in \c {WORKDIR}.
In this guide we assume that the system is based on U-Boot boot loader.
Notes on the arguments passed to \c {qt-ostree}:
\list
\li \b {\c --sysroot-image-path}
\list
\li A path to your sysroot. Binary image (\c {*.img})
and archive image (\c {*.tar.gz}) is accepted as
well as a path to an extracted sysroot.
\endlist
\li \b {\c --create-ota-sysroot}
\list
\li This option tells \c qt-ostree to create a binary image
that contains a bootable OTA enabled sysroot. You will have to
deploy the generated image to a device; in this guide, we use
an SD card as memory media (see step 4).
\endlist
\li \b {\c --ota-json}
\list
\li A JSON file containing arbitrary metadata about the system.
Use OtaClient::remoteMetadata to access the entire JSON file for
manual parsing.
\endlist
\li \b {\c --initramfs}
\list
\li The initramfs image that we generated in the step 1. If initramfs is
not used for booting, it may be necessary to provide additional
kernel command line arguments (for example, \c {--kernel-args "rootwait root=/dev/sda2"}).
The kernel arguments set with \b {\c --kernel-args} are passed to
the bootloader integration code. If additional kernel arguments are
resolved directly from boot scripts, then \c {--kernel-args} can be omitted.
\endlist
\li \b {\c --uboot-env-file}
\list
\li A custom U-Boot boot script or \c uEnv.txt file, see \l {Boot loader
integration}. This argument is optional as U-Boot environment can be
stored directly on the board's persistent storage dedicated for U-boot
environment, or defined when building the U-Boot binary.
\endlist
\endlist
\li Deploy the generated OTA image to an SD card.
Plug in an SD card or a reader to the development host, and use the
following command to find out its device name.
\badcode
lsblk -d
\endcode
Make sure to unmount all partitions on a device.
\badcode
sudo umount /dev/?*
\endcode
And then deploy the image.
\badcode
sudo dd bs=4M if= of=/dev/ && sync
\endcode
\li Test that everything went according to the plan.
Boot from the SD card and run the following command \e {from the device}:
\badcode
ostree admin status
\endcode
The output should be something similar to:
\badcode
* qt-os 36524faa47e33da9dbded2ff99d1df47b3734427b94c8a11e062314ed31442a7.0
origin refspec: qt-os:linux/qt
\endcode
This indicates that the deployment was successful.
\note You should also verify that application(s) are working as expected
and do not write outside the \l {Layout of an OTA Enabled Sysroot}
{permitted paths}.
\endlist
\section2 Preparing a New Update for an OTA Enabled Device
When preparing a \e {new update} for a device that already has OTA enabled, the
workflow is as follows:
\list 1
\li Work on your sysroot as you normally would. When the product is ready
for a release, continue to the next step.
\li Generate an update.
This is done by using the \c qt-ostree tool.
\badcode
sudo ./qt-ostree \
--sysroot-image-path ${PATH_TO_SYSROOT} \
--ota-json ${OTA_METADATA} \
--initramfs ../dracut/initramfs-${device}-${release} \
--start-trivial-httpd
\endcode
The above command will create a new commit in the OSTree repository at \c
{WORKDIR/ostree-repo/}, or create a new repository if one does not exist.
Use the \c --ostree-repo argument to provide a custom path. This repository
is the OTA update source and can be exported to a production server at any time.
OSTree repositories can be served via a static HTTP server.
Notes on the arguments passed to \c {qt-ostree}:
\list
\li \b {\c --initramfs}
\list
\li When doing \e {minor releases} that do not update the
kernel:
Use the same initramfs that you already have generated
for this kernel version in the earlier steps.
\li When doing a \e {major release} that updates a kernel:
It is advised to regenerate initramfs for each new
kernel release, so that the kernel and initramfs
versions \e match.
\endlist
As before, if not using initramfs, it may be necessary to provide
additional kernel command line arguments via \b {\c --kernel-args}.
\li \b {\c --sysroot-image-path}
\list
\li Provide a path to the \e {new version} of your sysroot.
\endlist
\li \b {\c --start-trivial-httpd}
\list
\li Starts a simple web server which you can access on the
local host at address specified in \c WORKDIR/httpd/httpd-address
file. This command line argument is useful for quick testing purposes,
in production with more advanced requirements (for example, TLS
authentication) you will need to use a different web server solution.
\endlist
\endlist
Updating the contents of the \c {/boot} directory is supported only for major releases -
when kernel/initramfs versions change. The kernel/initramfs version is considered to
change when \c bootcsum changes in the following expression:
\badcode
bootcsum=$(cat vmlinuz initramfs | sha256sum | cut -f 1 -d ' ')
\endcode
\l {The generated sysroot} {Examine} the generated sysroot to see which files are installed
in this directory by \c {qt-ostree} and might need to be updated together with kernel/initramfs.
\li Use Qt OTA APIs to update devices.
\li Go back to step 1.
\endlist
\section2 Securing a Delivery of an Update
OTA is a component of a system and not a security framework. It is always the final product
that needs to be analyzed for security implications and requirements. The Qt OTA Update module
supports the following security/authentication mechanisms:
\list
\li \b {GNU Privacy Guard (GPG)}
GPG signing helps to ensure that the data was transmitted in-full, without
damage or file corruption and that the data was sent by a trusted party. A
set of trusted keys is stored as keyring files on a device. Look for \c {--gpg-*}
command line arguments in the output of \c {./qt-ostree --help}.
In Ubuntu, the required packages can be installed with the following command:
\badcode
sudo apt-get install gnupg2
\endcode
\li \b {Transport Layer Security (TLS)}
TLS protects data from tampering and eavesdropping. TLS authentication can be used on the
server side to restrict the access to the server (client authentication) and on client side
to verify the identitiy of an update server (server authentication).
Look for \c {--tls-*} command line arguments in the output of \c {./qt-ostree --help}.
\endlist
To learn more about the security topics from the above list, consult dedicated resources.
For the corresponding client side API see OtaRepositoryConfig.
\section2 Offline Updates and Custom Delivery Mechanisms
Updating devices via OtaClient::update() requires a target device to be connected to the
Internet and this mechanism is limited to HTTP(S) only (OtaRepositoryConfig::url). An
alternative approach is to generate a self-contained update package. A self-contained
package support can be enabled by passing \c {--create-self-contained-package} to the
\c {qt-ostree} tool. This will generate a \c {WORKDIR/superblock} binary file. Generating
a self-contained update package is required when:
\list
\li A device has no network connection and is intended to be
updated via external media such as a USB drive.
\li Some other protocol or proprietary mechanism is used to
deliver software to a device.
\endlist
As all APIs in the Qt OTA Update module, applying a self-contained update package is an
atomic process, and is done via OtaClient::updateOffline().
\section1 Layout of an OTA Enabled Sysroot
There are two directories on a device for a safe storage of local files:
\c {/var} and \c {/etc}.
The sysroot generated by OTA tools adds convenience symbolic links in the
\c {/} root directory, including symbolic links pointing to the \c {/var}.
\b {Important:}
\list
\li Do not create or modify files in other locations, these files will be
garbage collected on the next upgrade.
\li Do not directly modify the contents of the \c {/ostree} and the \c {/boot}
directory. This can result in a system that fails to boot.
\endlist
\table
\header \li Directory \li Description
\row \li \c {/usr}\unicode {0xA0}[read\unicode {0x2011}only]
\li Everything that is part of the OS - mounted read-only to prevent
inadvertent corruption. It's recommended that an operating system
ships all of its content in /usr. The contents of this directory are
updated via OTA.
\row \li \c {/etc}
\li Host-specific system-wide configuration files. OTA \e preserves all
local changes by doing a 3-way merge. \br \br
\b {How a 3-way merge works:}
First OSTree checks on the \e {currently booted tree} which configuration
files have been changed, removed or added by a user by comparing the
/etc with the read-only /usr/etc/. The /usr/etc is where OSTree stores
default configurations of the tree as composed on the server (each
tree has its own read-only copy of the /usr/etc). The advantage of
having read-only /usr/etc is that you always have access to system
defaults.
Then OSTree takes /etc of the \e {OTA update}, which is a separate
copy from your running /etc (each tree has its own writable copy of
the /etc) as a base and applies your local changes on top. It doesn’t
attempt to understand the contents of files – if a configuration file
on a device has been modified in any way, that wins.
\row \li \c {/var}
\li The only directory that is \e preserved and \e shared across upgrades.
This is where user and application data should be stored.
\note OSTree does not update the contents of /var, it is the
responsibility of the OS to manage and upgrade /var if required.
\row \li \c /ostree
\li The location of the OSTree repository on a device and where the
bootable versioned filesystem trees are installed. These trees \e
share all common files via hard links into the OSTree repository.
This means each version is deduplicated; an upgrade process only
costs disk space proportional to the new files, plus some constant
overhead.
\note /ostree is a symbolic link to /sysroot/ostree.
\row \li \c /boot
\li Contains the boot loader configuration files, kernel, initramfs, and
other files that are required for the boot process.
\row \li \c /sysroot
\li Physical / root directory mount point.
\row \li \c /
\li Versioned filesystem tree's mount point.
\endtable
\section1 Device Integration Examples
Find examples for real embedded devices in the \c
SDK_INSTALL_DIR/Tools/ota/examples/device-integration/ directory.
*/