
Ubuntu Core 20 adds secure boot and startup service

Feb 2, 2021 — by Eric Brown

Canonical has released Ubuntu Core 20, an embedded variant of Ubuntu 20.04 LTS, adding secure boot and full disk encryption. There is also a Smart Start service to help launch Ubuntu Core based products.

Canonical announced the release of Ubuntu Core 20, its minimalist, containerized version of Ubuntu Linux for IoT devices and embedded systems. Following earlier releases such as Ubuntu Core 18 from 2019, Ubuntu Core 20 is based on Ubuntu 20.04 LTS, the long-term support release that preceded the recent Ubuntu 20.10.

The key improvement to Ubuntu Core 20 is device security, with new features including secure boot, full disk encryption, and secure device recovery. Canonical has also launched an Ubuntu Core service called Smart Start that provides “a fixed-price engagement to launch a device that covers consulting, engineering and updates for the first 1000 devices on certified hardware.”



Ubuntu Core security architecture with secure boot and full disk encryption

Because Ubuntu Core is primarily designed for the still relatively small number of embedded devices that offer a range of different apps, it is not as widely used as desktop Ubuntu in the embedded community. However, “tens of thousands” of industrial and consumer IoT devices run Ubuntu Core with the distribution available on systems from Bosch Rexroth, Dell, ABB, Rigado, Plus One Robotics, Jabil, and more, says Canonical. Ubuntu Core has been forked for hacker board projects, such as FriendlyElec’s FriendlyCore, which runs on many of its NanoPi SBCs.

Testimonial quotes were provided by Advantech, Bosch Rexroth, Intel, Plus One Robotics, and Rigado (see farther below). Raspberry Pi CEO Eben Upton offers a thumbs up, recommending a pairing of Ubuntu Core with the Raspberry Pi Compute Module.

 
Secure boot and full disk encryption

Ubuntu Core is already one of the more secure embedded Linux distros around. Its “snap” apps are containerized, and it offers transactional updates, among other security features. Snaps are securely confined, read-only, tamper-proof application images that are digitally signed to ensure integrity.

Update controls allow app publishers and device vendors to validate updates across the ecosystem before they are applied. Snaps are also transactional, so failures are automatically rolled back. A universal or device-specific white label snap app store is also baked into the distribution.

As with Ubuntu Core 18, which featured a reduced attack surface, security is the main attraction of the latest release. Ubuntu Core 20 authenticates the boot process by default, with authentication based on the verification of digital signatures. Ubuntu Core supports both hardware and software root of trust for secure boot and enables security admins to create and store the digital keys used to validate the boot sequence in a secure element, a TPM device, or a software TEE.

Ubuntu Core uses digital signatures to cryptographically ensure data integrity. Private key based cryptographic signatures “can attest to the actual data at the time of signing,” says Canonical. “At any point in the workflow, the integrity of signed data can be validated, thereby ensuring the integrity prior to applying software and firmware updates.”

The new secure boot and full disk encryption features are available out of the box on certified devices such as Raspberry Pi boards, a variety of Intel NUC computers, and other Arm and x86 based devices from Dell, Qualcomm, Eurotech, Rigado, Mellanox, and Interactive Strength. (TPM support is currently required for full disk encryption certification.) Canonical charges a fee for certifying other devices.

 
Smart Start

The Smart Start service is designed to help companies quickly bring to market their first Ubuntu Core powered devices. Services include training, embedded engineering, app development, backend hosting, software update infrastructure, maintenance, and after-sales customer support. Optional, extra-cost services include secure boot, kernel livepatch, full disk encryption, and board bring-up, including customized kernels and BSP integration.



Smart Start conceptual diagram

Projects can typically be ported to Ubuntu Core within two weeks. The typical service offering costs $30,000 for up to 1,000 devices, which includes the development of three custom snaps. Canonical also lists weekly and monthly fees for security updates and app store services. Additional pricing is also detailed for secure boot, device enablement, FIPS certification, kernel livepatch, and MicroK8s implementation.

Canonical has increasing competition in edge IoT solutions that use Linux container technologies. Other examples include balena (formerly Resin.io) and Nubix.io’s free, lightweight Nubix edge-container platform for IoT. Last week, Zededa launched its Zededa cloud-native stack for orchestrating distributed edge computers. Based on the open source, Linux-based EVE-OS from the Linux Foundation’s LF Edge project, Zededa supports Docker, Kubernetes, and VMs, and features an app store and zero trust security. As with Smart Start, there is also a service offering.

“Building Bosch’s new ctrlX AUTOMATION app store with Ubuntu Core and snaps creates a software-defined industrial manufacturing platform with an open ecosystem, faster time to production and stronger security throughout the device lifecycle,” stated Hans-Michael Krause, Director Product Management PLC and IoT at Bosch Rexroth. “Industrial machine builders using this platform can break down the traditional barriers between IT and OT and free themselves from proprietary systems.”

“Secure boot built into Ubuntu Core 20 by default will make it easier for us to deploy new devices and deliver the high security levels our customers demand,” stated Justin Rigling, CTO at Rigado.

 
Further information

Ubuntu Core 20 is available now for free download, and the Smart Start service is available starting at $30,000. More information may be found in Canonical’s announcement, as well as the Ubuntu Core product page and Smart Start page. Canonical is hosting a webinar on Ubuntu Core to be held Feb. 24.
 
