draft-ietf-suit-architecture-01.txt   draft-ietf-suit-architecture-02.txt 
SUIT B. Moran SUIT B. Moran
Internet-Draft Arm Limited Internet-Draft Arm Limited
Intended status: Informational M. Meriac Intended status: Informational M. Meriac
Expires: January 3, 2019 Consultant Expires: July 20, 2019 Consultant
H. Tschofenig H. Tschofenig
Arm Limited Arm Limited
D. Brown D. Brown
Linaro Linaro
July 02, 2018 January 16, 2019
A Firmware Update Architecture for Internet of Things Devices A Firmware Update Architecture for Internet of Things Devices
draft-ietf-suit-architecture-01 draft-ietf-suit-architecture-02
Abstract Abstract
Vulnerabilities with Internet of Things (IoT) devices have raised the Vulnerabilities with Internet of Things (IoT) devices have raised the
need for a solid and secure firmware update mechanism that is also need for a solid and secure firmware update mechanism that is also
suitable for constrained devices. Incorporating such update suitable for constrained devices. Incorporating such update
mechanism to fix vulnerabilities, to update configuration settings as mechanism to fix vulnerabilities, to update configuration settings as
well as adding new functionality is recommended by security experts. well as adding new functionality is recommended by security experts.
This document lists requirements and describes an architecture for a This document lists requirements and describes an architecture for a
skipping to change at page 1, line 41 skipping to change at page 1, line 41
symmetric key approach for very constrained devices. symmetric key approach for very constrained devices.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019. This Internet-Draft will expire on July 20, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this 10, 2008. The person(s) controlling the copyright in some of this
skipping to change at page 2, line 38 skipping to change at page 2, line 38
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3
3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Agnostic to how firmware images are distributed . . . . . 6 3.1. Agnostic to how firmware images are distributed . . . . . 6
3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 6 3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 7
3.3. Use state-of-the-art security mechanisms . . . . . . . . 7 3.3. Use state-of-the-art security mechanisms . . . . . . . . 7
3.4. Rollback attacks must be prevented . . . . . . . . . . . 7 3.4. Rollback attacks must be prevented . . . . . . . . . . . 7
3.5. High reliability . . . . . . . . . . . . . . . . . . . . 7 3.5. High reliability . . . . . . . . . . . . . . . . . . . . 8
3.6. Operate with a small bootloader . . . . . . . . . . . . . 8 3.6. Operate with a small bootloader . . . . . . . . . . . . . 8
3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 8 3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 8
3.8. Minimal impact on existing firmware formats . . . . . . . 8 3.8. Minimal impact on existing firmware formats . . . . . . . 9
3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 8 3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 9
3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 9 3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 9
4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Communication Architecture . . . . . . . . . . . . . . . . . 11 5. Communication Architecture . . . . . . . . . . . . . . . . . 11
6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7. Device Firmware Update Examples . . . . . . . . . . . . . . . 15 7. Device Firmware Update Examples . . . . . . . . . . . . . . . 16
7.1. Single CPU SoC . . . . . . . . . . . . . . . . . . . . . 16 7.1. Single CPU SoC . . . . . . . . . . . . . . . . . . . . . 16
7.2. Single CPU with Secure - Normal Mode Partitioning . . . . 16 7.2. Single CPU with Secure - Normal Mode Partitioning . . . . 16
7.3. Dual CPU, shared memory . . . . . . . . . . . . . . . . . 16 7.3. Dual CPU, shared memory . . . . . . . . . . . . . . . . . 16
7.4. Dual CPU, other bus . . . . . . . . . . . . . . . . . . . 16 7.4. Dual CPU, other bus . . . . . . . . . . . . . . . . . . . 16
8. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 17 8. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 17
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
11. Mailing List Information . . . . . . . . . . . . . . . . . . 19 11. Mailing List Information . . . . . . . . . . . . . . . . . . 19
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
13.1. Normative References . . . . . . . . . . . . . . . . . . 21 13.1. Normative References . . . . . . . . . . . . . . . . . . 21
13.2. Informative References . . . . . . . . . . . . . . . . . 21 13.2. Informative References . . . . . . . . . . . . . . . . . 21
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
When developing IoT devices, one of the most difficult problems to When developing IoT devices, one of the most difficult problems to
solve is how to update the firmware on the device. Once the device solve is how to update the firmware on the device. Once the device
is deployed, firmware updates play a critical part in its lifetime, is deployed, firmware updates play a critical part in its lifetime,
particularly when devices have a long lifetime, are deployed in particularly when devices have a long lifetime, are deployed in
remote or inaccessible areas or where manual intervention is cost remote or inaccessible areas where manual intervention is cost
prohibitive or otherwise difficult. The need for a firmware update prohibitive or otherwise difficult. Updates to the firmware of an
may be to fix bugs in software, to add new functionality, or to re- IoT device are done to fix bugs in software, to add new
configure the device. functionality, and to re-configure the device to work in new
environments or to behave differently in an already deployed context.
The firmware update process, among other goals, has to ensure that The firmware update process, among other goals, has to ensure that
- The firmware image is authenticated and attempts to flash a - The firmware image is authenticated and integrity protected.
malicious firmware image are prevented. Attempts to flash a modified firmware image or an image from an
unknown source are prevented.
- The firmware image can be confidentiality protected so that - The firmware image can be confidentiality protected so that
attempts by an adversary to recover the plaintext binary can be attempts by an adversary to recover the plaintext binary can be
prevented. Obtaining the plaintext binary is often one of the prevented. Obtaining the firmware is often one of the first steps
first steps for an attack to mount an attack. to mount an attack since it gives the adversary valuable insights
into used software libraries, configuration settings and generic
functionality (even though reverse engineering the binary can be a
tedious process).
More details about the security goals are discussed in Section 5 and
requirements are described in Section 3.
2. Conventions and Terminology 2. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119]. 2119 [RFC2119].
This document uses the following terms: This document uses the following terms:
skipping to change at page 4, line 27 skipping to change at page 4, line 33
bootloader is a security critical component its functionality may bootloader is a security critical component its functionality may
be split into separate stages. Such a multi-stage bootloader may be split into separate stages. Such a multi-stage bootloader may
offer very basic functionality in the first stage and resides in offer very basic functionality in the first stage and resides in
ROM whereas the second stage may implement more complex ROM whereas the second stage may implement more complex
functionality and resides in flash memory so that it can be functionality and resides in flash memory so that it can be
updated in the future (in case bugs have been found). The exact updated in the future (in case bugs have been found). The exact
split of components into the different stages, the number of split of components into the different stages, the number of
firmware images stored by an IoT device, and the detailed firmware images stored by an IoT device, and the detailed
functionality varies throughout different implementations. functionality varies throughout different implementations.
- Microcontroller (MCU for microcontroller unit): An MCU is a
compact integrated circuit designed for use in embedded systems.
A typical microcontroller includes a processor, memory (RAM and
flash), input/output (I/O) ports and other features connected via
some bus on a single chip. The term 'system on chip (SoC)' is
often used for these types of devices.
- System on Chip (SoC): An SoC is an integrated circuit that
integrates all components of a computer, such as CPU, memory,
input/output ports, secondary storage, etc.
- Homogeneous Storage Architecture (HoSA): A device that stores all
firmware components in the same way, for example in a file system
or in flash memory.
- Heterogeneous Storage Architecture (HeSA): A device that stores at
least one firmware component differently from the rest, for
example a device with an external, updatable radio, or a device
with internal and external flash memory.
The following entities are used: The following entities are used:
- Author: The author is the entity that creates the firmware image. - Author: The author is the entity that creates the firmware image.
There may be multiple authors in a system either when a device There may be multiple authors in a system either when a device
consists of multiple micro-controllers or when the the final consists of multiple micro-controllers or when the the final
firmware image consists of software components from multiple firmware image consists of software components from multiple
companies. companies.
- Device: The device is the recipient of the firmware image and the - Firmware Consumer: The firmware consumer is the recipient of the
manifest. The goal is to update the firmware of the device. A firmware image and the manifest.
single device may need to obtain more than one firmware image and
manifest to succesfully perform an update.
- Communicator: The communicator component of the device interacts - Device: A device refers to the entire IoT product, which consists
with the firmware update server. It receives firmware images and of one or many MCUs, sensors and/or actuators. Many IoT devices
triggers an update, if needed. The communicator either polls a sold today contain multiple MCUs and therefore a single device may
firmware update server for the most recent manifest/firmware or need to obtain more than one firmware image and manifest to
manifests/firmware images are pushed to it. Note that the succesfully perform an update. The terms device and firmware
firmware update process may involve multiple stages since one or consumer are used interchangably since the firmware consumer is
multiple manifests may need to be downloaded before the one software component running on an MCU on the device.
communicator can fetch one or multiple firmware images/software
components.
- Status Tracker: The status tracker offers device management - Status Tracker: The status tracker offers device management
functionality that includes keep track of the firmware update functionality that includes keep track of the firmware update
process. This includes fine-grained monitoring of changes at the process. This includes fine-grained monitoring of changes at the
device, for example, what state of the firmware update cycle the device, for example, what state of the firmware update cycle the
device is currently in. device is currently in.
- Firmware Server: Entity that stores firmware images and manifests. - Firmware Server: The firmware server stores firmware images and
Some deployments may require storage of the firmware images/ manifests and distributes them to IoT devices. Some deployments
manifests on more than one entities before they reach the device. may require a store-and-forward concept, which requires storing
the firmware images/manifests on more than one entity before
they reach the device.
- Device Operator: The actor responsible for the day-to-day - Device Operator: The actor responsible for the day-to-day
operation of a fleet of IoT devices. operation of a fleet of IoT devices.
- Network Operator: The actor responsible for the operation of a - Network Operator: The actor responsible for the operation of a
network to which IoT devices connect. network to which IoT devices connect.
In addition to the entities in the list above there is an orthogonal In addition to the entities in the list above there is an orthogonal
infrastructure with a Trust Provisioning Authority (TPA) distributing infrastructure with a Trust Provisioning Authority (TPA) distributing
trust anchors and authorization permissions to various entities in trust anchors and authorization permissions to various entities in
skipping to change at page 5, line 42 skipping to change at page 6, line 19
- "A trust anchor represents an authoritative entity via a public - "A trust anchor represents an authoritative entity via a public
key and associated data. The public key is used to verify digital key and associated data. The public key is used to verify digital
signatures, and the associated data is used to constrain the types signatures, and the associated data is used to constrain the types
of information for which the trust anchor is authoritative." of information for which the trust anchor is authoritative."
- "A trust anchor store is a set of one or more trust anchors stored - "A trust anchor store is a set of one or more trust anchors stored
in a device. A device may have more than one trust anchor store, in a device. A device may have more than one trust anchor store,
each of which may be used by one or more applications." each of which may be used by one or more applications."
Furthermore, the following abbreviations are used in this document:
- Microcontroller (MCU for microcontroller unit) is a small computer
on a single integrated circuit, which is often used for mass
volumne IoT devices.
- System on Chip (SoC) is an integrated circuit that integrates all
components of a computer, such as CPU, memory, input/output ports,
secondary storage, etc.
- Homogeneous Storage Architecture (HoSA): A device that stores all
firmware components in the same way, for example in a file system
or in flash memory.
- Heterogeneous Storage Architecture (HeSA): A device that stores at
least one firmware component differently from the rest, for
example a device with an external, updatable radio, or a device
with internal and external flash memory.
3. Requirements 3. Requirements
The firmware update mechanism described in this specification was The firmware update mechanism described in this specification was
designed with the following requirements in mind: designed with the following requirements in mind:
- Agnostic to how firmware images are distributed - Agnostic to how firmware images are distributed
- Friendly to broadcast delivery - Friendly to broadcast delivery
- Use state-of-the-art security mechanisms - Use state-of-the-art security mechanisms
skipping to change at page 6, line 49 skipping to change at page 7, line 7
3.1. Agnostic to how firmware images are distributed 3.1. Agnostic to how firmware images are distributed
Firmware images can be conveyed to devices in a variety of ways, Firmware images can be conveyed to devices in a variety of ways,
including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and
use different protocols (e.g., CoAP, HTTP). The specified mechanism use different protocols (e.g., CoAP, HTTP). The specified mechanism
needs to be agnostic to the distribution of the firmware images and needs to be agnostic to the distribution of the firmware images and
manifests. manifests.
3.2. Friendly to broadcast delivery 3.2. Friendly to broadcast delivery
This architecture does not specify any specific broadcast protocol This architecture does not specify any specific broadcast protocol.
however, given that broadcast may be desirable for some networks, However, given that broadcast may be desirable for some networks,
updates must cause the least disruption possible both in metadata and updates must cause the least disruption possible both in metadata and
payload transmission. payload transmission.
For an update to be broadcast friendly, it cannot rely on link layer, For an update to be broadcast friendly, it cannot rely on link layer,
network layer, or transport layer security. In addition, the same network layer, or transport layer security. In addition, the same
message must be deliverable to many devices, both those to which it message must be deliverable to many devices, both those to which it
applies and those to which it does not, without a chance that the applies and those to which it does not, without a chance that the
wrong device will accept the update. Considerations that apply to wrong device will accept the update. Considerations that apply to
network broadcasts apply equally to the use of third-party content network broadcasts apply equally to the use of third-party content
distribution networks for payload distribution. distribution networks for payload distribution.
skipping to change at page 9, line 30 skipping to change at page 9, line 41
3.10. Operating modes 3.10. Operating modes
There are three broad classifications of update operating modes. There are three broad classifications of update operating modes.
- Client-initiated Update - Client-initiated Update
- Server-initiated Update - Server-initiated Update
- Hybrid Update - Hybrid Update
Client-initiated updates take the form of a communicator on a device Client-initiated updates take the form of a firmware consumer on a
proactively checking for new firmware imagines provided by firmware device proactively checking (polling) for new firmware images.
servers.
Server-initiated updates are important to consider because timing of Server-initiated updates are important to consider because timing of
updates may need to be tightly controlled in some high- reliability updates may need to be tightly controlled in some high- reliability
environments. In this case the communicator, potentially in environments. In this case the status tracker determines what
coordination with the status tracker, determines what devices qualify devices qualify for a firmware update. Once those devices have been
for a firmware update. Once those devices have been selected the selected the firmware server distributes updates to the firmware
firmware server distributes updates to those devices. consumers.
Note: This assumes that the firmware server is able to reach the Note: This assumes that the status tracker is able to reach the
device, which may require devices to keep reachability information at device, which may require devices to keep reachability information at
the communicator and / or at the firmware server up-to-date. This the status tracker up-to-date. This may also require keeping state
may also require keeping state at NATs and stateful packet filtering at NATs and stateful packet filtering firewalls alive.
firewalls alive.
Hybrid updates are those that require an interaction between the Hybrid updates are those that require an interaction between the
device and the firmware server / communicator. The communicator firmware consumer and the status tracker. The status tracker pushes
pushes notifications of availability of an update to the device, and notifications of availability of an update to the firmware consumer,
the device then downloads the image from the firmware server when it and it then downloads the image from a firmware server as soon as
wants. possible.
An alternative approach is to consider the steps a device has to go An alternative view to the operating modes is to consider the steps a
through in the course of an update: device has to go through in the course of an update:
- Notification - Notification
- Pre-authorisation - Pre-authorisation
- Dependency resolution - Dependency resolution
- Download - Download
- Installation - Installation
The notification step consists of the communicator informing the The notification step consists of the status tracker informing the
device that an update is available. This can be accomplished via firmware consumer that an update is available. This can be
polling (client-initiated), push notifications (server-initiated), or accomplished via polling (client-initiated), push notifications
more complex mechanisms. (server-initiated), or more complex mechanisms.
The pre-authorisation step involves verifying whether the entity The pre-authorisation step involves verifying whether the entity
signing the manifest is indeed authorized to perform an update. The signing the manifest is indeed authorized to perform an update. The
device must also determine whether it should fetching and processing firmware consumer must also determine whether it should fetch and
of the firmware image (unless it has been attached already to the process a firmware image, which is referenced in a manifest.
manifest itself).
A dependency resolution phase is needed when more than one component A dependency resolution phase is needed when more than one component
can be updated or when a differential update is used. The necessary can be updated or when a differential update is used. The necessary
dependencies must be available prior to installation. dependencies must be available prior to installation.
The download step is the process of acquiring a local copy of the The download step is the process of acquiring a local copy of the
firmware image. When the download is client-initiated, this means firmware image. When the download is client-initiated, this means
that the device chooses when a download occurs and initiates the that the firmware consumer chooses when a download occurs and
download process. When a download is server-party initiated, this initiates the download process. When a download is server-initiated,
means that either the communicator / firmware server tells the device this means that the status tracker tells the device when to download
when to download or that it initiates the transfer directly to the or that it initiates the transfer directly to the firmware consumer.
device. For example, a download from an HTTP-based firmware server For example, a download from an HTTP-based firmware server is client-
is client-initiated. A transfer to a LwM2M Firmware Update resource initiated. Pushing a manifest and firmware image to the transfer to
[LwM2M] is server-initiated. the Package resource of the LwM2M Firmware Update object [LwM2M] is
server-initiated.
If the Device has downloaded a new firmware image and is ready to If the firmware consumer has downloaded a new firmware image and is
install it it may need to wait for a trigger from a Communicator to ready to install it, it may need to wait for a trigger from the
install the firmware update, may trigger the update automatically, or status tracker to initiate the installation, may trigger the update
may go through a more complex decision making process to determine automatically, or may go through a more complex decision making
the appropriate timing for an update (such as delaying the update process to determine the appropriate timing for an update (such as
process to a later time when end users are less impacted by the delaying the update process to a later time when end users are less
update process). impacted by the update process).
Installation is the act of processing the payload into a format that Installation is the act of processing the payload into a format that
the IoT device can recognise and the bootloader is responsible for the IoT device can recognise and the bootloader is responsible for
then booting from the newly installed firmware image. then booting from the newly installed firmware image.
Each of these steps may require different permissions. Each of these steps may require different permissions.
4. Claims 4. Claims
Claims in the manifest offer a way to convey instructions to a device Claims in the manifest offer a way to convey instructions to a device
skipping to change at page 11, line 41 skipping to change at page 11, line 49
- Only allow a firmware installation if dependencies have been met. - Only allow a firmware installation if dependencies have been met.
- Choose the mechanism to install the firmware, based on the type of - Choose the mechanism to install the firmware, based on the type of
firmware it is. firmware it is.
5. Communication Architecture 5. Communication Architecture
Figure 1 shows the communication architecture where a firmware image Figure 1 shows the communication architecture where a firmware image
is created by an author, and uploaded to a firmware server. The is created by an author, and uploaded to a firmware server. The
firmware image/manifest is distributed to the device either in a push firmware image/manifest is distributed to the device either in a push
or pull manner using the communicator residing on the device. The or pull manner using the firmware consumer residing on the device.
device operator keeps track of the process using the status tracker. The device operator keeps track of the process using the status
This allows the device operator to know and control what devices have tracker. This allows the device operator to know and control what
received an update and which of them are still pending an update. devices have received an update and which of them are still pending
an update.
Firmware + +----------+ Firmware + +-----------+ Firmware + +----------+ Firmware + +-----------+
Manifest | |-+ Manifest | |-+ Manifest | |-+ Manifest | |-+
+--------->| Firmware | |<---------------| | | +--------->| Firmware | |<---------------| | |
| | Server | | | Author | | | | Server | | | Author | |
| | | | | | | | | | | | | |
| +----------+ | +-----------+ | | +----------+ | +-----------+ |
| +----------+ +-----------+ | +----------+ +-----------+
| |
| |
| |
-+-- ------ -+-- ------
---- | ---- ---- ---- ---- | ---- ---- ----
// | \\ // \\ // | \\ // \\
/ | \ / \ / | \ / \
/ | \ / \ / | \ / \
/ | \ / \ / | \ / \
/ | \ / \ / | \ / \
| v | | | | v | | |
| +------------+ | | +------------+ |
| |Communicator| | | | | | Firmware | | | |
| +--------+---+ | Device | +--------+ | | | Consumer | | Device | +--------+ |
| | | | Management| | | | | +------------+ | Management| | | |
| | Device |<----------------------------->| Status | | | | |<------------------------->| Status | |
| | | | | | Tracker| | | | Device | | | | Tracker| |
| +--------+ | || | | | | +------------+ | || | | |
| | || +--------+ | | | || +--------+ |
| | | | | | | |
| | \ / | | \ /
\ / \ / \ / \ /
\ / \ Device / \ / \ Device /
\ Network / \ Operator / \ Network / \ Operator /
\ Operator / \\ // \ Operator / \\ //
\\ // ---- ---- \\ // ---- ----
---- ---- ------ ---- ---- ------
----- -----
skipping to change at page 13, line 21 skipping to change at page 13, line 21
^ * ^ *
* * * *
************************************************************ ************************************************************
End-to-End Security End-to-End Security
Figure 2: End-to-End Security. Figure 2: End-to-End Security.
Whether the firmware image and the manifest is pushed to the device Whether the firmware image and the manifest is pushed to the device
or fetched by the device is a deployment specific decision. or fetched by the device is a deployment specific decision.
The following assumptions are made to allow the device to verify the The following assumptions are made to allow the firmware consumer to
received firmware image and manifest before updating software: verify the received firmware image and manifest before updating
software:
- To accept an update, a device needs to verify the signature - To accept an update, a device needs to verify the signature
covering the manifest. There may be one or multiple manifests covering the manifest. There may be one or multiple manifests
that need to be validated, potentially signed by different that need to be validated, potentially signed by different
parties. The device needs to be in possession of the trust parties. The device needs to be in possession of the trust
anchors to verify those signatures. Installing trust anchors to anchors to verify those signatures. Installing trust anchors to
devices via the Trust Provisioning Authority happens in an out-of- devices via the Trust Provisioning Authority happens in an out-of-
band fashion prior to the firmware update process. band fashion prior to the firmware update process.
- Not all entities creating and signing manifests have the same - Not all entities creating and signing manifests have the same
skipping to change at page 13, line 49 skipping to change at page 13, line 50
- For confidentiality protection of firmware images the author needs - For confidentiality protection of firmware images the author needs
to be in possession of the certificate/public key or a pre-shared to be in possession of the certificate/public key or a pre-shared
key of a device. The use of confidentiality protection of key of a device. The use of confidentiality protection of
firmware images is deployment specific. firmware images is deployment specific.
There are different types of delivery modes, which are illustrated There are different types of delivery modes, which are illustrated
based on examples below. based on examples below.
There is an option for embedding a firmware image into a manifest. There is an option for embedding a firmware image into a manifest.
This is a useful approach for deployments where devices are not This is a useful approach for deployments where devices are not
connected to the Internet and cannot contact a dedicated server for connected to the Internet and cannot contact a dedicated firmware
download of the firmware. It is also applicable when the firmware server for the firmware download. It is also applicable when the
update happens via a USB stick or via Bluetooth Smart. Figure 3 firmware update happens via a USB stick or via Bluetooth Smart.
shows this delivery mode graphically. Figure 3 shows this delivery mode graphically.
/------------\ /------------\ /------------\ /------------\
/Manifest with \ /Manifest with \ /Manifest with \ /Manifest with \
|attached | |attached | |attached | |attached |
\firmware image/ \firmware image/ \firmware image/ \firmware image/
\------------/ +-----------+ \------------/ \------------/ +-----------+ \------------/
+--------+ | | +--------+ +--------+ | | +--------+
| |<.................| Firmware |<................| | | |<.................| Firmware |<................| |
| Device | | Server | | Author | | Device | | Server | | Author |
| | | | | | | | | | | |
skipping to change at page 17, line 9 skipping to change at page 17, line 13
commonly used to offload specific work to other CPUs. Firmware commonly used to offload specific work to other CPUs. Firmware
dependencies are similar to the other solutions above, sometimes dependencies are similar to the other solutions above, sometimes
allowing only one image to be upgraded, other times requiring several allowing only one image to be upgraded, other times requiring several
to be upgraded atomically. Because the updates are happening on to be upgraded atomically. Because the updates are happening on
multiple CPUs, upgrading the two images atomically is challenging. multiple CPUs, upgrading the two images atomically is challenging.
8. Example Flow 8. Example Flow
The following example message flow illustrates the interaction for The following example message flow illustrates the interaction for
distributing a firmware image to a device starting with an author distributing a firmware image to a device starting with an author
uploading the new firmware to Firmware Server and creating a uploading the new firmware to firmware server and creating a
manifest. The firmware and manifest are stored on the same Firmware manifest. The firmware and manifest are stored on the same firmware
Server. server.
+--------+ +-----------------+ +------------+ +----------+ +--------+ +-----------------+ +------------+ +----------+
| Author | | Firmware Server | |Communicator| |Bootloader| | Author | | Firmware Server | |FW Consuumer| |Bootloader|
+--------+ +-----------------+ +------------+ +----------+ +--------+ +-----------------+ +------------+ +----------+
| | | + | | | +
| Create Firmware | | | | Create Firmware | | |
|--------------- | | | |--------------- | | |
| | | | | | | | | |
|<-------------- | | | |<-------------- | | |
| | | | | | | |
| Upload Firmware | | | | Upload Firmware | | |
|------------------>| | | |------------------>| | |
| | | | | | | |
skipping to change at page 19, line 43 skipping to change at page 19, line 50
protecting the manifest. protecting the manifest.
- incentives for manufacturers to offer a firmware update mechanism - incentives for manufacturers to offer a firmware update mechanism
as part of their IoT products. as part of their IoT products.
11. Mailing List Information 11. Mailing List Information
The discussion list for this document is located at the e-mail The discussion list for this document is located at the e-mail
address suit@ietf.org [1]. Information on the group and information address suit@ietf.org [1]. Information on the group and information
on how to subscribe to the list is at on how to subscribe to the list is at
https://www1.ietf.org/mailman/listinfo/suit https://www1.ietf.org/mailman/listinfo/suit [2]
Archives of the list can be found at: https://www.ietf.org/mail- Archives of the list can be found at: https://www.ietf.org/mail-
archive/web/suit/current/index.html archive/web/suit/current/index.html [3]
12. Acknowledgements 12. Acknowledgements
We would like to thank the following persons for their feedback: We would like to thank the following persons for their feedback:
- Geraint Luff - Geraint Luff
- Amyas Phillips - Amyas Phillips
- Dan Ros - Dan Ros
skipping to change at page 20, line 45 skipping to change at page 20, line 47
- Marti Bolivar - Marti Bolivar
- Andrzej Puzdrowski - Andrzej Puzdrowski
- Markus Gueller - Markus Gueller
- Henk Birkholz - Henk Birkholz
- Jintao Zhu - Jintao Zhu
- Takeshi Takahashi
We would also like to thank the WG chairs, Russ Housley, David We would also like to thank the WG chairs, Russ Housley, David
Waltermire, Dave Thaler for their support and their reviews. Waltermire, Dave Thaler for their support and their reviews.
Kathleen Moriarty was the responsible security area director when Kathleen Moriarty was the responsible security area director when
this work was started. this work was started.
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS) Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925, Profiles for the Internet of Things", RFC 7925,
DOI 10.17487/RFC7925, July 2016, <https://www.rfc- DOI 10.17487/RFC7925, July 2016,
editor.org/info/rfc7925>. <https://www.rfc-editor.org/info/rfc7925>.
13.2. Informative References 13.2. Informative References
[I-D.ietf-suit-information-model] [I-D.ietf-suit-information-model]
Moran, B., Tschofenig, H., Birkholz, H., and J. Jimenez, Moran, B., Tschofenig, H., and H. Birkholz, "Firmware
"Firmware Updates for Internet of Things Devices - An Updates for Internet of Things Devices - An Information
Information Model for Manifests", draft-ietf-suit- Model for Manifests", draft-ietf-suit-information-model-01
information-model-00 (work in progress), June 2018. (work in progress), July 2018.
[LwM2M] OMA, ., "Lightweight Machine to Machine Technical [LwM2M] OMA, ., "Lightweight Machine to Machine Technical
Specification, Version 1.0.2", February 2018, Specification, Version 1.0.2", February 2018,
<http://www.openmobilealliance.org/release/LightweightM2M/ <http://www.openmobilealliance.org/release/LightweightM2M/
V1_0_2-20180209-A/ V1_0_2-20180209-A/
OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>. OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>.
[RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard
(AES) Key Wrap with Padding Algorithm", RFC 5649, (AES) Key Wrap with Padding Algorithm", RFC 5649,
DOI 10.17487/RFC5649, September 2009, <https://www.rfc- DOI 10.17487/RFC5649, September 2009,
editor.org/info/rfc5649>. <https://www.rfc-editor.org/info/rfc5649>.
[RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management
Requirements", RFC 6024, DOI 10.17487/RFC6024, October Requirements", RFC 6024, DOI 10.17487/RFC6024, October
2010, <https://www.rfc-editor.org/info/rfc6024>. 2010, <https://www.rfc-editor.org/info/rfc6024>.
[RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet
of Things Software Update (IoTSU) Workshop 2016", of Things Software Update (IoTSU) Workshop 2016",
RFC 8240, DOI 10.17487/RFC8240, September 2017, RFC 8240, DOI 10.17487/RFC8240, September 2017,
<https://www.rfc-editor.org/info/rfc8240>. <https://www.rfc-editor.org/info/rfc8240>.
13.3. URIs 13.3. URIs
[1] mailto:suit@ietf.org [1] mailto:suit@ietf.org
[2] https://www1.ietf.org/mailman/listinfo/suit
[3] https://www.ietf.org/mail-archive/web/suit/current/index.html
Authors' Addresses Authors' Addresses
Brendan Moran Brendan Moran
Arm Limited Arm Limited
EMail: Brendan.Moran@arm.com EMail: Brendan.Moran@arm.com
Milosch Meriac Milosch Meriac
Consultant Consultant
 End of changes. 47 change blocks. 
131 lines changed or deleted 144 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/