Signed Firmware Status Notification

Source: OCPP 1.6 Security Whitepaper Edition 2 (2020-03-31) — Use Case L01 (Secure Firmware Update), Sections 5.19 / 5.20 (Messages)

Overview

The Charge Point uses SignedFirmwareStatusNotification.req to inform the Central System about the progress of a secure firmware update started by SignedUpdateFirmware.req. This message is the OCPP 2.0.1 FirmwareStatusNotification ported into OCPP 1.6 — it was renamed to avoid clashing with the legacy FirmwareStatusNotification.req from OCPP 1.6 (which is used only for the unsigned update path).

Whenever the CP enters a new state in the firmware update process, it SHALL send a SignedFirmwareStatusNotification.req with the new status. Every notification for a specific update SHALL contain the same requestId as the SignedUpdateFirmware.req that started the update.

The requestId field is mandatory unless status = Idle. Idle is only returned in response to an ExtendedTriggerMessage.req for FirmwareStatusNotification when there is no firmware update ongoing. Possible "last sent" values when triggered:

• Last sent status was Installed → CP returns Idle.
• Last sent status was anything else → CP returns the last sent status.

Behavioural rules:

• On entering the Invalid Certificate state, the CP SHALL also send a SecurityEventNotification.req(InvalidFirmwareSigningCertificate).
• On entering the Invalid Signature state, the CP SHALL also send a SecurityEventNotification.req(InvalidFirmwareSignature).
• If a reboot is required before installing, the CP SHALL send InstallRebooting before rebooting.
• If installDateTime was set in the future, the CP SHALL send InstallScheduled and install the firmware at the specified time.
• The CP MAY omit Installing if the bootloader cannot send OCPP messages.

Sequence Diagram

Excerpt of Figure 13. Secure firmware update happy flow

Charge Point  ──── SignedFirmwareStatusNotification.req ────▶  Central System
                   (status, requestId?)
Charge Point  ◀─── SignedFirmwareStatusNotification.conf ────  Central System

(repeated for each state: Downloading → Downloaded → SignatureVerified
 → Installing → Installed)

Initiator

Charge Point → Central System

Fields

FirmwareStatusEnumType values

Intermediate states (update process not finished):

• Downloaded — New firmware has been downloaded by the Charge Point.
• Downloading — Firmware is being downloaded.
• DownloadScheduled — Downloading of new firmware has been scheduled.
• DownloadPaused — Downloading has been paused.
• Installing — Firmware is being installed.
• InstallRebooting — Charge Point is about to reboot to activate new firmware. MAY be omitted if the reboot is integral to the install.
• InstallScheduled — Installation is scheduled for installDateTime.
• SignatureVerified — Firmware signature successfully verified.

End states (update process stopped):

• Installed — Successful end state. New firmware has successfully been installed.
• DownloadFailed — Failure end state. Charge Point failed to download firmware.
• InstallationFailed — Failure end state. Installation of new firmware has failed.
• InstallVerificationFailed — Failure end state. Verification of the new firmware (e.g. checksum) failed and installation will not proceed.
• InvalidSignature — Failure end state. The firmware signature is not valid.

Other:

• Idle — Charge Point is not performing firmware update related tasks. SHALL only be used in a SignedFirmwareStatusNotification.req triggered by ExtendedTriggerMessage.req.

Examples

{
  "status": "Downloading",
  "requestId": 123
}

{
  "status": "Installed",
  "requestId": 123
}

{
  "status": "Idle"
}

{}

Schema

Source: schemas/SignedFirmwareStatusNotification.json, schemas/SignedFirmwareStatusNotificationResponse.json (OCPP 1.6 Security Whitepaper, JSON Schema draft-06)