Skip to main content

iot-fleet-ota

:::warning [UNTESTED] — v0.5 paper-correct native_sim build verified. HiL verification gates on a staged Mender server. :::

Secure OTA firmware update with rollback. The production-readiness proof for "how do we update 10 000 units in the field?". Targets every E1M-X SoM family.

Source: examples/iot-fleet-ota/.

Trust model

PieceRole
OPTIGA Trust MOn-SoM secure element. ECDSA-P256 private key generated inside the chip at SoM-mfg, never leaves. Without physical access to a provisioned OPTIGA, no attacker can produce a signature this device will accept.
ECDSA-P256Signing algorithm. Public half is read out of the OPTIGA at provisioning and pinned in the host's MCUboot configuration.
MCUbootBootloader signature verification. Refuses to swap into a slot whose signature doesn't match the pinned key.
MenderUpdate-server backend. Streams the signed image down; the device applies through MCUboot's standard slot-swap.

board.yaml

som:
sku: E1M-V2N101

preset: e1m-x-evk

cores:
a55_cluster:
app: ./linux
image: alp-image-edge
peripherals: [i2c]
libraries: [mbedtls] # required by iot.tls: true (validator rule R3)
iot: { wifi: true, mqtt: true, tls: true }

boot:
method: mcuboot
signing:
algorithm: ecdsa_p256 # OPTIGA-rooted, validator rule R2 enforces family allow-list
key_file: keys/release-mcuboot.pub.pem
slots:
primary: { size_kib: 480 }
secondary: { size_kib: 480 }
swap_algorithm: scratch
scratch_size_kib: 32
anti_rollback: false
build_type: Release

ota:
provider: mender # mender | hawkbit | mcumgr — provider-driven dispatch (ADR 0009)
artifact_name: alp-iot-fleet-ota-1.0.0
server:
url: https://hosted.mender.io
tenant: ${MENDER_TENANT_TOKEN} # injected at build/CI time, not committed
poll_interval_s: 1800

chips:
- optiga_trust_m
- eeprom_24c128

diagnostics:
log_level: info

The boot: + ota: blocks land as declarative artefacts in v0.6: the loader emits the matching SB_CONFIG_* MCUboot overlay, the MENDER_* weak-assignments in the Yocto slice's local.conf, and (when targeting a Zephyr core) the CONFIG_MENDER_MCU_CLIENT=y Kconfig for the Zephyr-side dispatch — see board.yaml reference: OTA block for the full per-provider emit matrix.

See also

Questions about this page? Discuss in Community Forum