Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397

Issue No. 12, 2023

DOI: 10.17587/prin.14.583-591
Risks of Using Linux OS with Enabled Firmware Update Mechanism (Linux Vendor Firmware Service)
R. S. Smirnov, Developer, mail@romansmirnov.org, Rosseti-Tsifra JSC, Moscow, 107023, Russian Federation
Corresponding author: Roman S. Smirnov, Developer, Rosseti-Tsifra JSC, Moscow, 107023, Russian Federation. E-mail: mail@romansmirnov.org
Received on September 02, 2023
Accepted on October 02, 2023

The article discusses the mechanism for updating built-in software (firmware) in distributions of the Linux operating system (OS). Given the import substitution strategy proposed for the technology sector in Russia and the active transition to this OS, including in solutions related to the digitalization of the energy sector, the problem arises of additional control over the firmware update process, including in the domestic distributions in use (AstraLinux, AltLinux). At the moment, the most popular mechanism for automatic firmware updates is the Linux Vendor Firmware Service (LVFS); the article includes a brief description of its update process. Using software developed for complete monitoring of LVFS metadata, multiple inconsistencies were found in the current firmware update scheme: deletion of files from the index and replacement of already uploaded images with the same id. In addition, based on client agent metadata, it is possible to organize targeted substitution of the binary images that the service transfers directly to hardware, bypassing built-in monitoring tools. Finally, it is concluded that there are potential vulnerabilities in this mechanism, and a solution is proposed in the form of organizing one's own service with an additional layer for verifying firmware during its distribution. If the scheme with an additional security layer on top of the popular and well-proven LVFS is successful, it can be used in industrial applications and, in the future, included in appropriate standards as a reference model.
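
The two inconsistencies named in the abstract (files deleted from the index, and an already uploaded image replaced under the same id) can be detected by comparing successive metadata snapshots. The following is an added example, not code from the article or from the LVFS project: the snapshot layout is a simplified AppStream-style assumption, the key (component id, release version) is an assumed reading of "same id", and all ids and digests are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # for untrusted feeds, prefer the defusedxml package

# Constructed snapshots of a firmware index taken at two points in time.
# Element names follow a simplified AppStream-style layout (an assumption);
# ids and digests are placeholders, not real LVFS entries.
OLD_SNAPSHOT = """<components>
 <component><id>com.example.device-a.firmware</id><releases>
  <release version="1.0"><checksum type="sha256">aa11</checksum></release>
 </releases></component>
 <component><id>com.example.device-b.firmware</id><releases>
  <release version="2.0"><checksum type="sha256">bb22</checksum></release>
 </releases></component>
</components>"""

NEW_SNAPSHOT = """<components>
 <component><id>com.example.device-a.firmware</id><releases>
  <release version="1.1"><checksum type="sha256">cc33</checksum></release>
  <release version="1.0"><checksum type="sha256">ee55</checksum></release>
 </releases></component>
</components>"""


def index_releases(xml_text):
    """Map (component id, release version) -> sha256 digest recorded in the index."""
    index = {}
    for comp in ET.fromstring(xml_text).iter("component"):
        comp_id = (comp.findtext("id") or "").strip()
        for rel in comp.iter("release"):
            digest = None
            for chk in rel.findall("checksum"):
                if chk.get("type") == "sha256":
                    digest = (chk.text or "").strip().lower()
            index[(comp_id, rel.get("version"))] = digest
    return index


def diff_snapshots(old_xml, new_xml):
    """Report releases that vanished, changed content under the same key, or appeared."""
    old, new = index_releases(old_xml), index_releases(new_xml)
    return {
        "removed": sorted(k for k in old if k not in new),
        "replaced": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
    }


if __name__ == "__main__":
    for kind, keys in diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT).items():
        for comp_id, version in keys:
            print(f"{kind}: {comp_id} {version}")
```

A "replaced" entry is the case that matters most for a mirror with its own verification layer: the release key is unchanged, so a client that trusts the index alone has no signal that the image behind it differs.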

Keywords: embedded software, altlinux, astralinux, power industry digitalization, Linux OS, Linux vendor firmware service, fwupd, LVFS
pp. 583–591
For citation:
Smirnov R. S. Risks of Using Linux OS with Enabled Firmware Update Mechanism (Linux Vendor Firmware Service), Programmnaya Ingeneria, 2023, vol. 14, no. 12, pp. 583—591. DOI: 10.17587/prin.14.583-591.