
3.2.7. Design To Reliably Update Device Firmware

| ID | Priority | Best Practice |
|---|---|---|
| BP 3.2.7.1 | Required | Use a mechanism to deploy and monitor firmware updates |
| BP 3.2.7.2 | Highly Recommended | Implement firmware rollback capabilities in devices |
| BP 3.2.7.3 | Highly Recommended | Implement support for incremental updates to target device groups |
| BP 3.2.7.4 | Highly Recommended | Implement dynamic configuration management for devices |

Architecture Notes - BP 3.2.7.1 - Use a mechanism to deploy and monitor firmware updates

When performing over-the-air (OTA) updates to remote devices’ firmware, always ensure that the updates are controlled and reversible, so that the device neither loses functionality for the user nor enters a non-recoverable state. Use tools that let you deploy and track management tasks across your device fleet.

Recommendation 3.2.7.1.1 - Use a cloud-based update orchestrator

  • You can use AWS IoT Jobs to send remote actions to one or many devices at once, control the deployment of jobs to your devices, and track the current and past status of job executions for each device.
  • Using Amazon FreeRTOS OTA with AWS IoT Jobs: AWS IoT Jobs for Amazon FreeRTOS provides reliability and security out of the box. The OTA update job sends the firmware to your end device over secure MQTT or HTTPS, and system-reserved topics are provided to track the status of the job schedule.
  • Using custom IoT jobs with AWS IoT connected devices: using AWS IoT Jobs with one or more devices connected to AWS IoT gives you the ability to track the full rollout of the update.

Architecture Notes - BP 3.2.7.2 - Implement firmware rollback capabilities in devices

Augment the hardware with software that holds two versions of the firmware and can switch between them. Devices can then rapidly roll back to the older firmware if the new firmware has issues.

Recommendation 3.2.7.2.1 - Leverage an RTOS with functionality to roll back device firmware

By combining the OTA agents provided by Amazon FreeRTOS, or the AWS IoT Device SDK, with hardware capable of storing two firmware images, you gain the flexibility to hold two versions of the firmware and switch between them.
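As an added illustration of the two-slot approach (example code, not taken from Amazon FreeRTOS or the AWS IoT Device SDK), the bootloader-side logic below keeps A/B slot metadata, lets a new image boot a limited number of times unconfirmed, and falls back to the older confirmed image when those trial boots are used up; the structure and field names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* A/B slot metadata a bootloader would keep in non-volatile memory.
   Field names are assumptions for this example, not a FreeRTOS structure. */
#define MAX_TRIAL_BOOTS 3
typedef struct {
    uint32_t version;  /* monotonically increasing build number */
    bool valid;        /* image passed integrity/signature check when written */
    bool confirmed;    /* application reported healthy after boot */
    uint8_t attempts;  /* boots made without a confirmation */
} slot_meta_t;
typedef struct { slot_meta_t slot[2]; uint8_t active; } boot_state_t;

/* Stage an image in the inactive slot; refuses downgrades so a pushed
   "update" cannot silently reintroduce an older, weaker build. */
bool stage_update(boot_state_t *s, uint32_t new_version) {
    if (new_version <= s->slot[s->active].version) return false;
    s->slot[s->active ^ 1] = (slot_meta_t){ new_version, true, false, 0 };
    return true;
}

/* Boot the newest valid image; an unconfirmed image that has used up its trial
   boots is retired and the older confirmed image boots instead (rollback). */
int select_boot_slot(boot_state_t *s) {
    int best = -1;
    for (int i = 0; i < 2; i++) {
        slot_meta_t *m = &s->slot[i];
        if (!m->valid) continue;
        if (!m->confirmed && m->attempts >= MAX_TRIAL_BOOTS) { m->valid = false; continue; }
        if (best < 0 || m->version > s->slot[best].version) best = i;
    }
    if (best < 0) return -1;                 /* nothing bootable remains */
    if (!s->slot[best].confirmed) s->slot[best].attempts++;
    s->active = (uint8_t)best;
    return best;
}

/* Self-test hook the application calls once healthy: stops trial-boot counting. */
void confirm_active_slot(boot_state_t *s) {
    s->slot[s->active].confirmed = true;
    s->slot[s->active].attempts = 0;
}

/* One failed-update run: v1 confirmed in slot 0, v2 staged in slot 1 and
   never confirmed. Returns the slot booted once the trials are exhausted. */
int failed_update_scenario(void) {
    boot_state_t s = { { { 1, true, true, 0 }, { 0, false, false, 0 } }, 0 };
    if (!stage_update(&s, 2)) return -2;
    for (int boot = 0; boot < MAX_TRIAL_BOOTS; boot++)
        if (select_boot_slot(&s) != 1) return -3;  /* v2 gets its trial boots */
    return select_boot_slot(&s);                    /* 0: rolled back to v1 */
}
```

In a real device the slot metadata must itself be written atomically and the confirmation should only be sent after the image has proved it can reach the cloud, otherwise a broken network stack would still be counted as a good boot.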

Architecture Notes - BP 3.2.7.3 - Implement support for incremental updates to target device groups

It’s a good practice to test new firmware on a small group of devices. Using a smaller group of devices for firmware updates helps ensure that the firmware as well as the upgrade process is well tested before the entire fleet is updated.

Recommendation 3.2.7.3.1 - Leverage a cloud orchestrator in conjunction with device settings augmentation. Cloud services can help you control and manage jobs in tandem with the devices running the jobs.

  • The AWS IoT Jobs API provides a granular level of control from the cloud to the device for carrying out firmware updates incrementally and rolling back as needed.
  • A job document, created as part of an AWS IoT job, details the remote operations the device needs to perform. This includes shutting down rollouts based on timeouts and the number of updates per device, among other things. Devices can use this information to accept or reject firmware updates.

Architecture Notes - BP 3.2.7.4 - Implement dynamic configuration management for devices

Deploying software changes to devices constitutes a high-risk operation due to the recovery cost associated with remotely deployed devices. When possible, prefer mechanisms for making changes using command-and-control channels to reduce the risk that comes with software deployments and firmware upgrades. This approach enables you to push some changes to devices while minimizing the risk of entering fault states that require on-premises recovery actions. Configuration changes also consume far less bandwidth than firmware updates.

Recommendation 3.2.7.4.1 - Utilize Cloud tools to command and control devices. Changing configuration of devices is less error prone and easier to trace back than updating firmware.

  • Use Secure Tunneling or Systems Manager to facilitate patching of the operating system instead of pushing a new image to be loaded on the device.
  • Use Device Shadows to command and control devices rather than sending commands directly to the device.
  • Use AWS IoT Device Defender and AWS IoT Device Management jobs to rotate expiring device certificates instead of pushing a new image with updated certificates.

Additional Resources

  1. AWS IoT connected device OTA using IoT Jobs
  2. AWS IoT Jobs remote operations
  3. AWS IoT Jobs management and executions