AWS IoT OTA Update

Hi,

I try to make our OTA Updates for the device more secure. I follow this guideline and the OTA works fine so far: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/networking/aws_fota.html

we use nrf9160 with aws iot cloud

what I want to do: In the json file now a URL to a S3 bucket file is defined. This can be accessed public. How can I secure this file so it can be only accessed by the devices in our iot group?

I thought a lot about this and cant find a logical way because its really hard to identify the device on this point. maybe someone did this before and has some kind of best practice for me.

thanks and best regards

daniel

Top Replies

Øyvind over 2 years ago in reply to danielboe +1

Sorry, I might have been too quick with my answer on this. Will need to investigate some more in regards to using presigned URLs with AWS IoT. I need to verify if the following statement is still relevant…

Parents

0 Øyvind over 2 years ago

Hello Daniel,

I will look into your case. Could you please provide what version of the nRF Connect SDK you are running? Can you provide more details on the JSON file? If needed we can convert this ticket to private if there are details you do not want to share.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Øyvind over 2 years ago

Hello Daniel,

I will look into your case. Could you please provide what version of the nRF Connect SDK you are running? Can you provide more details on the JSON file? If needed we can convert this ticket to private if there are details you do not want to share.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 danielboe over 2 years ago in reply to Øyvind
Hi, we work on SDK Version 2.0.0 and I attach you our sample OTA json. I think at the moment no need to convert to private here.

{ "operation": "app_fw_update", "fwversion": "1.2.3", "size": 222222, "location": { "protocol": "http:", "host": "<bucket>.s3.eu-central-1.amazonaws.com", "path": "<updatefile>.bin" } }
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 2 years ago in reply to danielboe
The one solution that is often mentioned by our AWS developers is to use e.g. AWS Signature Version 4.

Note that you need to increase some sizes in order for it to work, due to the length of the file path.
CONFIG_AWS_FOTA_PAYLOAD_SIZE=2048 CONFIG_AWS_FOTA_FILE_PATH_MAX_LEN=2048 CONFIG_DOWNLOAD_CLIENT_MAX_FILENAME_SIZE=2048 CONFIG_DOWNLOAD_CLIENT_MAX_HOSTNAME_SIZE=256

Let me know how that works for you!

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 danielboe over 2 years ago in reply to Øyvind

is this feature working with the aws iot ota updates? Or do I need to implement this by myself? If it is implemented, do you habe a example on the nrf9160 side how to implement this?

thanks and best regards

daniel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 2 years ago in reply to danielboe

Sorry, I might have been too quick with my answer on this. Will need to investigate some more in regards to using presigned URLs with AWS IoT.

I need to verify if the following statement is still relevant

The problem is that the download client depends on the download URL being split in host and path on the cloud side, however AWS IoT jobs and pre-signed URLs do not support this, they generate a full URL. In addition, pre-signed URLs only work with HTTPs (TLS), this is typically something we want to avoid because of the overhead.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 2 years ago in reply to Øyvind

OK, sorry for the back and forth. The pre-signed URLs are what you are looking for, however, this is not supported yet in the download manager due to the long path. I do not have a timeline yet, but it does look like it will be implemented in the next version of nRF Connect SDK.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel