\section{Concept for implementing OTA updates}
The firmware for all \textit{ESP8266}-based devices in the hackerspace is built on the same framework. \textit{Sming} provides the base library for this \textit{ESPer} framework, which provides components and functionality shared by all devices. This allows code for functionality common to multiple devices to be reused.
To implement \textit{OTA} updates under the given requirements, we define a topology that integrates our build infrastructure, firmware repository, and controller with the IoT WiFi network to which the devices are connected. For our reference implementation, we deliberately chose lightweight and common software projects so that the individual components can easily be exchanged. The base topology used is shown in Figure \ref{fig:topology}.
\begin{figure}[htbp] \centering\fbox{\includegraphics[width=.98\linewidth]{topology.pdf}} \caption{The base network topology.} \label{fig:topology} \end{figure}
The source code of the \textit{ESPer} project is published in a \textit{Git} source code repository. From there, the continuous integration system is responsible for automatically building and publishing the firmware binary files as soon as updated source code is available. It is also in charge of assembling and publishing the meta-information required for the update process. Both systems are described in detail in the following section. Updates to the devices' firmware are triggered either actively (manually or by the CI system) or on a regular schedule by the devices themselves. This process is described in section \ref{flashlayout}.
For monitoring and maintenance purposes, each device publishes a set of information to a well-known \textit{MQTT} topic after connecting to the network. Besides data such as device type, chip and flash ID, the published data includes details about the bootloader, SDK and firmware version as well as relevant details from the bootloader configuration, such as the currently booted ROM slot and the default ROM slot to boot from. This allows administrators to find devices with outdated bootloaders and helps to find missing or failed updates.
\subsection{Common framework and build infrastructure}
The framework includes a build system that allows basic parameters to be configured for all devices, including, but not limited to, the Wi-Fi access parameters, the \textit{MQTT} connection settings and the updater URLs. Because they share the same code, all devices behave consistently when reporting the device status or interacting with the home-automation controller. This eases configuration and allows information about all devices to be collected at a central location.
As development on the devices usually happens in cycles, some of the projects would miss updates of the framework and therefore would not benefit from newly added features or fixed problems. Regularly updating the framework version and rebuilding the firmware would often be an easy way to gain these benefits, but requires manual interaction. Further, problems could arise if the application programming interface (API) of the framework changes. In this situation, the device firmware must be updated to use the changed API, which can be an unpleasant and complex task and leads to higher latency for firmware updates. To prevent these problems, the device firmware of all devices in the hackerspace is integrated with the framework into a larger project. By doing so, each device-specific code is always linked to the latest version of the framework. The corresponding device type is provided as a string through a global constant at compile time and it must never be changed during operation. Device-specific code is organized in a sub-folder for each device type. To build the software, a \textit{Makefile} \cite{make} is used, which provides a simple way to achieve reproducible builds. When a new build process is started, the build system scans for all device-specific folders and calls the original build process for each of them. After the build of the firmware has finished, the build system also creates a file for each device containing the build version and the firmware signatures.
To avoid interference between different build environments on developers' computers and to roll out new versions as early as possible, the code has been integrated into a continuous integration (CI) system. The CI, which is based on \textit{drone} \cite{drone} and provided as part of the hackerspace infrastructure, allows commands to be executed on each version published to the \textit{Git} repository. In this specific case, whenever a new version is checked in to the release branch, the \textit{Makefile} is used to build the binary firmware files and publish them to the firmware repository server.
For this purpose, a \textit{drone} configuration file as shown in Listing~\ref{lst:drone} has been added to the source code as \texttt{.drone.yml}.
\subsection{Device setup and flash layout}\label{flashlayout}
Microcontroller boards based on the \textit{ESP8266} MCU mostly follow the same layout: the MCU is attached to a flash chip which contains the bootloader, firmware and other application data. The memory mapping mechanism of the MCU allows only a single page of 1 MB of flash to be mapped at the same time \cite{ESP8266_Memory_Map} and the selected range must be aligned to 1 MB blocks.
\begin{figure}[htbp] \centering\includegraphics[scale=0.6]{flash_layout.pdf} \caption{The flash layout used for two ROMs.} \label{fig:memory_layout} \end{figure}
As the binary to download and flash may exceed the size of the free heap memory, the received data must be written to flash directly. However, executing code from the memory-mapped flash while overwriting the same area with the downloaded update leads to errors, because the executed code changes immediately to the updated one. To avoid this, we chose the memory layout shown in Figure~\ref{fig:memory_layout}. The flash is split in half to contain two firmware ROMs with different versions, one being executed and one being downloaded. This standby firmware also acts as a safety mechanism if the download fails or is interrupted, as the previous version stays intact and can still be used (refer to requirement \ref{req2}). In case of an error, the old firmware is kept unchanged and will be used until a newer firmware has been downloaded successfully. In addition to the two firmware ROMs, the flash provides room for the bootloader and its configuration.
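The two-slot update flow described above, modelled in C as an added example that is not taken from the \textit{ESPer} code base: chunks are written directly to the standby slot, and the boot slot changes only for a complete image whose signature check passed. The 2 MB flash size, the \texttt{0x2000} reserved offset, the in-memory flash array and all function names are assumptions made for this illustration; the signature verification itself is not implemented here and its result is passed in by the caller.

```c
#include <stdint.h>
#include <string.h>

/* Assumed for this example: 2 MB flash, one ROM per 1 MB-aligned half, and a
 * hypothetical 0x2000-byte reserved area at the start of each half. */
#define MB         0x100000u
#define ROM_OFFSET 0x2000u
#define ROM_MAX    (MB - ROM_OFFSET)

static uint8_t flash[2u * MB];                /* in-memory stand-in for the flash chip */
static struct { uint8_t current_rom; } boot;  /* stand-in for the bootloader config */

struct ota { uint8_t target; uint32_t written; int failed; };

static uint32_t rom_addr(uint8_t slot) { return slot * MB + ROM_OFFSET; }

/* Select and erase the standby slot; the running slot is never touched. */
void ota_begin(struct ota *o) {
    o->target = (uint8_t)(boot.current_rom ^ 1u);
    o->written = 0;
    o->failed = 0;
    memset(&flash[rom_addr(o->target)], 0xFF, ROM_MAX);
}

/* Write one received chunk straight to flash, refusing to leave the slot. */
int ota_write(struct ota *o, const uint8_t *chunk, uint32_t len) {
    if (o->failed || len > ROM_MAX - o->written) { o->failed = 1; return -1; }
    memcpy(&flash[rom_addr(o->target) + o->written], chunk, len);
    o->written += len;
    return 0;
}

/* Switch the boot slot only for a complete image whose signature check passed
 * (signature_ok is the caller's verification result, not computed here). */
int ota_finish(struct ota *o, uint32_t image_len, int signature_ok) {
    if (o->failed || o->written != image_len || !signature_ok) return -1;
    boot.current_rom = o->target;
    return 0;
}

/* Constructed scenario: receive `received` of `image_len` bytes in 256-byte chunks. */
int simulate(uint32_t image_len, uint32_t received, int signature_ok) {
    uint8_t chunk[256];
    struct ota o;
    memset(chunk, 0xA5, sizeof chunk);
    ota_begin(&o);
    for (uint32_t off = 0; off < received; off += sizeof chunk) {
        uint32_t left = received - off;
        if (ota_write(&o, chunk, left < sizeof chunk ? left : (uint32_t)sizeof chunk)) break;
    }
    ota_finish(&o, image_len, signature_ok);
    return boot.current_rom;   /* slot the bootloader would start next */
}
```

An interrupted download, a failed signature check and an oversized image all leave the boot slot and the running ROM unchanged; only a complete, verified image switches slots.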
\subsection{Cryptographically securing the firmware update}
To ensure that only valid firmware runs on the device, the update process calculates and checks the firmware's signature. For this, \textit{curve25519} \cite{curve25519} and \textit{sha512} \cite{sha512} are used, which together form a modern, secure method for signatures \cite{crypto-ftw}.
The signature is created by the build system for each of the two firmware ROMs at build time and is provided as meta-information alongside the firmware binaries. Therefore, the build system must be equipped with the private key used to create the signatures. In contrast, the microcontroller only needs to know the corresponding public key.