Technical Documentation: Firmware update
The update process is generic for any kind of update (for example: firmware update, configuration update or application update). It runs through different stages controlled by the update service of the Proficloud. Every step is transparently reported to the UI.
Update request command
At the first stage the device firmware is asked whether an update from the cloud with the given metadata (update type, update version, update size, etc.) is allowed and can be performed. The device firmware checks the free space on the device, the upgrade/downgrade conventions and the device state (for example the run state of a PLC) and responds "allowed" or "not allowed".
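As an added illustration of this admission check (example code, not Proficloud or PLCnext firmware code), the following Go program decides "allowed" / "not allowed" from the three inputs the text names: free space against the update size, the version convention (no reinstall of the same version, downgrade only when explicitly permitted) and the run state. The field names, the 10% headroom for unpacking, the rule that configuration and application updates carry their own version scheme, and the requirement that a firmware update only runs in the STOP state are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// UpdateMeta is the metadata sent with an update request.
// Field names are assumptions for this example.
type UpdateMeta struct {
	Type    string // "firmware", "configuration" or "application"
	Version string // dotted version, e.g. "2023.6.1"
	Size    int64  // image size in bytes
}

// DeviceState is what the device firmware knows about itself.
type DeviceState struct {
	FreeSpace        int64
	InstalledVersion string
	RunState         string // "STOP" or "RUN" on a PLC (assumed values)
	AllowDowngrade   bool   // downgrade convention configured on the device
}

// Decision is the answer reported back to the update service.
type Decision struct {
	Allowed bool
	Reason  string
}

// parseVersion splits "2023.6.1" into [2023 6 1]; anything non-numeric is refused.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	nums := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version component %q in %q", p, v)
		}
		nums = append(nums, n)
	}
	return nums, nil
}

// compareVersions returns -1 if a < b, 0 if equal, 1 if a > b.
// Missing trailing components count as zero ("1.2" equals "1.2.0").
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(va) || i < len(vb); i++ {
		x, y := 0, 0
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// CheckUpdateRequest implements the device-side "allowed"/"not allowed" decision.
func CheckUpdateRequest(meta UpdateMeta, dev DeviceState) Decision {
	// Free space: keep headroom for unpacking the image (10% is an assumption).
	needed := meta.Size + meta.Size/10
	if dev.FreeSpace < needed {
		return Decision{false, fmt.Sprintf("insufficient space: need %d bytes, have %d", needed, dev.FreeSpace)}
	}
	if meta.Type == "firmware" {
		cmp, err := compareVersions(meta.Version, dev.InstalledVersion)
		if err != nil {
			return Decision{false, "unparseable version: " + err.Error()}
		}
		if cmp == 0 {
			return Decision{false, "version " + meta.Version + " is already installed"}
		}
		if cmp < 0 && !dev.AllowDowngrade {
			return Decision{false, "downgrade to " + meta.Version + " not permitted"}
		}
		// A firmware update ends in a reboot, so require the PLC to be stopped.
		if dev.RunState != "STOP" {
			return Decision{false, "PLC must be in STOP for a firmware update, currently " + dev.RunState}
		}
	}
	return Decision{true, "ok"}
}

func main() {
	// Constructed device state and requests for the demonstration.
	dev := DeviceState{FreeSpace: 500 << 20, InstalledVersion: "2023.0.5", RunState: "STOP"}
	for _, m := range []UpdateMeta{
		{"firmware", "2023.6.1", 200 << 20},
		{"firmware", "2022.9.0", 200 << 20},
		{"application", "1.0.0", 600 << 20},
	} {
		d := CheckUpdateRequest(m, dev)
		fmt.Printf("%-12s %-9s -> allowed=%v (%s)\n", m.Type, m.Version, d.Allowed, d.Reason)
	}
}
```

The reason string is what a device would report back so the UI can show why a request was refused, which matches the transparency requirement stated above.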
On the download request the actual download is executed via a temporary signed HTTP endpoint (with TLS server authentication). If the download was successful, the device responds with the success message.
Download check request
After a successful download, the downloaded image is checked with device-specific tools. The PLCnext implementation, for example, checks the SHA-256 checksum and the signature of the RAUC bundle used for firmware updates. The result of the check is reported back to the Proficloud.
The last request performs the actual installation of the update. Only after the installation has been confirmed as successful (which may require an automated reboot) does the device report the successful installation of the update.
To design the update process as secure as possible, every command has several security features:
- Commands contain a trigger and expiry date: Time is a very important security factor. If the system time of the device is wrong, TLS certificates cannot be verified correctly. In addition, the trigger and expiry dates prevent an attacker from replaying a captured command at a later time than intended.
- Commands are signed: Every command sent from the Proficloud is signed (JSON Web Signature, https://tools.ietf.org/html/rfc7515) by a CA which is tied to a single organization account. After a manual transfer of the public CA certificate to the device, the device can verify that the received command was sent from the specified account of the Proficloud.
- TLS secured connection: The whole MQTT communication between Proficloud and device is TLS secured with client certificate authentication.
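The following Go program is an added example (not Proficloud or PLCnext code) of the device-side checks behind the signed-command and trigger/expiry features above, together with the checksum part of the download check described earlier: it builds and verifies an RFC 7515 compact serialization with ES256, refuses any header algorithm other than the expected one, enforces the `nbf`/`exp` window against the device clock, and compares the SHA-256 of the downloaded image with a digest carried in the signed command. The payload field names, the use of ES256, a freshly generated key standing in for the organization CA key, and the placement of the expected image digest inside the command are all assumptions of this example; the page itself says the PLCnext implementation verifies the RAUC bundle's own signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Command is the signed payload. Field names are assumptions for this example.
type Command struct {
	Action      string `json:"action"`       // e.g. "update_request", "download", "download_check", "install"
	UpdateType  string `json:"update_type"`  // "firmware", "configuration" or "application"
	Version     string `json:"version"`
	ImageSHA256 string `json:"image_sha256"` // assumption: expected hex digest of the image
	Trigger     int64  `json:"nbf"`          // not valid before (unix seconds)
	Expiry      int64  `json:"exp"`          // not valid at or after (unix seconds)
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// SignCommand produces a JWS compact serialization (RFC 7515) with alg ES256.
func SignCommand(priv *ecdsa.PrivateKey, cmd Command) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	payload, err := json.Marshal(cmd)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// ES256 signatures are R||S, each left-padded to 32 bytes (not DER).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyCommand checks algorithm, signature and time window before the payload is trusted.
func VerifyCommand(pub *ecdsa.PublicKey, token string, now time.Time) (*Command, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &hdr); err != nil {
		return nil, err
	}
	// The device expects exactly ES256; the header is never allowed to choose the algorithm.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var cmd Command
	if err := json.Unmarshal(payload, &cmd); err != nil {
		return nil, err
	}
	t := now.Unix()
	if t < cmd.Trigger {
		return nil, fmt.Errorf("command not yet valid (trigger %d, now %d)", cmd.Trigger, t)
	}
	if t >= cmd.Expiry {
		return nil, fmt.Errorf("command expired (expiry %d, now %d)", cmd.Expiry, t)
	}
	return &cmd, nil
}

// CheckImageDigest is the checksum half of the download check: the downloaded
// bytes must hash to the digest that arrived inside the verified command.
func CheckImageDigest(cmd *Command, image []byte) bool {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:]) == cmd.ImageSHA256
}

func main() {
	// Constructed demonstration: the cloud side signs, the device side verifies.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the account CA key
	image := []byte("constructed firmware image bytes")
	sum := sha256.Sum256(image)
	now := time.Now()
	cmd := Command{Action: "download_check", UpdateType: "firmware", Version: "2023.6.1",
		ImageSHA256: hex.EncodeToString(sum[:]), Trigger: now.Unix() - 10, Expiry: now.Unix() + 60}
	tok, _ := SignCommand(priv, cmd)
	got, err := VerifyCommand(&priv.PublicKey, tok, now)
	fmt.Println("command accepted:", err == nil, "image digest ok:", err == nil && CheckImageDigest(got, image))
	_, err = VerifyCommand(&priv.PublicKey, tok, now.Add(2*time.Minute))
	fmt.Println("replay after expiry rejected:", err != nil)
}
```

The order of the checks matters: the signature is verified over the exact header and payload bytes received, and only a payload that passed the signature check is parsed for its time window, so a tampered `nbf`/`exp` cannot extend a captured command's lifetime.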