iot-fleet-ota
[UNTESTED] — v0.5 paper-correctnative_sim build verified. HiL verification gates on a staged Mender server.
Secure OTA firmware update with rollback. The production-readiness proof for "how do we update 10 000 units in the field?". Targets every E1M-X SoM family.
Source: examples/iot-fleet-ota/.
Trust model
| Piece | Role |
|---|---|
| OPTIGA Trust M | On-SoM secure element. ECDSA-P256 private key generated inside the chip at SoM-mfg, never leaves. Without physical access to a provisioned OPTIGA, no attacker can produce a signature this device will accept. |
| ECDSA-P256 | Signing algorithm. Public half is read out of the OPTIGA at provisioning and pinned in the host's MCUboot configuration. |
| MCUboot | Bootloader signature verification. Refuses to swap into a slot whose signature doesn't match the pinned key. |
| Mender | Update-server backend. Streams the signed image down; the device applies through MCUboot's standard slot-swap. |
board.yaml
schema_version: 2
som:
sku: E1M-V2N101
carrier:
name: E1M-X-EVK
cores:
a55_cluster:
os: yocto
app: ./linux
image: alp-image-edge
peripherals: [i2c]
iot: { wifi: true, mqtt: true, tls: true }
chips:
- optiga_trust_m
- eeprom_24c128
diagnostics:
log_level: info
See also
production-deployment— full factory-to-field lifecycle<alp/security.h>·<alp/chips/optiga_trust_m.h>- Tutorial 12 — Mender OTA
- Examples overview
Questions about this page? Discuss in Community Forum