iot-fleet-ota
:::warning [UNTESTED] — v0.5 paper-correct
native_sim build verified. HiL verification gates on a staged Mender server.
:::
Secure OTA firmware update with rollback. The production-readiness proof for "how do we update 10 000 units in the field?". Targets every E1M-X SoM family.
Source: examples/iot-fleet-ota/.
Trust model
| Piece | Role |
|---|---|
| OPTIGA Trust M | On-SoM secure element. ECDSA-P256 private key generated inside the chip at SoM-mfg, never leaves. Without physical access to a provisioned OPTIGA, no attacker can produce a signature this device will accept. |
| ECDSA-P256 | Signing algorithm. Public half is read out of the OPTIGA at provisioning and pinned in the host's MCUboot configuration. |
| MCUboot | Bootloader signature verification. Refuses to swap into a slot whose signature doesn't match the pinned key. |
| Mender | Update-server backend. Streams the signed image down; the device applies through MCUboot's standard slot-swap. |
board.yaml
som:
sku: E1M-V2N101
preset: e1m-x-evk
cores:
a55_cluster:
app: ./linux
image: alp-image-edge
peripherals: [i2c]
libraries: [mbedtls] # required by iot.tls: true (validator rule R3)
iot: { wifi: true, mqtt: true, tls: true }
boot:
method: mcuboot
signing:
algorithm: ecdsa_p256 # OPTIGA-rooted, validator rule R2 enforces family allow-list
key_file: keys/release-mcuboot.pub.pem
slots:
primary: { size_kib: 480 }
secondary: { size_kib: 480 }
swap_algorithm: scratch
scratch_size_kib: 32
anti_rollback: false
build_type: Release
ota:
provider: mender # mender | hawkbit | mcumgr — provider-driven dispatch (ADR 0009)
artifact_name: alp-iot-fleet-ota-1.0.0
server:
url: https://hosted.mender.io
tenant: ${MENDER_TENANT_TOKEN} # injected at build/CI time, not committed
poll_interval_s: 1800
chips:
- optiga_trust_m
- eeprom_24c128
diagnostics:
log_level: info
The boot: + ota: blocks land as declarative artefacts in v0.6: the loader emits the matching SB_CONFIG_* MCUboot overlay, the MENDER_* weak-assignments in the Yocto slice's local.conf, and (when targeting a Zephyr core) the CONFIG_MENDER_MCU_CLIENT=y Kconfig for the Zephyr-side dispatch — see board.yaml reference: OTA block for the full per-provider emit matrix.
See also
production-deployment— full factory-to-field lifecycle<alp/security.h>·<alp/chips/optiga_trust_m.h>- Tutorial 12 — Mender OTA
- Examples overview
Questions about this page? Discuss in Community Forum