Edge Security Release Notes

Version-3.2.9

New Features

[125973] Technical Upgrades

The following are the upgrades to the security components:

1. Curl Upgrade in Android to 7.78
2. New Mocana libs are updated to TrustCore-GA-0521-U2-HF1
3. Changes done in the SecStore Engine to support the new openssl version in the base image
4. Cmake version updated to 2.8.12

Resolved Issues

[122598] - [Genix] Failed to upload files with SSE errors

This issue is resolved.

Version-3.2.8

Resolved Issues

[100024] - Error with uploading files from 10 devices in parallel (file uploader)

This issue where the file uploader failed to upload files from 10 devices in parallel is now resolved.

[103369] - SSL handshake failure in secstore engine during TPM operations

TPM operations are successful, as the issue with SSL handshake failure in secstore engine is now resolved.

[109547] - Fixed issue with unnecessary info logs related to TMP operations

Before, 8 info logs related to TPM operations were printed for each file upload functionality, even though the error log level was set to "ERROR". The issue is now fixed, and none of the INFO logs are printed for TPM operations during file upload, when the log level is set to "ERROR".

[111311] - Mutual authentication fails when the log level parameter is set to empty in configuration

"ERROR" log level is considered as the default configuration when the log level parameter is not set in the configuration. This resolves the mutual authentication issue.

[112076] - Private Key Found in Mocana Library

The issue is now resolved, and Mocana Library does not have any private keys.

Version-3.2.7

Resolved Issues

[96498] - Log updated to display correct message after attempting to enable swarm autolock when it was already enabled

An incorrect log message was being displayed when trying to enable swarm autolock and it was already enabled. Previously displaying an ERROR message, we have updated the log to instead display an INFO message with the following text: "Docker swarm Autolock is already enabled".

Version-3.2.6

Resolved Issues

[91145] - DPCM cannot acquire certificate if IDServiceURL is empty issue is resolved

DPCM failed to acquire a certificate because of the value check for the "IDServiceURL", as the parameter value was empty.

We have removed the value check on "IDServiceURL" when both "REGISTER_DEV_ID" and "DEVICEID_DUPLICATION_CHECK_REQUIRED" are set to "0", which allows DPCM to proceed with acquiring a certificate.

[94379] - Ownership of device certificate file fails during upgrade

Ability device certificates could not be renewed as the certificate owners changed to incorrect users when upgrading.

Now, ownership of device certificates will remain unchanged after upgrading to new packages.

Version-3.2.5

Resolved Issues

[89890] - nanotap.service fails to start when /var/ability/rpc/mocunix file already exists

Before nanotap.service is started, the existance of a file /var/ability/rpc/mocunix is checked. If the file is present, it is removed before nanotap.service is started.

[90201] - TPM ownership failure in B&R HW with a password string starting with a hyphen

TPM ownership failure with a password string starting with a hyphen character is resolved.

[91259] - Cannot re-install sec-svc-tpm20 after successful enrollment

If a previous installation of sec-svc-tpm20 was successful and DPCM Service is running, the previous package can now be removed and re-installed.

The use case with the following sequence works fine now:

1. sec-svc-tpm20 (3.2.4) is installed
2. DPCM Enrollment is done (bringing up all the services)
3. Remove sec-svc-tpm20 (3.2.4) package without purge
4. Reinstall sec-svc-tpm20 (3.2.4) package

Version-3.2.4

Resolved Issues

[82147] - Edge Proxy stills shows INFO messages from secstore engine for every file uploaded when the proxy log level is set to ERROR

Edge Proxy Secstore engine now displays logs as per the log level set in edge.env file.

[83882] - Unable to install sec-svc-tpm20 debian package if the previous version was removed

When a previous installation of sec-svc-tpm20 is removed  just after configuring dpcm.config, but dpcm service or sec storage service is not started/ running.

In such scenario, when installation of sec-svc-tpm20 is attempted again, the installation fails with "dpcm.config file is not found" error. This issue is fixed now by backup of config files during pre-installation of package.

[86073] - DPCM fails to register deviceID to Global ID Generator service behind AKAMAI WAF environments

SNI Flag is added and the issue with the signing algorithm requested by AKAMAI WAF is fixed in this release, now DPCM shall be able to connect to the GIG server behind AKAMAI WAF.

[87300] - Nanotap service produces too many error logs during restart / no internet connection

During the startup sequence, the error log "Trying connection with Nanotap server" was appearing every 10ms. Now, retry is handled in the background and reported to logs once in the 30s.

[85268] - BnR Take ownership was failing with Error "Failed to create EK. rc = 0x9a2" "Credentials file encoded"

Error -09xa2 is related to the TPM authentication error with the generated password. The fix handles this variety of passwords.

Known Issues

[90201] - TPM Take Ownership fails in BnR HW with ERROR: -lhpwd value starts with invalid character

In Some B&R HW, TPM Take Ownership is failing with error ERROR: -lhpwd value starts with invalid character.

[91259] - Unable to install sec-svc-tpm20 (3.1.1-1) debian package if the previous version was removed in a running edge setup

Scenario: When a previous installation of sec-svc-tpm20 is successful and DPCM Service is started/ running. In this scenario, if the package is removed and installed, back up of config files will happen, but the installation fails to proceed with the error "Failed to start nanotap.service: unit nantop.service not found". Workaround: Direct Installation of a new package is recommended on a running DPCM Service for upgrade scenarios without running the remove command. This issue will be fixed in the next update.

Version-3.2.3

New Features

[75019] - Support for Ubuntu 20.04 for Edge Security Components

New Functionality

Ability Edge can be installed & used on a Ubuntu 20.04 environment in addition to Ubuntu 18.04 environment supported currently.

• x86 package supports both Ubuntu 18.04 & Ubuntu 20.04
• ARM package supports only Ubuntu 20.04. ARM18.04 package shall be distributed only based on the need

Planned Deprecations Announcement

TPM 1.2 packages are deprecated as of this release. All development should move to TPM2.0 solutions.

Resolved Issues

[76676] - Edge Secstore_Service now supports "rsa_pss_rsae_sha256" signature Hash algorithm to support Huawei cloud

Edge Secstore_Service now supports "rsa_pss_rsae_sha256" signature Hash algorithm to enable mTLS with Huawei cloud’s IotPlatform. Secstore_Service supports by default "rsa_pkcs1_sha256" that is used by Azure cloud. The server response (Azure/Huawei) will determine which algorithm is utilized, there is no manual intervention/configuration needed.

[82148] - The dpcm.config file was altered during upgrade process of the edge security components

The dpcm.config file was altered while performing an auto upgrade of the edge security components from version 3.1.0 to 3.1.1, this issue is now fixed.

[84368] - TLS handshake failure in SecStoreEngine with the Edge agent on ARM Hardware

A TLS handshake failure occurred with the Edge Agent was used on ARM Hardware. The issue is now resolved.

The TLS handshake is successful with using either the "rsa_pss_rsae_sha256" and "rsa_pkcs1_sha256" signature algorithms on ARM and X86 hardware.

Version-3.1.1

Resolved Issues

[73483] - "edge.env" file corruption

Modification of edge.env file (cert path) by DPCM Service is fixed in 3.0.4 (cloud 20.07.2) and 3.1.1 (cloud 20.10) versions. Modified timestamp of the edge.env file is now not changed during restart of the edge / dpcm service.

Known Issues and Limitations

[76676] - Edge Secstore_Service does not support "rsa_pss_rsae_sha256" signature Hash algorithm

Edge Secstore_Service does not support "rsa_pss_rsae_sha256" signature Hash algorithm. Secstore_Service supports by default "rsa_pkcs1_sha256" that is used by Azure cloud.

For Huawei cloud -Force edge to select rsa_pkcs1_sha256 as a workaround.

Version-3.1.0

New Features

[66995] - Support for Ability Edge on VMWare environment

New Functionality

Support for vTPM (TPM2.0) in VMWare environments.

Issues found with Edge security components when using VMWare's vTPM(TPM2.0) are fixed in this version.

[76321] - Securing Docker Swarm logs for Edge Secrets

New Functionality

For Edge Secrets, the keys belonging to various modules are stored in Docker Secrets. Docker secrets are persisted at rest in "raft" logs. To ensure that the "raft" logs are protected by TPM(HBRoTfor MCSR compliance), the "raft" logs are protected using the auto-lock feature of docker swarm.

Known Issues and Limitations

[76676] - Edge Secstore_Service does not support "rsa_pss_rsae_sha256" signature Hash algorithm

Edge Secstore_Service does not support "rsa_pss_rsae_sha256" signature Hash algorithm. Secstore_Service supports by default "rsa_pkcs1_sha256" that is used by Azure cloud.

For Huawei cloud -Force edge to select rsa_pkcs1_sha256 as a workaround.

[76559] - Edge setup fails with Docker swarm error when re-installing an already running edge.

When re-installing an edge, tpm clear & ownership is successful but secstore throws errors and other containers are not called, which causes blocking edge set up due to a docker swarm error.

During re-installing, Following steps shall be executed:

1. After restart & clear the TPM from BIOS.
2. "Secstoretpm20.service" and nanotap.services shall be in disabled state (and not in running state) before triggering abb-iot-edge-setup.