Merge pull request #198 from boschrexroth/release/3.6.1

Release/3.6.1

Author: albrecht-j

README.md

@@ -31,6 +31,26 @@ If your ctrlX App Build Environment is running, you can log in and install the c
 
 __These installation steps are required on both an App Build Environment and an Ubuntu Server or Desktop System.__
 
+### Prerequisite for the following Scripts
+
+The following packages must be installed so that the following scripts can be executed. When using the __App Build Environment__, packages are installed when setting up an instance.
+
+```bash
+	sudo apt-get update
+	sudo apt-get install -y \
+	     zip \
+  	     unzip \
+  	     p7zip-full \
+         git \
+         apt-transport-https \
+  	     whois \
+         net-tools \
+         pkg-config \
+         jq \
+         sshpass \
+         dpkg-dev
+```
+
 ### Clone and Install the ctrlX AUTOMATION SDK
 
 Start a console session, change to your destination directory and enter:

doc/images/uefi-concept-fwupdate.png

@@ -152,6 +152,25 @@ Scopes provided by the package
             "name": "View hello world",
             "description": "View (but not modify) hello world",
             "i18n": "scopes.view"
+          },
+          {
+            "identifier": "ctrlx-helloworld.web.all.x",
+            "name": "Operate hello world",
+            "description": "Execute hello world",
+            "i18n": "scopes.operate",
+            "requiredScopes": [
+              {
+                "identifier": "ctrlx-tools.all.rwx",
+                "purpose": "This scope is essential for executing hello world, as it provides access to the necessary tools."
+              }
+            ]
+          },
+          {
+            "identifier": "ctrlx-helloworld.web.rwx",
+            "name": "Legacy Hello World Permissions",
+            "description": "Full access to hello world.",
+            "i18n": "scopes.rwx",
+            "deprecated": true
           }
         ]
       }
@@ -173,12 +192,21 @@ The Definiton of the scopes-declaration object:
 
 Defition of the scope object:
 
-| Field         | Descriptions                        | 
-| -------       | ------------------------------------|  
-|**identifier** | string, the identifier of the scope |
-|**name**       | string, the name of the scope       |
-|**description**| string, description of the scope    |
-|**i18n**       | string, i18n tag, see [language files](#language files) and [translation](#translation)|
+| Field            | Descriptions                        | 
+| -------          | ------------------------------------|  
+|**identifier**    | string, the identifier of the scope |
+|**name**          | string, the name of the scope       |
+|**description**   | string, description of the scope    |
+|**i18n**          | string, i18n tag, see [language files](#language files) and [translation](#translation)|
+|**requiredScopes**| array, array of requiredScope objects referencing other scopes that are required for this scope to function |
+|**deprecated**    | boolean, indicates if the scope is deprecated. |
+
+Defition of the requiredScope object:
+
+| Field            | Descriptions                        | 
+| -------          | ------------------------------------|  
+|**identifier**    | string, the identifier of the referenced required scope |
+|**purpose**       | string, a detailed explanation of why this scope is required. |
 
 If access is restricted to specific resources, define scopes. When using the Identity Management, an administrator can configure the users and groups allowed to access specific resources. The following example shows two simple scopes (read/write, all settings, read-only settings). In every routine, the web server has to check whether the provided token includes the scope.
 
@@ -264,6 +292,60 @@ The following snippet shows the definition of the admin scope. You can see (and
           ]
       }
     ```
+#### Required Scopes
+
+Multiple scopes may be required to perform a particular action. To streamline the scope assignment process for the administrator, it is important to provide clear details of the required scopes. This information specifies the additional permissions required for certain functionalities and ensures that users and groups have the appropriate access rights to perform actions effectively.
+
+!!! Example
+
+    ```json
+      {
+        "identifier": "ctrlx-helloworld.web",
+        "name": "Helloworld Scopes",
+        "description": "Scopes for the Hello World App",
+        "scopes": [
+          {
+            "identifier": "ctrlx-helloworld.web.all.x",
+            "name": "Operate hello world",
+            "description": "Execute hello world",
+            "i18n": "scopes.operate",
+            "requiredScopes": [
+              {
+                "identifier": "ctrlx-tools.all.rwx",
+                "purpose": "This scope is essential for executing hello world, as it provides access to the necessary tools."
+              }
+            ]
+          }
+        ]
+      }
+    ```
+#### Deprecated Scope
+
+A deprecated scope is a permission that was once available for an application but is no longer utilized in its current and future versions. 
+
+!!! Remark
+    - **When a scope is labelled as "deprecated", this permission may not be assigned to any users or groups.**
+    - **The existing assignments of deprecated scopes can be removed from users and groups by administrator.**
+
+!!! Example
+
+    ```json
+      {
+        "identifier": "ctrlx-helloworld.web",
+        "name": "Helloworld Scopes",
+        "description": "Scopes for the Hello World App",
+        "scopes": [
+          {
+            "identifier": "ctrlx-helloworld.web.rwx",
+            "name": "Legacy Hello World Permissions",
+            "description": "Full access to hello world.",
+            "i18n": "scopes.rwx",
+            "deprecated": true
+          }
+        ]
+      }
+    ```
+
 ### Services
 
 <!-- md:version 1.0 -->
@@ -676,7 +758,7 @@ The definition of certificatestores object
 
 |Field          |Description                                                                                             |
 |---------------|--------------------------------------------------------------------------------------------------------|
-|**id**         |string,Use a unique ID, as it is used to identify the store via the REST interface. Example: <br> - opcua <br> - vpnmanager|
+|**id**         |string (max. 128 characters), Use a unique ID, as it is used to identify the store via the REST interface. Example: <br> - opcua <br> - vpnmanager|
 |**title**      |string, name used in the front end. Example: <br> - OPCUA <br> - VPN Manager|
 |**description**|string, displayed in the front end. To describe the application and provide further information|
 |**scopesR**    |array of strings, a list of scopes that allow the user to have read access to this certificate store, Example: <br> - rexroth-solutions.web.all.r <br> - example.permission.r|

doc/images/uefi-permissions.png

@@ -35,7 +35,7 @@ and the denylist has to be empty.
     sudo -s
     mkdir -p /etc/writable/integrity
     echo [] >/etc/writable/integrity/denylist.json
-    snap restart rexroth-deviceadminw.web
+    snap restart rexroth-deviceadmin.web
 ```
 
 After clearing the denylist it's possible to test storage extension without signed apps.

doc/images/uefi-trusted-certs-upload.png

@@ -0,0 +1,94 @@
+# UEFI firmware updates for ctrlX OS Standard
+
+UEFI firmware needs to be updatable in the field in order to apply security patches, e.g. in case of another [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)) / [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)) vulnerability.
+
+On ctrlX CORE devices UEFI firmware updates are contained in the `Hardware Support` app (gadget snap). When you install a new version of the `Hardware Support` app that contains a UEFI firmware update, you will find the option to install the UEFI firmware update under `Settings > Apps > Update UEFI firmware`.
+
+On ctrlX OS Standard devices it is not possible to ship UEFI firmware updates via the `Hardware Support` app as the same app is running on devices of multiple ctrlX OS partners with different UEFI firmware implementations.
+
+Nevertheless, ctrlX OS Standard offers a secure and convenient way to deploy UEFI firmware updates.
+
+## Prerequisites
+
+UEFI firmware updates must be UEFI update capsules and must comply to the [UEFI specification](https://uefi.org/specs/UEFI/2.11/08_Services_Runtime_Services.html#update-capsule).
+
+!!! Hint
+    We strongly recommend to use update capsules with the [Firmware Management Protocol (FMP)](https://uefi.org/specs/UEFI/2.11/23_Firmware_Update_and_Reporting.html) and with required authentication (`IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED`).
+    This provides an additional layer of security where the UEFI firmware itself will verify the integrity of the update capsule before executing it.
+    You will need to inquire with your UEFI firmware vendor if FMP with required authentication is supported.
+
+## Preparing a UEFI firmware update for ctrlX OS Standard
+
+When uploading a UEFI firmware update to a ctrlX OS Standard device it will be checked if the update is from a trusted origin.
+
+The certificates for trusted origins should be deployed onto the ctrlX OS Standard device during manufacturing, but can also be updated with the appropriate user permissions during runtime.
+
+The UEFI firmware update must be provided as a `.fwupdate` archive.
+
+### Provisioning UEFI firmware signature validation certificates
+
+Your user on the ctrlX OS Standard device requires the `Certificates & Keys > Manage` permission to upload new trusted certificates for UEFI firmware updates.
+Make sure this permission is only available for authorized users to prevent misuse.
+
+![`Certificates & Keys > Manage` permission required.](./images/uefi-permissions.png)
+
+The private and public key with which UEFI firmware updates are signed should be owned and maintained by the ctrlX OS Standard device manufacturer.
+
+An example how to generate P-384 ECDSA public and private keys with SHA-384 and the corresponding certificate can be found in [this example shell script using `openssl`](/public/scripts/firmware-generate-keys.sh).
+
+!!! Hint
+    Only P-384 ECDSA keys and SHA-384 are currently supported.
+
+!!! Danger
+    Take care of your private ctrlX OS UEFI firmware key and establish measures to protect against misuse and key leakage, like using an HSM.
+
+To add a new trusted certificate for UEFI firmware updates go to `Settings > Certificate & Keys > UEFI firmware signature validation certificates`. 
+
+![Settings > Certificate & Keys > UEFI firmware signature validation certificates](./images/uefi-trusted-certs.png)
+
+Upload your certificate in category `Trusted`.
+
+![Upload as category `Trusted`](./images/uefi-trusted-certs-upload.png)
+
+!!! Hint
+    You can also manage your certificates with REST via the [ctrlX OS - Apps Management API](https://boschrexroth.github.io/rest-api-description/ctrlx-automation/ctrlx-core/).
+
+### Packaging a UEFI firmware update as a `.fwupdate` archive
+
+The UEFI firmware update must be provided in a proprietary `.fwupdate` archive to ctrlX OS Standard.
+
+The `.fwupdate` is a `tar` archive that contains:
+
+- `*.bin` file: The UEFI firmware update itself.
+- `*.signature` file: A detached signature for the digest of the UEFI firmware update
+
+![Contents of a `.fwupdate` archive](./images/uefi-concept-fwupdate.png)
+
+UEFI firmware updates are usually provided as [Cabinet](https://en.wikipedia.org/wiki/Cabinet_(file_format)) archives by UEFI firmware vendors.
+In addition to the update itself they often contain metadata information for [Windows (as a `firmware.inf` file)](https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/authoring-an-update-driver-package) and for [LVFS (as a `*.metainfo.xml` file)](https://lvfs.readthedocs.io/en/latest/metainfo.html#metadata).
+
+Using the [`firmware-signing-tool.sh` script](/public/scripts/firmware-signing-tool.sh) you can repackage a UEFI firmware update from a `Cabinet` into a `.fwupdate`archive and create the detached signature.
+
+!!! Hint
+    Make sure all the required dependencies are installed by running [`install-ctrlx-os-dev-tools.sh`](/public/scripts/install-ctrlx-os-dev-tools.sh).
+
+!!! Danger
+    ctrlX OS Standard does not prevent potential UEFI firmware downgrades. As a ctrlX OS Standard device manufacturer it is your responsibility to inform your device operators about your process to install UEFI firmware updates in a forward-only manor.
+    Update capsules with FMP support can express [Version dependencies](https://uefi.org/specs/UEFI/2.11/23_Firmware_Update_and_Reporting.html#dependency-expression-instruction-set) so that the UEFI firmware itself can prevent potential downgrades. Contact your UEFI firmware vendor for more details.
+
+### Installing a `.fwupdate` archive on ctrlX OS
+
+!!! Hint
+    On ctrlX OS variants that deliver UEFI firmware updates via the `Hardware Support` app the following workflow is not supported.
+
+Upload your `.fwupdate` archive under `Settings > Apps` with `Upload UEFI firmware`.
+
+![`Settings > Apps > Upload UEFI firmware`](./images/uefi-upload-fwupdate.png)
+
+On successful upload a new button `Update UEFI firmware` will appear. 
+Click it and carefully read and confirm the pop-ups to start the UEFI firmware update process.
+
+![`Settings > Apps > Update UEFI firmware`](./images/uefi-update-firmware.png)
+
+!!! Hint
+    An uploaded `.fwupdate` is not persisted on the device. If you restart the device before starting the UEFI firmware update as described above you will have to reupload the `.fwupdate` archive.