Uptane: Securing Software Updates for Automobiles
Background
Initially, based on the secure framework TUF (The Update Framework, originally introduced in 2010), Uptane is an open-source software update system designed to provide secure software updates for ground vehicles. It is considered the de facto standard for secure software updates for automotive. The Uptane Alliance was formally instituted to standardize the design. As a result, the Uptane Standard for Design and Implementation Volume 1.0 was released by the IEEE/ISTO Federation in July 2019 (IEEE-ISTO 6100.1.0.0). Currently, the Alliance joined with the Linux Foundation Joint Development Foundation to continue running the project.
Summary
The Uptane standard provides guidelines for implementing Uptane in most systems capable of updating software on connected units in ground vehicles, including passenger vehicles, light-duty trucks, heavy-duty trucks, and motorcycles.
The standard starts with providing a number of illustrative use-cases for Uptane, such as initializing Update at the factory using software updates over-the-air, updating ECUs on demand, with a complete image or with multiple deltas.
The second part of the standard looks at threat models and attack strategies, in order to provide insight into why systems should be designed in a resilient manner. Attacker goals, capabilities and a description of threats (eavesdropping, denying installation of updates, interfering with ECU functionality, and controlling an ECU or vehicle) provide the basis for this information.
The last part focuses on the detailed design of the Uptane framework, without going into specific implementation details. At a high level, Uptane requires:
- Two software repositories:
- An Image repository containing binary images to install, and signed metadata about those images
- A Director repository connected to an inventory database that can sign metadata on-demand for images in the Image repository
- Repository tools for generating Uptane-specific metadata about images
- A public key infrastructure supporting the required metadata production/signing roles on each repository:
- Root – Certificate authority for the Uptane ecosystem. Distributes public keys for verifying all the other roles’ metadata
- Timestamp – Indicates whether there are new metadata or images
- Snapshot – Indicates images released by the repository at a point in time, via signing metadata about targets metadata
- Targets – Indicates metadata about images, such as hashes and file sizes
- A secure way for ECUs to know the time
- An ECU capable of downloading images and associated metadata from the Uptane
- An in-vehicle client on a Primary ECU capable of verifying the signatures on all update metadata and downloading updates on behalf of its associated Secondary ECUs. The primary ECU MAY be the same ECU that communicates with the
- A client or library on each Secondary ECU capable of performing either full or partial verification of metadata
Note
Uptane is integrated in Automotive Grade Linux, which is supported by a number of automotive OEMs and suppliers. It has been further audited in 2016-2017 by Cure53 (audit of an Advanced Telematic Systems/HERE Inc. implementation of Uptane), in 2017 (assessment of Kolide’s TUF implementation), and in 2018 (by the Southwest Research Institute).