ATS Garage security: The Uptane framework
The most important concept in Uptane is that there are two sets of metadata, from separate sources, that must agree with each other and have valid cryptographic signatures.
The first comes from the TUF Repository. The TUF Repository contains metadata for update packages that are valid install targets, and its metadata is signed by a chain of trust with offline keys.
The second comes from the Director, which controls what updates (selected from the valid install targets) should actually be installed on devices. The Director uses online keys, and is part of the ATS Garage service.
Signing updates of system images
ATS Garage manages the Director for you. When you create an update campaign, we update the Director behind the scenes, signing the metadata for each image-device tuple in the campaign.
The TUF keys should be managed on your side; we provide tooling to help you do just that. When you build a new device, bitbake automatically signs the image for you, using TUF keys that you specify in the build’s
local.conf. Your initial key is created by ATS Garage, delivered to you inside your
credentials.zip file, and kept online for convenience and bootstrapping; for any production use you should rotate your TUF key and store it securely offline.