Device Management Client 3.2.0
- Implemented support for compressed delta updates.
- This feature can reduce the size of firmware update images as the image will have only the changed parts rather than the full image.
- Implemented SSL session resume.
- This feature reduces the need for full handshakes (and thus amount of data transferred and time used for reconnections) as long as the session is valid.
- Session information is stored in the configured secure storage, so consider the potential flash wearing.
- To minimize flash wearing, session information is only stored when it changes.
Device Management Client example
- Updated to Mbed OS 5.12.4.
- Added delta tool to the example application.
Factory Configurator Client example
- Updated to Mbed OS 5.12.4.
- [Linux] network Ethernet interface information is available in the
Device Management Connect client
- Relaxed the enforcement of client configuration. Only
SN_COAP_MAX_BLOCKWISE_SIZEis considered as a mandatory application configuration due to bootstrap and update (CoAP download) dependencies.
LIFETIME(default 3600 seconds),
TRANSPORT_MODE(default TCP) now have defaults. The application does not need to define them if default values are acceptable.
- Added new public APIs to the
MbedCloudClientclass to request Enrollment over Secure Transport (EST) (
est_request_enrollment) and free the resulting certificate chain context (
Device Management Update client
- Added the delta update feature into Update client.
- Fixed HTTP download for very small files.
- Implemented a check to reject zero bytes firmware.
- Fixed installation authorization logic which was proceeding without waiting for the application callback.
- Fixed manifest manager to report correct error codes.
- Fixed PAL include files.
- Optimized flash and RAM footprint for CoAP source.
- Added a check to ensure that
SN_COAP_MAX_BLOCKWISE_PAYLOAD_SIZEis aligned with the storage page size.
- Added code to read the active firmware metadata header from file. This enables e-2-e testing with filesystem storage in a Linux host.
- Added heap and stack statistic trace messages.
Factory configurator client
- Naming restrictions for KCM APIs are now identical for KVStore and Pelion Secure Storage solutions (ESFS-SOTP):
kcm_item_namemust only include characters
- The max
kcm_item_namelength is 100 bytes.
- This deprecates Pelion Secure Storage naming restrictions.
- New APIs:
kcm_asymmetric_signcomputes ECDSA raw signature on hash digest using associated private key name. Supports keys with EC SECP256R1 curve only.
kcm_asymmetric_verifyverifies ECDSA raw signature on hash digest using associated private key name. Supports keys with EC SECP256R1 curve only.
kcm_generate_randomgenerates a random number into a given buffer.
kcm_ecdh_key_agreementcomputes a shared secret using the elliptic curve Diffie Hellman algorithm.
- Fixed a bug in conversion of private key from DER to raw.
kcm_item_close_handlereceives a pointer to the handle instead of the handle. This is a bugfix for crash when
kcm_item_close_handleis called twice.
Platform Adaptation Layer (PAL)
New cryptographic APIs implemented for PSA and non-PSA variants:
pal_parseECPrivateKeyFromHandleparses EC private key from PAL private key handle.
pal_parseECPublicKeyFromHandleparses EC public key from PAL public key handle.
pal_asymmetricSigncomputes ECDSA raw signature of a previously hashed message. Supports keys with EC SECP256R1 curve only.
pal_asymmetricVerifyverifies the ECDSA raw signature of a previously hashed message. Supports keys with EC SECP256R1 curve only.
pal_ECDHKeyAgreementcomputes raw shared secret key using elliptic curve Diffie–Hellman algorithm.
- Fixed unnessary dependencies to
pal_x509CertCheckExtendedKeyUsagethat checks the usage of certificate against
- [Linux] When creating threads, use the system provided
PTHREAD_STACK_MINas a minimum value. Previously, the application was allowed to define values smaller than the system-defined minimum.
- Implemented SSL session resume feature. This feature is enabled by default. Use the
PAL_USE_SSL_SESSION_RESUMEflag to control it.
- Removed the dependency of requiring Mbed CLI to be globally installed. This allows also virtualenv installations of Mbed CLI to work with the provided meta-layers.
- Changed the meta-layer to use SSH authentication for Mbed CLI when needed. This is mostly needed when pulling in meta-layers from private repositories.
- Changed the
meta-mbed-cloud-client.libfile to use
httpsformat instead of
Delta update related:
- Modified application makefiles to call the new script for building a
- Added the
build-raspberry-update-rootfs-tar.shscript for building a
rootfscontents to be used for delta purposes.
- Edited the local configuration sample and
rootfsinto "read-only" mode so that delta firmware update can be applied into the device.
- Edited the Update client
metalayer recipeto include the
Preparescript in the image for delta processing.
- [PAL tests] PAL filesystem and PAL update tests currently support external SD card as storage. Support for other storages will be added in future release.
- Delta update feature requires manifest-tool version 1.5.0 or later. If used with Mbed OS version 5.12 or earlier, the Mbed CLI tool may downgrade the manifest-tool to an earlier version not supporting delta features.
We recommend that you read the Mbed OS release notes for known issues and their latest status.
- PSA is in preview level and as such not ready for production yet.
- You cannot update the pre-compiled PSA binary through firmware update. You can only update the application itself.
- Cypress PSoC6:
- Issues with storage. Random failures can occur in testing.
- The native Wi-Fi driver is feature-rich and as such it is quite large (400 KB) and with PSA included (220 KB) there is not much space for the OS and application.
- Client has been tested with ESP8266 (due to flash size) without flow control, because flow-control does not work with this board yet. ESP8266 without flow-control will not work reliably.
- NXP LPC55S69:
- The board has only 640 KB flash. PSA takes 192 KB out of it.
- You can use the Client example (with firmware update and bootloader) with
releaseprofile due to the flash size limitation.
- Only ARMC6 is supported for compilation.
- You can use the board in PSA mode (without real HW PSA implementation).
- The configuration file that allows this is placed under
configs-psafolder in the example.
- The PSA mode adds RAM consumption (static +3.5 KB) and flash/ROM consumption (+18.5 KB).
- Arm and partners are optimizing the solution in future releases.
- Firmware update installation for very large images on Raspberry Pi3B or Pi3B+ may fail with
mmc0 timeoutfailure. This is a generic Raspberry Pi3 issue, see RPI issue #2392.
- Firmware update from one Linux distribution version to another does not work. For example, firmware update from Yocto distribution Morty to Rocko is not currently possible, as there are Linux version-dependent files (device tree) in the
BOOTpartition. Therefore, you must update within one major version of a distribution.
glibcversions 2.23 and 2.24 have a bug in thread creation. It can cause random crashes with Linux.
- If possible, update
glibcto version 2.25 (or newer). See sourceware issue 20116 for details.
- We have implemented a workaround for this issue to decrease its likelihood. This issue may still occur under certain circumstances.
- If possible, update
- The Device Management Client application must run as
rootto have access rights to perform the firmware update.
- This is not the most secure way to handle this issue, so a more secure implementation will come later.
- Yocto distribution has only been tested in developer certificate mode.
Device Management 3.1 Client Third Party IP report
Device Management Client uses some open source third-party IP (TPIP). This table lists the TPIP and sources:
|bsdfiff||BSD 2 clause||Diff algorithm used for delta update image generation.|
|LZ4||BSD 2 clause (lz4.c and lz4.h under /lib in LZ4)||Compression algorithm used for compressing delta update images.|
|cn-cbor||MIT||Factory configurator client (FCC) uses
|Unity||MIT||Platform Adaptation Layer (PAL) tests use Unity framework from ThrowTheSwitch. The code is at mbed-cloud-client/mbed-client-pal/Test/Unity.|