Updating device firmware
See the Introduction section for a more general overview of Device Management Update.
This chapter guides you through the process of updating device firmware. It discusses:
This section explains how to prepare your device to receive updates with Device Management Update client. To configure the client on a device, you will need the appropriate firmware image and bootloader for your device, as well as unique identifiers for the device type and a certificate used to authenticate updates.
The updatable firmware images contain the OS, the Update client and the user application. There are two types of firmware images: full and delta. The image you initially flash to a device is the full one, and you can perform subsequent delta updates using smaller, partial images. The bootloader accesses new firmware written by the Update client and checks that there were no errors while Update client was writing the new firmware to the device. It checks the integrity of the active firmware and each new image, copying the newest image to the active application memory region. It then forwards control to the start of the application binary, so that the application containing Update client now has control and can receive further updates.
This section introduces you to firmware manifests. These manifests encode the information that devices need to make decisions before applying an update, such as whether to trust and accept the update, and when and how to apply it. It then discusses the manifest tool used to create firmware manifests.
This section also explains how to create and monitor update campaigns. An update campaign defines which device or devices receive a firmware update and the firmware image that is installed. It is built around the firmware manifest and a filter that determines which devices receive the manifest.
Arm provides a secure firmware update solution and our security model describes these responsibilities and relationships within the system. Security in firmware updates explains how public key cryptography is used to verify an update’s validity, ensuring the authenticity of the firmware, its manifest and image. An authenticity certificate, signed by a Certificate Authority or self-signed, is stored and used for verifying updates, and this section discusses generating authenticity certificates, verifying update manifests and an ultimate source of trust. Finally, this section introduces you to securing Device Management Update on Linux, offering best practices and important considerations for mitigating several classes of threats. It discusses physical security, local security and Device Management Update security.
This section provides a number of tutorials introducing you to the Device Management Update development workflow, and showing you how to use Device Management Portal to create and manage update campaigns that update firmware on devices connected to Device Management. It begins by explaining how to set up and prepare your development environment for building update firmware. It discusses how to get a device certificate and API key, as well as create the default authentication certificates for Device Management Update, which includes installing and initializing the manifest tool. You are then ready to explore the following tutorials:
-
Integrating Device Management Update client into your user application: This tutorial shows you how to configure your user application to use Device Management Update client. It explains how to authorize the user application to install the firmware update, use callbacks to monitor the download progress of the firmware update and handle errors from Device Management Update client.
-
Preparing images: This tutorial discusses how to prepare, build and update images on an Mbed OS device and on a Raspberry Pi 3. It explains how to create the full and delta firmware and update images.
-
Preparing manifests: This tutorial shows you how to create a firmware manifest by using the manifest tool, as well as how to test a firmware update on a single device and prepare a manifest file for use in a campaign.
-
Running update campaigns: This tutorial explains how to create an update campaign, which relies on a device filter to target specific devices.
-
Updating firmware using Device Management Client Lite. This tutorial shows you how to create and upload a firmware binary and manifest to Device Management Client Lite on the device, create a device filter, and create and manage an update campaign.
Getting started: using the Mbed development tools
The fastest way to get started with Update is to use the Mbed development tools. They integrate with the manifest tool and the update APIs, and rely on Mbed OS and its bootloader, as well as Device Management Update client. Please see:
- A quick connect guide for the Online Compiler.
- A review of the Mbed CLI commands.