HERE OTA Connect aligns with the Uptane security framework. Uptane was developed in response to the clear need for a comprehensive security model for automotive updates, and is the first security system that provides serious compromise resilience in that space[1].

Uptane structure

The most important concept in Uptane is that there are two sets of metadata, from separate sources, that must agree with each other and have valid cryptographic signatures.

The first comes from the TUF Repository[2]. The TUF Repository contains metadata for update packages that are valid install targets, and its metadata is signed by a chain of trust with offline keys.

The second comes from the Director, which controls what updates (selected from the valid install targets) should actually be installed on devices. The Director uses online keys, and is part of the OTA Connect service.

Signing updates of system images

OTA Connect manages the Director for you. When you create an update campaign, we update the Director behind the scenes, signing the metadata for each image-device tuple in the campaign.

The TUF keys should be managed on your side; we provide tooling to help you do just that. When you build a new device, bitbake automatically signs the image for you, using TUF keys that you specify in the build’s local.conf[3]. Your initial key is created by HERE OTA Connect, delivered to you inside your credentials.zip file, and kept online for convenience and bootstrapping; for any production use you should rotate your TUF key and store it securely offline[4].

Primary and secondary ECUs

In the Uptane framework, an ECU is categorized as either a primary or a secondary ECU. In most cases, a vehicle has one primary ECU and several secondary ECUs. The primary ECU is responsible for downloading and distributing software to the secondary ECUs. In many cases, the Telematics Control Unit (TCU) serves the role of primary ECU. A primary ECU also verifies and distributes the Uptane-compliant metadata associated with each piece of software.

Secondary ECUs, such as the Transmission or Body control modules, receive the software and should also perform some form of metadata verification. If the ECU has sufficient processing capabilities, it should perform a full verification of the Uptane-compliant metadata, otherwise it should at least perform a partial verification.

To get an overview of the ECUs detected in a device, open the OTA Connect web application and navigate to the device details for the device. This view shows the ECUs grouped according to whether they are primary and secondary ECUs.


1. "Uptane is the first compromise-resilient software update security system for the automotive industry.", https://uptane.github.io
2. It’s called the TUF repository because it uses The Update Framework.
3. The TUF keys are packed inside the zip file specified by the SOTA_PACKED_CREDENTIALS line.
4. Proceed with caution! Once you take the key offline, HERE Technologies cannot recover it.