
# Thistle OTA Update Overview

> Overview of Thistle's OTA Update solution

The Thistle OTA (Over-The-Air) update mechanism is an end-to-end update
platform that handles the entire chain, from the built binary to its safe
distribution to each device it is deployed on.

<img src="https://mintcdn.com/thistletechnologies/RuOvvatuLqT9Z9Z-/images/chain.svg?fit=max&auto=format&n=RuOvvatuLqT9Z9Z-&q=85&s=859951893f396db0b4e708463af55724" alt="Update Distribution" width="1867" height="718" data-path="images/chain.svg" />

## End-to-End Trust Model

The update mechanism relies on daemon software running on the end-devices. This
software is written in Rust, a memory-safe language that offers very high
performance and lightweight binaries. Special attention has been paid to
software supply-chain security, and all binaries are bit-for-bit reproducible.

To simplify the packaging, signing, and upload of each update bundle, use the
Thistle Release Helper.

## Filesystem update or file update

Two modes of operation are supported by the Thistle Update Platform: a full
filesystem update and a file update system. The full filesystem update
mechanism installs an entirely new system image on the device; the file update
mechanism updates individual files on the device.

In both modes of operation, updates are fully A/B verified: an issue occurring
during the update will not leave the device broken, because the device always
falls back to the previous known working state. These errors can be intrinsic
(e.g. failing to boot after a filesystem update) or customer-defined, with the
help of one or more scripts.

<img src="https://mintcdn.com/thistletechnologies/RuOvvatuLqT9Z9Z-/images/abboot.svg?fit=max&auto=format&n=RuOvvatuLqT9Z9Z-&q=85&s=7aaf2488fcb898979f35a9f9d21fd7fb" alt="A/B Boot Process" width="1177" height="1096" data-path="images/abboot.svg" />

## Platform resilience

While the Thistle Platform is built with resilience in mind, users have the
option of specifying a `backup_manifest_url` in the [device configuration
file](/update/configuration_file). This fallback allows a device to download an
update manifest from a secondary source if Thistle's Platform cannot be reached
for any reason. It also allows fielded devices with no internet access to
perform local updates.

## Security model

The Thistle update mechanism ensures end-to-end trust from the manufacturer to
the end-device. To establish this trust, each end-device cryptographically
verifies that the update bundle (manifest) was signed with the manufacturer's
private key.

Establishing trust from the manufacturer to the end-device ensures that the
content installed on the device is exactly what the manufacturer intended and
cannot be tampered with by any third party, not even by the Thistle
Infrastructure.

The default signature scheme relies on
[minisign](https://jedisct1.github.io/minisign/), a safe and trusted toolchain
to perform signature verification. We also support the use of [YubiKey to sign
the update bundle](https://github.com/thistletech/trh-y), as well as [Key
Management System support](https://github.com/thistletech/trh-k).
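As an added illustration (not Thistle's code; the daemon itself is written in Rust, and Go is used here only because its standard library ships Ed25519), the round trip described above: the manufacturer signs a manifest in minisign's signature-file layout, and a device accepts the manifest only if both signatures verify under the pinned manufacturer public key. It implements minisign's legacy "Ed" (non-prehashed) form and rejects the "ED" prehashed form; the function names, key ID and manifest bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SignManifest writes a signature file in minisign's layout ("Ed" = non-prehashed variant):
// base64("Ed"||keyID||sig(content)), a trusted comment, and a global signature over
// sig||comment so the comment cannot be swapped without the private key.
func SignManifest(priv ed25519.PrivateKey, keyID, content []byte, comment string) string {
	sig := ed25519.Sign(priv, content)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), comment...))
	return "untrusted comment: example\n" +
		base64.StdEncoding.EncodeToString(append(append([]byte("Ed"), keyID...), sig...)) +
		"\ntrusted comment: " + comment + "\n" + base64.StdEncoding.EncodeToString(global) + "\n"
}

// VerifyManifest is the device-side check: accept only if the key ID matches the pinned
// manufacturer key and both Ed25519 signatures verify. "ED" (BLAKE2b-prehashed)
// signatures are rejected here because BLAKE2b is not in Go's standard library.
func VerifyManifest(keyID []byte, pub ed25519.PublicKey, sigFile string, content []byte) error {
	l := strings.Split(strings.TrimSpace(sigFile), "\n")
	if len(l) != 4 || !strings.HasPrefix(l[2], "trusted comment: ") {
		return errors.New("malformed signature file")
	}
	sig, err := base64.StdEncoding.DecodeString(l[1])
	if err != nil || len(sig) != 10+ed25519.SignatureSize || string(sig[:2]) != "Ed" ||
		string(sig[2:10]) != string(keyID) {
		return errors.New("unsupported algorithm, malformed signature, or key ID mismatch")
	}
	if !ed25519.Verify(pub, content, sig[10:]) {
		return errors.New("manifest signature invalid: content altered or wrong key")
	}
	global, err := base64.StdEncoding.DecodeString(l[3])
	comment := strings.TrimPrefix(l[2], "trusted comment: ")
	if err != nil || !ed25519.Verify(pub, append(append([]byte{}, sig[10:]...), comment...), global) {
		return errors.New("global signature invalid: trusted comment altered")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // manufacturer key pair, generated for this demo
	keyID, manifest := []byte("01234567"), []byte(`{"version":"1.2.3"}`) // constructed values
	sigFile := SignManifest(priv, keyID, manifest, "timestamp:1700000000")
	fmt.Println(VerifyManifest(keyID, pub, sigFile, manifest), VerifyManifest(keyID, pub, sigFile, []byte("x")))
}
```

Real minisign key IDs are 8 random bytes chosen at key generation; the fixed value above only keeps the demo deterministic.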

## Device Provisioning

Two modes of provisioning are supported by the Thistle Update Platform: a
pre-provisioning workflow, or an a posteriori, trust-on-first-use (TOFU)
provisioning workflow. See the dedicated [device provisioning
page](/update/device_provisioning) for more information.
