
Thistle OTA Update

The Thistle OTA (Over-The-Air) update mechanism is an end-to-end update platform, handling the entire chain from the binary to the safe distribution on each device it is deployed on.

End-to-End Trust Model

The update mechanism relies on daemon software running on the end-devices. This software is written in Rust, a memory-safe language that offers very high performance and lightweight binaries. Special attention has been paid to software supply chain security, and all binaries are bit-for-bit reproducible.

In order to simplify the packaging, signature, and upload of each update bundle, the Thistle Release Helper should be used.

Filesystem update or file update

Two modes of operation are supported by the Thistle Update Platform: full filesystem update, and file update. The full filesystem update mechanism installs an entire new system image on the device, and the file update mechanism updates individual files on the device.

In both modes of operation, updates are fully A/B verified, meaning that an issue occurring during the update will not leave a broken device: the device always falls back to the previous known working state. These errors can be intrinsic (e.g. failure to boot after a filesystem update), or customer-defined with the help of multiple scripts.

Full system A/B boot process

Platform resilience

While the Thistle Platform is built with resilience in mind, users have the option of specifying a backup_manifest_url in the device configuration file. This fallback plan allows a device to download an update manifest from a secondary source if Thistle's Platform cannot be reached for any reason. This also allows fielded devices with no internet access to perform local updates.

Security model

As shown in the top diagram, the Thistle update mechanism ensures end-to-end trust from the manufacturer to the end-device. To establish this trust, each end-device cryptographically verifies that the update bundle (manifest) has been signed with the manufacturer's private key.

Establishing trust from the manufacturer to the end-device ensures that the content installed on the device is exactly what the manufacturer intended, and cannot be tampered with by any third party, not even by the Thistle Infrastructure.

The default signature scheme relies on minisign, a safe and trusted toolchain to perform signature verification. We also support the use of YubiKey to sign the update bundle, as well as Key Management System support.
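The verification step the device performs on a minisign-signed manifest, as an added illustration that is not Thistle's daemon code and not the minisign tool itself: Ed25519 is a compact transcription of the RFC 8032 reference implementation, and the file layout follows the minisign public-key and .minisig formats (algorithm tag, 8-byte key id, signature, then the "trusted comment" line covered by a second, global signature). The manufacturer seed, key id, manifest contents and comments are constructed for the example; a real deployment would use the manufacturer's minisign key pair and the release helper rather than this code.

```python
"""Minisign-format verification of an update manifest (educational re-implementation).
Layout assumed from the minisign format:
  .pub     line 2 : base64("Ed" || key_id[8] || pk[32])
  .minisig line 2 : base64("Ed"|"ED" || key_id[8] || sig[64])   "ED" = BLAKE2b-512 prehashed
  .minisig line 3 : "trusted comment: <text>"
  .minisig line 4 : base64(Ed25519 over sig[64] || <text>)       (global signature)
"""
import base64, hashlib

# --- Ed25519, compacted from the RFC 8032 reference code ---
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, p - 2, p) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)

def h512(s): return hashlib.sha512(s).digest()
def h512_q(s): return int.from_bytes(h512(s), "little") % q

def pt_add(P, Q):  # extended coordinates (X, Y, Z, T)
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def pt_mul(s, P):  # double-and-add scalar multiplication
    Q = (0, 1, 1, 0)
    while s:
        if s & 1: Q = pt_add(Q, P)
        P = pt_add(P, P); s >>= 1
    return Q

def pt_eq(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def recover_x(y, sign):  # x from y and the sign bit, None if the point is invalid
    if y >= p: return None
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    if x2 == 0: return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * SQRT_M1 % p
    if (x * x - x2) % p: return None
    return p - x if (x & 1) != sign else x

Gy = 4 * pow(5, p - 2, p) % p
Gx = recover_x(Gy, 0)
G = (Gx, Gy, 1, Gx * Gy % p)

def compress(P):
    zi = pow(P[2], p - 2, p); x, y = P[0] * zi % p, P[1] * zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decompress(s):
    y = int.from_bytes(s, "little"); sign = y >> 255; y &= (1 << 255) - 1
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

def expand(seed):  # clamp the secret scalar, return (scalar, nonce prefix)
    h = h512(seed); a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def ed_pub(seed): return compress(pt_mul(expand(seed)[0], G))

def ed_sign(seed, msg):
    a, prefix = expand(seed); A = compress(pt_mul(a, G))
    r = h512_q(prefix + msg); Rs = compress(pt_mul(r, G))
    return Rs + ((r + h512_q(Rs + A + msg) * a) % q).to_bytes(32, "little")

def ed_verify(pub, msg, sig):
    if len(pub) != 32 or len(sig) != 64: return False
    A, R = decompress(pub), decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= q: return False
    return pt_eq(pt_mul(s, G), pt_add(R, pt_mul(h512_q(sig[:32] + pub + msg), A)))

# --- minisign layout on top of Ed25519 ---
def _b64(raw): return base64.b64encode(raw).decode()

def minisign_sign(seed, key_id, msg, trusted_comment):
    """Stand-in for the manufacturer's signing step; emits (.pub text, .minisig text) in prehashed mode."""
    pub_txt = "untrusted comment: constructed manufacturer key\n" + _b64(b"Ed" + key_id + ed_pub(seed)) + "\n"
    sig = ed_sign(seed, hashlib.blake2b(msg).digest())      # blake2b default digest is 64 bytes
    glob = ed_sign(seed, sig + trusted_comment.encode())     # global signature also binds the comment
    sig_txt = ("untrusted comment: signature from constructed key\n" + _b64(b"ED" + key_id + sig) + "\n"
               "trusted comment: " + trusted_comment + "\n" + _b64(glob) + "\n")
    return pub_txt, sig_txt

def verify_bundle(pub_txt, sig_txt, msg):
    """What the device does before installing: True only if manifest, key id and trusted comment all verify."""
    pub = base64.b64decode(pub_txt.splitlines()[1])
    lines = sig_txt.splitlines()
    sig_blob, tc_line, glob = base64.b64decode(lines[1]), lines[2], base64.b64decode(lines[3])
    if len(pub) != 42 or pub[:2] != b"Ed" or len(sig_blob) != 74: return False
    alg, key_id, sig = sig_blob[:2], sig_blob[2:10], sig_blob[10:]
    if key_id != pub[2:10]: return False                    # signed by some other key: reject
    if not tc_line.startswith("trusted comment: "): return False
    if alg == b"ED": msg = hashlib.blake2b(msg).digest()   # prehashed mode
    elif alg != b"Ed": return False                         # unknown algorithm tag
    pk = pub[10:]
    return ed_verify(pk, msg, sig) and ed_verify(pk, sig + tc_line[len("trusted comment: "):].encode(), glob)

# Constructed sample data: a fixed seed stands in for the manufacturer's minisign secret key.
SEED = hashlib.sha256(b"constructed manufacturer seed").digest()
KEY_ID = b"\x01\x02\x03\x04\x05\x06\x07\x08"
MANIFEST = b'{"version":"1.2.3","image":"rootfs-1.2.3.img","sha256":"<placeholder>"}\n'
PUB_TXT, SIG_TXT = minisign_sign(SEED, KEY_ID, MANIFEST, "timestamp:0 file:manifest.json")

if __name__ == "__main__":
    print("genuine manifest :", verify_bundle(PUB_TXT, SIG_TXT, MANIFEST))
    print("tampered manifest:", verify_bundle(PUB_TXT, SIG_TXT, MANIFEST.replace(b"1.2.3", b"9.9.9", 1)))
```

The key id comparison and the global signature over the trusted comment are the two checks that are easy to omit when hand-rolling a verifier: without the first, a signature from any key of the same format would be accepted against the wrong public key; without the second, the timestamp and file name in the trusted comment could be rewritten in transit. The same verification applies to a manifest fetched from a backup_manifest_url, since the secondary source is no more trusted than the primary one.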

Device Provisioning

Two modes of provisioning are supported by the Thistle Update Platform: either a pre-provisioning workflow, or an a posteriori provisioning workflow (TOFU, trust on first use). See the dedicated device provisioning page for more information.