Configuration Storage

Configuration data is assumed to be sensitive unless the unencrypted attribute is explicitly set to true in a configuration JSON payload. Fleet-wide configuration is uploaded to the server and then encrypted with a secret symmetric encryption key. Later, when a device requests this information, the server will decrypt it and deliver it to the device over its TLS encrypted connection. Device configuration has a much better approach. The contents of each configuration file will be encrypted with the device’s public key using the Elliptical Curve Integrated Encryption Scheme by fioctl. This means only the user of fioctl and the device will be able to decrypt the value. can’t.

The Factory will keep track of the last 10 config changes made to the fleet and each device so that some basic change history can be tracked. Additionally, the maximum size of a “config” (files and data) is 1Mb.

The device stores configuration persistently under /var/sota/config.encrypted. Device specific configuration options will be encrypted. At boot, each file in the configuration is extracted into /var/run/secrets/<filename>. This is tmpfs and is only available when the the device is running.


Configuration is managed by fioctl which communicates via the REST API.

LmP devices run a configuration daemon, fioconfig. This daemon checks in with the server every 5 minutes. The HTTP request includes a timestamp of its current configuration. The server will send back one of two responses:

  • 304 - This means nothing has changed since the last request. There will be an empty response body.
  • 200 - Something has changed since the last request. The response body will be the updated configuration.

Fioconfig’s logic for a configuration change is:

  • Save “encrypted” file to /var/sota (fleet-wide and “unencrypted” values aren’t encrypted).
  • For each file in the new configuration:
    • Decrypt if needed
    • If different from /var/run/secrets/<file>
      • Write new file
      • Call the the on-changed handler (if provided)

Since /var/run/secrets is lost between boots, a systemd oneshot job is invoked during the boot process to extract the “encrypted” persistent configuration. It will call “onchanged” handlers.


        |                  |
        | |
        |                  |
          |            |
          |            |
          |            |
          |            |
+---------+----+    +--+-----------+
|              |    |              |
| LmP Device   |    | LmP Device   |    . . .
|              |    |              |
+--------------+    +--------------+