Bug 783638 - (b2g-multi-signatures) [tracking] B2G Updates: Enable MAR security (signing / verification)
Status: RESOLVED FIXED
Whiteboard: [LOE:M][tech-p3]
Keywords: feature
Product: Firefox OS
Classification: Client Software
Component: General
Version: unspecified
Platform: x86 Mac OS X
Importance: P1 normal
Assigned To: Nobody; OK to take it and work on it
Depends on: 792452 793709 795921 797477 798413 798415
Blocks: b2g-v-next b2g-gecko-updates b2g-fota-updates
Reported: 2012-08-17 11:53 PDT by Marshall Culpepper [:marshall_law]
Modified: 2015-04-15 10:41 PDT


Description Marshall Culpepper [:marshall_law] 2012-08-17 11:53:41 PDT
This is a security requirement for Gecko updates in B2G:
https://wiki.mozilla.org/B2G/Architecture/Runtime_Security#B2G_Update

There are a number of requirements for this:
1. Build-time MAR verification enablement
2. Custom code and build changes for packaging and reading the signing cert(s). We can probably just package cert(s) directly in /system/b2g, but I'm open to alternatives (right now they are embedded into the updater.exe, but only for Windows).
3. Define MOZ_VERIFY_MAR_SIGNATURE for the various talos configs in b2g/config/mozconfigs
4. Package update-settings.ini into /system/b2g (we will need some more clarification about the proper settings for this file)
Comment 1 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2012-08-17 12:03:42 PDT
This feels more like a tracking bug but we can at least start the client-side work here.
Comment 2 Marshall Culpepper [:marshall_law] 2012-08-21 17:32:02 PDT
We will need the new B2G update channel IDs to update the various mozconfigs.
Comment 3 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-10-15 13:29:40 PDT
Should we remove bug 799652 and bug 799655 from the depends-on list? I don't think we're going to do either of them soon.
Comment 4 Alex Keybl [:akeybl] 2012-11-07 15:12:58 PST
We're marking this bug with the C1 milestone since it follows the criteria of "unfinished feature work" (see https://etherpad.mozilla.org/b2g-convergence-schedule).

If this work is not finished by Nov 19, this bug will need an exception and will be called out at the upcoming Exec Review.
Comment 5 Dietrich Ayala (:dietrich) 2012-11-08 15:15:37 PST
Is this a meta-bug, or will any work actually happen in this bug?
Comment 6 Brian R. Bondy [:bbondy] 2012-11-08 15:20:21 PST
Nothing to do here, it's just for tracking.
Comment 7 Dietrich Ayala (:dietrich) 2012-11-09 16:29:26 PST
Thanks. Cleared blocking flag, and confirmed that the bugs that block this one are themselves blockers.
Comment 8 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2013-02-26 00:08:44 PST
Technology we thought we needed, but until then it's an important tool in our technical tool box.
Comment 9 Brian R. Bondy [:bbondy] 2015-04-15 10:41:44 PDT
Resolving since we have support for this now, but we don't use it. No dependent bugs left.
