Closed Bug 783638 (b2g-multi-signatures) Opened 7 years ago Closed 5 years ago

[tracking] B2G Updates: Enable MAR security (signing / verification)

Categories

(Firefox OS Graveyard :: General, defect, P1)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: marshall, Unassigned)

Details

(Keywords: feature, Whiteboard: [LOE:M][tech-p3])

This is a security requirement for Gecko updates in B2G:
https://wiki.mozilla.org/B2G/Architecture/Runtime_Security#B2G_Update

There are a number of requirements for this:
1. Build-time MAR verification enablement
2. Custom code and build changes for packaging and reading the signing cert(s). We can probably just package cert(s) directly in /system/b2g, but I'm open to alternatives (right now they are embedded into the updater.exe, but only for Windows).
3. Define MOZ_VERIFY_MAR_SIGNATURE for the various talos configs in b2g/config/mozconfigs
4. Package update-settings.ini into /system/b2g (we will need some more clarification about the proper settings for this file)
blocking-basecamp: --- → ?
This feels more like a tracking bug but we can at least start the client-side work here.
blocking-basecamp: ? → +
We will need the new B2G update channel IDs to update the various mozconfigs
Depends on: 778341
Whiteboard: [LOE:M] → [LOE:M] [WebAPI:P0]
Keywords: feature
Assignee: marshall → netzen
Depends on: 795921
Depends on: 792452
Summary: B2G Updates: Enable MAR security (signing / verification) for B2G → [tracking] B2G Updates: Enable MAR security (signing / verification)
Depends on: 797477
Depends on: 793709
Summary: [tracking] B2G Updates: Enable MAR security (signing / verification) → (b2g-multi-signatures) [tracking] B2G Updates: Enable MAR security (signing / verification)
Alias: b2g-multi-signatures
Summary: (b2g-multi-signatures) [tracking] B2G Updates: Enable MAR security (signing / verification) → [tracking] B2G Updates: Enable MAR security (signing / verification)
Depends on: 798413
Depends on: 798415
Blocks: 799652
Blocks: 799655
No longer blocks: 799652, 799655
Depends on: 799652, 799655
No longer depends on: 778341
Should we remove bug 799652 and bug 799655 from the depends-on list? I don't think we're going to do either of them soon.
Priority: -- → P1
Whiteboard: [LOE:M] [WebAPI:P0] → [LOE:M]
No longer depends on: 799652, 799655
We're marking this bug with the C1 milestone since it follows the criteria of "unfinished feature work" (see https://etherpad.mozilla.org/b2g-convergence-schedule).

If this work is not finished by Nov 19, this bug will need an exception and will be called out at the upcoming Exec Review.
Target Milestone: --- → B2G C1 (to 19nov)
Is this a meta-bug, or will any work actually happen in this bug?
Nothing to do here, it's just for tracking.
Thanks. Cleared blocking flag, and confirmed that the bugs that block this one are themselves blockers.
blocking-basecamp: + → ---
Target Milestone: B2G C1 (to 19nov) → ---
Assignee: netzen → nobody
Technology we thought we needed, but until then it's an important tool in our technical tool box.
Whiteboard: [LOE:M] → [LOE:M][tech-p3]
Resolving since we have support for this now, but we don't use it. No dependent bugs left.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED