End-to-End Trust Model
The update mechanism relies on daemon software running on the end devices. This software is written in Rust, a memory-safe language that offers high performance and lightweight binaries. Special attention has been paid to software supply chain security, and all binaries are bit-for-bit reproducible, so a build from source can be compared against the shipped artifact. To simplify the packaging, signing, and upload of each update bundle, the Thistle Release Helper should be used.
Filesystem update or file update
Two modes of operation are supported by the Thistle Update Platform: full filesystem update and file update. A full filesystem update installs an entire new system image on the device; a file update replaces individual files on the device. In both modes, updates are A/B and verified: the new image or files are installed alongside the currently running ones and only become active once they have been confirmed to work, so a failure during or after an update does not leave a broken device; the device always falls back to the previous known-good state. Failure conditions can be intrinsic (for example, the device fails to boot after a filesystem update) or customer-defined, with the help of one or more scripts.
Platform resilience
While the Thistle Platform is built with resilience in mind, users have the option of specifying a backup_manifest_url in the device configuration file. This fallback allows a device to download an update manifest from a secondary source if the Thistle Platform cannot be reached for any reason. It also allows fielded devices with no internet access to perform local updates.
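The following is an added example, not Thistle's code, that models one update cycle as the two sections above describe it: the daemon tries the platform manifest first and then the backup_manifest_url (a file:// backup is what lets an offline device update from local media), stages the image in the inactive slot, and commits only after the trial boot passes the intrinsic and customer-defined health checks, otherwise falling back to the known-good slot. The configuration field name manifest_url, the fetch and verify hooks, the slot layout and the sample checks are assumptions made for illustration; the page does not describe the daemon's real interfaces or manifest signature format.

```rust
// Added example (not Thistle's code). Everything except the name
// backup_manifest_url is an assumption made for illustration.
use std::fs;

/// Device configuration (assumed shape; only backup_manifest_url is on the page).
pub struct DeviceConfig {
    pub manifest_url: String,
    pub backup_manifest_url: Option<String>,
}

/// Transport and verification hooks. A real daemon would use an HTTP client and
/// check the manifest's signature here; both are left to the caller.
pub type Fetch<'a> = &'a dyn Fn(&str) -> Result<Vec<u8>, String>;
pub type Verify<'a> = &'a dyn Fn(&[u8]) -> Result<(), String>;

/// Try the platform URL first, then the backup. Both sources go through the
/// same `verify` hook, so falling back never weakens the trust model.
pub fn fetch_manifest(cfg: &DeviceConfig, fetch: Fetch, verify: Verify) -> Result<(String, Vec<u8>), String> {
    let mut errors = Vec::new();
    let sources = std::iter::once(cfg.manifest_url.as_str()).chain(cfg.backup_manifest_url.as_deref());
    for url in sources {
        match fetch(url).and_then(|body| verify(&body).map(|_| body)) {
            Ok(body) => return Ok((url.to_string(), body)),
            Err(e) => errors.push(format!("{url}: {e}")),
        }
    }
    Err(errors.join("; "))
}

/// Reads file:// URLs from disk and treats every other URL as unreachable,
/// which stands in for "the platform is down" in this example.
pub fn offline_fetch(url: &str) -> Result<Vec<u8>, String> {
    match url.strip_prefix("file://") {
        Some(path) => fs::read(path).map_err(|e| e.to_string()),
        None => Err("unreachable".to_string()),
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Slot { A, B }

/// Boot state a bootloader would consult: the known-good slot, plus a slot
/// that gets exactly one trial boot before it is either committed or dropped.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct BootState { pub active: Slot, pub trial: Option<Slot> }

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome { Committed(Slot), RolledBack { kept: Slot, reason: String } }

/// A health check run once the new image is up; customer scripts fit this shape.
pub type HealthCheck = fn() -> Result<(), String>;

/// Write the image into the inactive slot. A failed write never touches `active`.
pub fn stage_update(state: &BootState, write_image: impl Fn(Slot) -> Result<(), String>) -> Result<BootState, String> {
    let target = match state.active { Slot::A => Slot::B, Slot::B => Slot::A };
    write_image(target)?;
    Ok(BootState { active: state.active, trial: Some(target) })
}

/// First boot after staging. `booted == false` models the intrinsic failure
/// (the trial slot never reached userspace); otherwise the checks decide.
pub fn first_boot(state: BootState, booted: bool, checks: &[HealthCheck]) -> (BootState, Outcome) {
    let kept = state.active;
    let trial = match state.trial {
        Some(t) => t,
        None => return (state, Outcome::Committed(kept)),
    };
    let verdict = if booted { checks.iter().try_for_each(|check| check()) } else { Err("trial slot failed to boot".to_string()) };
    match verdict {
        Ok(()) => (BootState { active: trial, trial: None }, Outcome::Committed(trial)),
        Err(reason) => (BootState { active: kept, trial: None }, Outcome::RolledBack { kept, reason }),
    }
}

/// Constructed customer-defined checks standing in for health-check scripts.
pub fn app_ready() -> Result<(), String> { Ok(()) }
pub fn app_crashed() -> Result<(), String> { Err("app exited with status 1".to_string()) }

fn main() {
    let cfg = DeviceConfig {
        manifest_url: "https://platform.example/manifest".to_string(), // hypothetical URL
        backup_manifest_url: Some("file:///media/usb/manifest".to_string()), // hypothetical local media
    };
    // Stand-in verifier: a real one checks the manifest signature.
    let verify: Verify = &|b| if b.starts_with(b"signed:") { Ok(()) } else { Err("bad signature".to_string()) };
    match fetch_manifest(&cfg, &offline_fetch, verify) {
        Ok((src, _)) => println!("manifest from {src}"),
        Err(e) => println!("no usable manifest: {e}"),
    }
    let staged = stage_update(&BootState { active: Slot::A, trial: None }, |_| Ok(())).unwrap();
    let (state, outcome) = first_boot(staged, true, &[app_ready]);
    println!("{outcome:?} -> active slot {:?}", state.active);
}
```

The verify hook runs on whichever source answered, so the backup manifest is held to exactly the same check as the platform one; a fallback path that skipped verification would turn the resilience feature into a downgrade vector.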