alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'docs/update_cn_for_security_docs' into 'master'

Browse Source 
docs: Update CN for security docs

Closes DOC-6633

See merge request espressif/esp-idf!26972
This commit is contained in:
Wang Ziyan 2023-11-14 23:03:12 +08:00
commit 0334dc92ff
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/en/security/security.rst
View File

@ -185,14 +185,14 @@ UART Download Mode
Root certificates list update could have following reasons:
- New firmware has different set of remote endpoint(s).
- Existing certificate has expired.
- The existing certificate has expired.
- The certificate has been added or retracted from the upstream certificate bundle.
- The certificate list changed due to market share statistics (``CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN`` case).
Some guidelines to consider on this topic:
- Please consider enabling :ref:`OTA rollback <ota_rollback>` and then keep the successful connection to the OTA update server as the checkpoint to cancel the rollback process. This ensures that the newly updated firmware can successfully reach till the OTA update server, otherwise rollback process will go back to the previous firmware on the device.
- If you plan to enable the :ref:`CONFIG_MBEDTLS_HAVE_TIME_DATE` option then please consider to have sufficient number of trusted certificates and the time sync mechanism (SNTP) in place.
- If you plan to enable the :ref:`CONFIG_MBEDTLS_HAVE_TIME_DATE` option, then please consider to have the time sync mechanism (SNTP) and sufficient number of trusted certificates in place.
Product Security
----------------

17
docs/zh_CN/security/security.rst
View File

@ -177,6 +177,23 @@ UART 下载模式
强烈建议基于 X.509 证书验证服务器身份,谨防与 **伪造** 服务器建立通信。
根证书管理
^^^^^^^^^^^^^
内嵌在应用程序内的根证书必须谨慎管理。更新根证书列表或 :doc:`../api-reference/protocols/esp_crt_bundle` 都可能影响与远程端点的 TLS 连接,包括与 OTA 更新服务器的连接。在某些情况下,此类问题可能会在后续 OTA 更新中出现,导致设备永远无法进行 OTA 更新。
根证书列表更新可能出于以下原因:
- 新固件的远程端点不同。
- 现有证书过期。
- 证书已从上游证书包中添加或撤销。
- 市场份额统计数据的变化引起证书列表的变化(``CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN`` 情况)。
其他相关建议:
- 请考虑启用 :ref:`ota_rollback`,将成功连接至 OTA 更新服务器作为取消回滚过程的检查点,从而确保更新后的固件成功连接至 OTA 更新服务器。否则,回滚过程将导致设备回退到之前的固件版本。
- 如果计划启用 :ref:`CONFIG_MBEDTLS_HAVE_TIME_DATE` 选项,请确保具备时间同步机制 (SNTP) 和足够的受信任证书。
产品安全
----------------