| < draft-ietf-suit-architecture-00.txt | draft-ietf-suit-architecture-01.txt > | |||
|---|---|---|---|---|
| SUIT B. Moran | SUIT B. Moran | |||
| Internet-Draft Arm Limited | Internet-Draft Arm Limited | |||
| Intended status: Informational M. Meriac | Intended status: Informational M. Meriac | |||
| Expires: December 5, 2018 Consultant | Expires: January 3, 2019 Consultant | |||
| H. Tschofenig | H. Tschofenig | |||
| Arm Limited | Arm Limited | |||
| June 03, 2018 | D. Brown | |||
| Linaro | ||||
| July 02, 2018 | ||||
| A Firmware Update Architecture for Internet of Things Devices | A Firmware Update Architecture for Internet of Things Devices | |||
| draft-ietf-suit-architecture-00 | draft-ietf-suit-architecture-01 | |||
| Abstract | Abstract | |||
| Vulnerabilities with Internet of Things (IoT) devices have raised the | Vulnerabilities with Internet of Things (IoT) devices have raised the | |||
| need for a solid and secure firmware update mechanism that is also | need for a solid and secure firmware update mechanism that is also | |||
| suitable for constrained devices. Incorporating such update | suitable for constrained devices. Incorporating such update | |||
| mechanism to fix vulnerabilities, to update configuration settings as | mechanism to fix vulnerabilities, to update configuration settings as | |||
| well as adding new functionality is recommended by security experts. | well as adding new functionality is recommended by security experts. | |||
| This document lists requirements and describes an architecture for a | This document lists requirements and describes an architecture for a | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 48 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 5, 2018. | This Internet-Draft will expire on January 3, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 | |||
| 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Agnostic to how firmware images are distributed . . . . . 5 | 3.1. Agnostic to how firmware images are distributed . . . . . 6 | |||
| 3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 5 | 3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 6 | |||
| 3.3. Use state-of-the-art security mechanisms . . . . . . . . 5 | 3.3. Use state-of-the-art security mechanisms . . . . . . . . 7 | |||
| 3.4. Rollback attacks must be prevented . . . . . . . . . . . 6 | 3.4. Rollback attacks must be prevented . . . . . . . . . . . 7 | |||
| 3.5. High reliability . . . . . . . . . . . . . . . . . . . . 6 | 3.5. High reliability . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.6. Operate with a small bootloader . . . . . . . . . . . . . 6 | 3.6. Operate with a small bootloader . . . . . . . . . . . . . 8 | |||
| 3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 7 | 3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.8. Minimal impact on existing firmware formats . . . . . . . 7 | 3.8. Minimal impact on existing firmware formats . . . . . . . 8 | |||
| 3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 7 | 3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 8 | 3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Communication Architecture . . . . . . . . . . . . . . . . . 11 | |||
| 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 13 | 7. Device Firmware Update Examples . . . . . . . . . . . . . . . 15 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 7.1. Single CPU SoC . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | 7.2. Single CPU with Secure - Normal Mode Partitioning . . . . 16 | |||
| 10. Mailing List Information . . . . . . . . . . . . . . . . . . 16 | 7.3. Dual CPU, shared memory . . . . . . . . . . . . . . . . . 16 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 | 7.4. Dual CPU, other bus . . . . . . . . . . . . . . . . . . . 16 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 8. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 17 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 17 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 11. Mailing List Information . . . . . . . . . . . . . . . . . . 19 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | ||||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 21 | ||||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | ||||
| 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| 1. Introduction | 1. Introduction | |||
| When developing IoT devices, one of the most difficult problems to | When developing IoT devices, one of the most difficult problems to | |||
| solve is how to update the firmware on the device. Once the device | solve is how to update the firmware on the device. Once the device | |||
| is deployed, firmware updates play a critical part in its lifetime, | is deployed, firmware updates play a critical part in its lifetime, | |||
| particularly when devices have a long lifetime, are deployed in | particularly when devices have a long lifetime, are deployed in | |||
| remote or inaccessible areas or where manual intervention is cost | remote or inaccessible areas or where manual intervention is cost | |||
| prohibitive or otherwise difficult. The need for a firmware update | prohibitive or otherwise difficult. The need for a firmware update | |||
| may be to fix bugs in software, to add new functionality, or to re- | may be to fix bugs in software, to add new functionality, or to re- | |||
| configure the device. | configure the device. | |||
| The firmware update process has to ensure that | The firmware update process, among other goals, has to ensure that | |||
| - The firmware image is authenticated and attempts to flash a | - The firmware image is authenticated and attempts to flash a | |||
| malicious firmware image are prevented. | malicious firmware image are prevented. | |||
| - The firmware image can be confidentiality protected so that | - The firmware image can be confidentiality protected so that | |||
| attempts by an adversary to recover the plaintext binary can be | attempts by an adversary to recover the plaintext binary can be | |||
| prevented. Obtaining the plaintext binary is often one of the | prevented. Obtaining the plaintext binary is often one of the | |||
| first steps for an attack to mount an attack. | first steps for an attack to mount an attack. | |||
| 2. Conventions and Terminology | 2. Conventions and Terminology | |||
| skipping to change at page 4, line 23 ¶ | skipping to change at page 4, line 29 ¶ | |||
| offer very basic functionality in the first stage and resides in | offer very basic functionality in the first stage and resides in | |||
| ROM whereas the second stage may implement more complex | ROM whereas the second stage may implement more complex | |||
| functionality and resides in flash memory so that it can be | functionality and resides in flash memory so that it can be | |||
| updated in the future (in case bugs have been found). The exact | updated in the future (in case bugs have been found). The exact | |||
| split of components into the different stages, the number of | split of components into the different stages, the number of | |||
| firmware images stored by an IoT device, and the detailed | firmware images stored by an IoT device, and the detailed | |||
| functionality varies throughout different implementations. | functionality varies throughout different implementations. | |||
| The following entities are used: | The following entities are used: | |||
| - Author: The author is the entity that creates the firmware image, | - Author: The author is the entity that creates the firmware image. | |||
| signs and/or encrypts it. The author is most likely a developer | There may be multiple authors in a system either when a device | |||
| using a set of tools. | consists of multiple micro-controllers or when the the final | |||
| firmware image consists of software components from multiple | ||||
| companies. | ||||
| - Device: The device is the recipient of the firmware image and the | - Device: The device is the recipient of the firmware image and the | |||
| manifest. The goal is to update the firmware of the device. | manifest. The goal is to update the firmware of the device. A | |||
| single device may need to obtain more than one firmware image and | ||||
| manifest to succesfully perform an update. | ||||
| - Untrusted Storage: Firmware images and manifests may be stored on | - Communicator: The communicator component of the device interacts | |||
| untrusted fileservers or cloud storage infrastructure. Some | with the firmware update server. It receives firmware images and | |||
| deployments may require storage of the firmware images/manifests | triggers an update, if needed. The communicator either polls a | |||
| to be stored on various entities before they reach the device. | firmware update server for the most recent manifest/firmware or | |||
| manifests/firmware images are pushed to it. Note that the | ||||
| firmware update process may involve multiple stages since one or | ||||
| multiple manifests may need to be downloaded before the | ||||
| communicator can fetch one or multiple firmware images/software | ||||
| components. | ||||
| - Status Tracker: The status tracker offers device management | ||||
| functionality that includes keep track of the firmware update | ||||
| process. This includes fine-grained monitoring of changes at the | ||||
| device, for example, what state of the firmware update cycle the | ||||
| device is currently in. | ||||
| - Firmware Server: Entity that stores firmware images and manifests. | ||||
| Some deployments may require storage of the firmware images/ | ||||
| manifests on more than one entities before they reach the device. | ||||
| - Device Operator: The actor responsible for the day-to-day | ||||
| operation of a fleet of IoT devices. | ||||
| - Network Operator: The actor responsible for the operation of a | ||||
| network to which IoT devices connect. | ||||
| In addition to the entities in the list above there is an orthogonal | ||||
| infrastructure with a Trust Provisioning Authority (TPA) distributing | ||||
| trust anchors and authorization permissions to various entities in | ||||
| the system. The TPA may also delegate rights to install, update, | ||||
| enhance, or delete trust anchors and authorization permissions to | ||||
| other parties in the system. This infrastructure overlaps the | ||||
| communication architecture and different deployments may empower | ||||
| certain entities while other deployments may not. For example, in | ||||
| some cases, the Original Design Manufacturer (ODM), which is a | ||||
| company that designs and manufactures a product, may act as a TPA and | ||||
| may decide to remain in full control over the firmware update process | ||||
| of their products. | ||||
| The terms 'trust anchor' and 'trust anchor store' are defined in | ||||
| [RFC6024]: | ||||
| - "A trust anchor represents an authoritative entity via a public | ||||
| key and associated data. The public key is used to verify digital | ||||
| signatures, and the associated data is used to constrain the types | ||||
| of information for which the trust anchor is authoritative." | ||||
| - "A trust anchor store is a set of one or more trust anchors stored | ||||
| in a device. A device may have more than one trust anchor store, | ||||
| each of which may be used by one or more applications." | ||||
| Furthermore, the following abbreviations are used in this document: | ||||
| - Microcontroller (MCU for microcontroller unit) is a small computer | ||||
| on a single integrated circuit, which is often used for mass | ||||
| volumne IoT devices. | ||||
| - System on Chip (SoC) is an integrated circuit that integrates all | ||||
| components of a computer, such as CPU, memory, input/output ports, | ||||
| secondary storage, etc. | ||||
| - Homogeneous Storage Architecture (HoSA): A device that stores all | ||||
| firmware components in the same way, for example in a file system | ||||
| or in flash memory. | ||||
| - Heterogeneous Storage Architecture (HeSA): A device that stores at | ||||
| least one firmware component differently from the rest, for | ||||
| example a device with an external, updatable radio, or a device | ||||
| with internal and external flash memory. | ||||
| 3. Requirements | 3. Requirements | |||
| The firmware update mechanism described in this specification was | The firmware update mechanism described in this specification was | |||
| designed with the following requirements in mind: | designed with the following requirements in mind: | |||
| - Agnostic to how firmware images are distributed | - Agnostic to how firmware images are distributed | |||
| - Friendly to broadcast delivery | - Friendly to broadcast delivery | |||
| skipping to change at page 5, line 4 ¶ | skipping to change at page 6, line 30 ¶ | |||
| - Friendly to broadcast delivery | - Friendly to broadcast delivery | |||
| - Use state-of-the-art security mechanisms | - Use state-of-the-art security mechanisms | |||
| - Rollback attacks must be prevented | - Rollback attacks must be prevented | |||
| - High reliability | - High reliability | |||
| - Operate with a small bootloader | - Operate with a small bootloader | |||
| - Small Parsers | - Small Parsers | |||
| - Minimal impact on existing firmware formats | - Minimal impact on existing firmware formats | |||
| - Robust permissions | - Robust permissions | |||
| - Diverse modes of operation | - Diverse modes of operation | |||
| 3.1. Agnostic to how firmware images are distributed | 3.1. Agnostic to how firmware images are distributed | |||
| Firmware images can be conveyed to devices in a variety of ways, | Firmware images can be conveyed to devices in a variety of ways, | |||
| including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and | including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and | |||
| use different protocols (e.g., CoAP, HTTP). The specified mechanism | use different protocols (e.g., CoAP, HTTP). The specified mechanism | |||
| needs to be agnostic to the distribution of the firmware images and | needs to be agnostic to the distribution of the firmware images and | |||
| manifests. | manifests. | |||
| 3.2. Friendly to broadcast delivery | 3.2. Friendly to broadcast delivery | |||
| This architecture does not specify any specific broadcast protocol | This architecture does not specify any specific broadcast protocol | |||
| however, given that broadcast may be desirable for some networks, | however, given that broadcast may be desirable for some networks, | |||
| updates must cause the least disruption possible both in metadata and | updates must cause the least disruption possible both in metadata and | |||
| payload transmission. | payload transmission. | |||
| skipping to change at page 7, line 25 ¶ | skipping to change at page 8, line 48 ¶ | |||
| required to validate at least one signature or MAC with minimal | required to validate at least one signature or MAC with minimal | |||
| exposure. | exposure. | |||
| 3.8. Minimal impact on existing firmware formats | 3.8. Minimal impact on existing firmware formats | |||
| The design of the firmware update mechanism must not require changes | The design of the firmware update mechanism must not require changes | |||
| to existing firmware formats. | to existing firmware formats. | |||
| 3.9. Robust permissions | 3.9. Robust permissions | |||
| A device may have many modules that require updating individually. | When a device obtains a monolithic firmware image from a single | |||
| It may also need to trust several actors in order to authorize an | author without any additional approval steps then the authorization | |||
| update. These actors might include the following (this is not a | flow is relatively simple. There are, however, other cases where | |||
| comprehensive list). | more complex policy decisions need to be made before updating a | |||
| device. | ||||
| * A firmware author | ||||
| * A device OEM | ||||
| * A device operator | ||||
| * A network operator | ||||
| * A device owner | ||||
| These actors exert their authority on the device by making claims (as | ||||
| in Section 4). | ||||
| For example, a firmware author may not have the authority to install | In this architecture the authorization policy is separated from the | |||
| firmware on a device in critical infrastructure without the | underlying communication architecture. This is accomplished by | |||
| authorization of a device operator. In this case, the device may be | separating the entities from their permissions. For example, an | |||
| programmed to reject firmware updates unless they are signed both by | author may not have the authority to install a firmware image on a | |||
| the firmware author and by the device operator. To facilitate | device in critical infrastructure without the authorization of a | |||
| complex use-cases such as this, updates require several claims. | device operator. In this case, the device may be programmed to | |||
| reject firmware updates unless they are signed both by the firmware | ||||
| author and by the device operator. | ||||
| Alternatively, a device may trust precisely one authority, which does | Alternatively, a device may trust precisely one entity, which does | |||
| all permission management and coordination. Effectively, the | all permission management and coordination. This entity allows the | |||
| authority allows the device to offload complex permissions | device to offload complex permissions calculations for the device. | |||
| calculations for the device. | ||||
| 3.10. Operating modes | 3.10. Operating modes | |||
| There are three broad classifications of update operating modes. | There are three broad classifications of update operating modes. | |||
| * Self initiated | - Client-initiated Update | |||
| * Third-party initiated | ||||
| * Hybrid | ||||
| Self initiated updates take the form of a proactive IoT device that | - Server-initiated Update | |||
| checks for updates. Third-party initiated updates are triggered by | ||||
| an actor other than the IoT device, be it a server, a peer, or a | ||||
| user. Hybrid updates are those that require agreement from both the | ||||
| target IoT device and another actor. | ||||
| Third-party initiated updates are important to consider because | - Hybrid Update | |||
| timing of updates may need to be tightly controlled in some high- | ||||
| reliability environments. | ||||
| An IoT device goes through several steps in the course of an update, | Client-initiated updates take the form of a communicator on a device | |||
| each of which can be self-initiated or third-party initiated, or | proactively checking for new firmware imagines provided by firmware | |||
| hybrid. An IoT device may go through the following steps, though | servers. | |||
| this is not a comprehensive list. | ||||
| * Notification | Server-initiated updates are important to consider because timing of | |||
| * Pre-authorisation | updates may need to be tightly controlled in some high- reliability | |||
| * Dependency resolution | environments. In this case the communicator, potentially in | |||
| * Download | coordination with the status tracker, determines what devices qualify | |||
| * Installation | for a firmware update. Once those devices have been selected the | |||
| firmware server distributes updates to those devices. | ||||
| The notification step consists informing an IoT device that an update | Note: This assumes that the firmware server is able to reach the | |||
| is available. This can be accomplished via polling (self-initiated), | device, which may require devices to keep reachability information at | |||
| push notifications (third-party initiated), or more complex | the communicator and / or at the firmware server up-to-date. This | |||
| mechanisms. | may also require keeping state at NATs and stateful packet filtering | |||
| firewalls alive. | ||||
| The pre-authorisation step involves verifying the update authority | Hybrid updates are those that require an interaction between the | |||
| and making a determination that the device is prepared to initiate | device and the firmware server / communicator. The communicator | |||
| the fetching and processing of updates. If the device has all | pushes notifications of availability of an update to the device, and | |||
| information that is necessary to make this determination, then the | the device then downloads the image from the firmware server when it | |||
| pre-authorisation may be self-initiated. However, the device can | wants. | |||
| wait for instruction to begin (third-party initiated). Hybrid | ||||
| approaches are possible as well. | An alternative approach is to consider the steps a device has to go | |||
| through in the course of an update: | ||||
| - Notification | ||||
| - Pre-authorisation | ||||
| - Dependency resolution | ||||
| - Download | ||||
| - Installation | ||||
| The notification step consists of the communicator informing the | ||||
| device that an update is available. This can be accomplished via | ||||
| polling (client-initiated), push notifications (server-initiated), or | ||||
| more complex mechanisms. | ||||
| The pre-authorisation step involves verifying whether the entity | ||||
| signing the manifest is indeed authorized to perform an update. The | ||||
| device must also determine whether it should fetching and processing | ||||
| of the firmware image (unless it has been attached already to the | ||||
| manifest itself). | ||||
| A dependency resolution phase is needed when more than one component | A dependency resolution phase is needed when more than one component | |||
| can be updated or when a differential update is used. The necessary | can be updated or when a differential update is used. The necessary | |||
| dependencies must be available prior to installation. | dependencies must be available prior to installation. | |||
| The download step is the process of acquiring a local copy of the | The download step is the process of acquiring a local copy of the | |||
| payload. When the download is self-initiated, this means that the | firmware image. When the download is client-initiated, this means | |||
| IoT device chooses when a download occurs and initiates the download | that the device chooses when a download occurs and initiates the | |||
| process. When a download is third-party initiated, this means that | download process. When a download is server-party initiated, this | |||
| either the remote service tells the IoT device when to download or | means that either the communicator / firmware server tells the device | |||
| that it initiates the transfer directly to the IoT device. For | when to download or that it initiates the transfer directly to the | |||
| example, a download from an HTTP server is initiated locally. A | device. For example, a download from an HTTP-based firmware server | |||
| transfer to a LwM2M Firmware Update resource [LwM2M] is initiated | is client-initiated. A transfer to a LwM2M Firmware Update resource | |||
| remotely. | [LwM2M] is server-initiated. | |||
| If the Device has downloaded a new firmware image and is ready to | ||||
| install it it may need to wait for a trigger from a Communicator to | ||||
| install the firmware update, may trigger the update automatically, or | ||||
| may go through a more complex decision making process to determine | ||||
| the appropriate timing for an update (such as delaying the update | ||||
| process to a later time when end users are less impacted by the | ||||
| update process). | ||||
| Installation is the act of processing the payload into a format that | Installation is the act of processing the payload into a format that | |||
| the IoT device can recognise. | the IoT device can recognise and the bootloader is responsible for | |||
| then booting from the newly installed firmware image. | ||||
| Each of these steps may require different permissions expressed in | Each of these steps may require different permissions. | |||
| claims and may be implemented in a variety of ways. | ||||
| 4. Claims | 4. Claims | |||
| When a simple set of permissions fails to encapsulate the rules | Claims in the manifest offer a way to convey instructions to a device | |||
| required for a device to make decisions about firmware, claims can be | that impact the firmware update process. To have any value the | |||
| used instead. Claims represent a form of policy. Several claims can | manifest containing those claims must be authenticated and integrity | |||
| be used together, when multiple actors should have the rights to set | protected. The credential used to must be directly or indirectly | |||
| policies. | related to the trust anchor installed at the device by the Trust | |||
| Provisioning Authority. | ||||
| Some example claims are: | ||||
| - Trust the actor identified by the referenced public key. | ||||
| - Trust the actor with access to the referenced shared secret (MAC). | ||||
| - Three actors are trusted identified by their public keys. | ||||
| Signatures from at least two of these actors are required to trust | ||||
| a manifest. | ||||
| - The actor identified by the referenced public key is authorized to | ||||
| create secondary policies | ||||
| The baseline claims for all manifests are described in [SUIT-IM]. In | The baseline claims for all manifests are described in | |||
| summary, they are: | [I-D.ietf-suit-information-model]. For example, there are: | |||
| - Do not install firmware with earlier metadata than the current | - Do not install firmware with earlier metadata than the current | |||
| metadata. | metadata. | |||
| - Only install firmware with a matching vendor, model, hardware | - Only install firmware with a matching vendor, model, hardware | |||
| revision, software version, etc. | revision, software version, etc. | |||
| - Only install firmware that is before its best-before timestamp. | - Only install firmware that is before its best-before timestamp. | |||
| - Only install firmware with metadata signed/authenticated by a | - Only allow a firmware installation if dependencies have been met. | |||
| trusted actor. | ||||
| - Only allow an actor to exercise rights on the device via a | ||||
| manifest if that actor has signed the manifest. | ||||
| - Only allow a firmware installation if all required rights have | - Choose the mechanism to install the firmware, based on the type of | |||
| been met through signatures/MACs (one or more) or manifest | firmware it is. | |||
| dependencies (one or more). | ||||
| - Use the instructions provided by the manifest to install the | 5. Communication Architecture | |||
| firmware. | ||||
| - Install any and all firmware images that are linked together with | Figure 1 shows the communication architecture where a firmware image | |||
| manifest dependencies. | is created by an author, and uploaded to a firmware server. The | |||
| firmware image/manifest is distributed to the device either in a push | ||||
| or pull manner using the communicator residing on the device. The | ||||
| device operator keeps track of the process using the status tracker. | ||||
| This allows the device operator to know and control what devices have | ||||
| received an update and which of them are still pending an update. | ||||
| - Choose the mechanism to install the firmware, based on the type of | Firmware + +----------+ Firmware + +-----------+ | |||
| firmware it is. | Manifest | |-+ Manifest | |-+ | |||
| +--------->| Firmware | |<---------------| | | | ||||
| | | Server | | | Author | | | ||||
| | | | | | | | | ||||
| | +----------+ | +-----------+ | | ||||
| | +----------+ +-----------+ | ||||
| | | ||||
| | | ||||
| | | ||||
| -+-- ------ | ||||
| ---- | ---- ---- ---- | ||||
| // | \\ // \\ | ||||
| / | \ / \ | ||||
| / | \ / \ | ||||
| / | \ / \ | ||||
| / | \ / \ | ||||
| | v | | | | ||||
| | +------------+ | | ||||
| | |Communicator| | | | | ||||
| | +--------+---+ | Device | +--------+ | | ||||
| | | | | Management| | | | | ||||
| | | Device |<----------------------------->| Status | | | ||||
| | | | | | | Tracker| | | ||||
| | +--------+ | || | | | | ||||
| | | || +--------+ | | ||||
| | | | | | ||||
| | | \ / | ||||
| \ / \ / | ||||
| \ / \ Device / | ||||
| \ Network / \ Operator / | ||||
| \ Operator / \\ // | ||||
| \\ // ---- ---- | ||||
| ---- ---- ------ | ||||
| ----- | ||||
| 5. Architecture | Figure 1: Architecture. | |||
| We start the architectural description with the security model. It | End-to-end security mechanisms are used to protect the firmware image | |||
| is based on end-to-end security. In Figure 1 a firmware image is | and the manifest although Figure 2 does not show the manifest itself | |||
| created by an author, sent to the device and subsequently installed. | since it may be distributed independently. | |||
| When the author is ready to distribute the firmware image it is | ||||
| conveyed using some communication channel to the device, which will | ||||
| typically involve the use of untrusted storage. Examples of | ||||
| untrusted storage are FTP servers, Web servers or USB sticks. End- | ||||
| to-end security mechanisms are used to protect the firmware image. | ||||
| Figure 1 does not show the manifest itself, which provides the meta- | ||||
| data about the firmware image and offers the security protection. It | ||||
| may bundled with the firmware image or travel as a standalone item. | ||||
| +-----------+ | +-----------+ | |||
| +--------+ | | +--------+ | +--------+ | | +--------+ | |||
| | | Firmware Image | Untrusted | Firmware Image | | | | | Firmware Image | Firmware | Firmware Image | | | |||
| | Device |<-----------------| Storage |<------------------| Author | | | Device |<-----------------| Server |<------------------| Author | | |||
| | | | | | | | | | | | | | | |||
| +--------+ +-----------+ +--------+ | +--------+ +-----------+ +--------+ | |||
| ^ * | ^ * | |||
| * * | * * | |||
| ************************************************************ | ************************************************************ | |||
| End-to-End Security | End-to-End Security | |||
| Figure 1: End-to-End Security. | Figure 2: End-to-End Security. | |||
| Whether the firmware image and the manifest is pushed to the device | Whether the firmware image and the manifest is pushed to the device | |||
| or fetched by the device is outside the scope of this work and | or fetched by the device is a deployment specific decision. | |||
| existing device management protocols can be used for efficiently | ||||
| distributing this information. | ||||
| The following assumptions are made to allow the device to verify the | The following assumptions are made to allow the device to verify the | |||
| received firmware image and manifest before updating software: | received firmware image and manifest before updating software: | |||
| - To accept an update, a device needs to decide whether the author | - To accept an update, a device needs to verify the signature | |||
| signing the firmware image and the manifest is authorized to make | covering the manifest. There may be one or multiple manifests | |||
| the updates. We use public key cryptography to accomplish this. | that need to be validated, potentially signed by different | |||
| The device verifies the signature covering the manifest using a | parties. The device needs to be in possession of the trust | |||
| digital signature algorithm OR the device verifies the MAC | anchors to verify those signatures. Installing trust anchors to | |||
| covering the manifest using a MAC algorithm. The device is | devices via the Trust Provisioning Authority happens in an out-of- | |||
| provisioned with a trust anchor that is used to validate the | band fashion prior to the firmware update process. | |||
| digital signature or MAC produced by the author. This trust | ||||
| anchor is potentially different from the trust anchor used to | - Not all entities creating and signing manifests have the same | |||
| validate the digital signature produced for other protocols (such | permissions. A device needs to determine whether the requested | |||
| as device management protocols). This trust anchor may be | action is indeed covered by the permission of the party that | |||
| provisioned to the device during manufacturing or during | signed the manifest. Informing the device about the permissions | |||
| commissioning. | of the different parties also happens in an out-of-band fashion | |||
| and is also a duty of the Trust Provisioning Authority. | ||||
| - For confidentiality protection of firmware images the author needs | - For confidentiality protection of firmware images the author needs | |||
| to be in possession of the certificate/public key or a pre-shared | to be in possession of the certificate/public key or a pre-shared | |||
| key of a device. | key of a device. The use of confidentiality protection of | |||
| firmware images is deployment specific. | ||||
| There are different types of delivery modes, which are illustrated | There are different types of delivery modes, which are illustrated | |||
| based on examples below. | based on examples below. | |||
| There is an option for embedding a firmware image into a manifest. | There is an option for embedding a firmware image into a manifest. | |||
| This is a useful approach for deployments where devices are not | This is a useful approach for deployments where devices are not | |||
| connected to the Internet and cannot contact a dedicated server for | connected to the Internet and cannot contact a dedicated server for | |||
| download of the firmware. It is also applicable when the firmware | download of the firmware. It is also applicable when the firmware | |||
| update happens via a USB stick or via Bluetooth Smart. Figure 2 | update happens via a USB stick or via Bluetooth Smart. Figure 3 | |||
| shows this delivery mode graphically. | shows this delivery mode graphically. | |||
| /------------\ /------------\ | /------------\ /------------\ | |||
| /Manifest with \ /Manifest with \ | /Manifest with \ /Manifest with \ | |||
| |attached | |attached | | |attached | |attached | | |||
| \firmware image/ \firmware image/ | \firmware image/ \firmware image/ | |||
| \------------/ +-----------+ \------------/ | \------------/ +-----------+ \------------/ | |||
| +--------+ | | +--------+ | +--------+ | | +--------+ | |||
| | |<.................| Untrusted |<................| | | | |<.................| Firmware |<................| | | |||
| | Device | | Storage | | Author | | | Device | | Server | | Author | | |||
| | | | | | | | | | | | | | | |||
| +--------+ +-----------+ +--------+ | +--------+ +-----------+ +--------+ | |||
| Figure 2: Manifest with attached firmware. | Figure 3: Manifest with attached firmware. | |||
| Figure 3 shows an option for remotely updating a device where the | Figure 4 shows an option for remotely updating a device where the | |||
| device fetches the firmware image from some file server. The | device fetches the firmware image from some file server. The | |||
| manifest itself is delivered independently and provides information | manifest itself is delivered independently and provides information | |||
| about the firmware image(s) to download. | about the firmware image(s) to download. | |||
| /------------\ | /------------\ | |||
| / \ | / \ | |||
| | Manifest | | | Manifest | | |||
| \ / | \ / | |||
| +--------+ \------------/ +--------+ | +--------+ \------------/ +--------+ | |||
| | |<..............................................>| | | | |<..............................................>| | | |||
| | Device | -- | Author | | | Device | -- | Author | | |||
| | |<- --- | | | | |<- --- | | | |||
| +--------+ -- --- +--------+ | +--------+ -- --- +--------+ | |||
| -- --- | -- --- | |||
| --- --- | --- --- | |||
| -- +-----------+ -- | -- +-----------+ -- | |||
| -- | | -- | -- | | -- | |||
| /------------\ -- | Untrusted |<- /------------\ | /------------\ -- | Firmware |<- /------------\ | |||
| / \ -- | Storage | / \ | / \ -- | Server | / \ | |||
| | Firmware | | | | Firmware | | | Firmware | | | | Firmware | | |||
| \ / +-----------+ \ / | \ / +-----------+ \ / | |||
| \------------/ \------------/ | \------------/ \------------/ | |||
| Figure 3: Independent retrieval of the firmware image. | Figure 4: Independent retrieval of the firmware image. | |||
| This architecture does not mandate a specific delivery mode but a | This architecture does not mandate a specific delivery mode but a | |||
| solution must support both types. | solution must support both types. | |||
| 6. Manifest | 6. Manifest | |||
| In order for a device to apply an update, it has to make several | In order for a device to apply an update, it has to make several | |||
| decisions about the update: | decisions about the update: | |||
| - Does it trust the author of the update? | - Does it trust the author of the update? | |||
| skipping to change at page 13, line 4 ¶ | skipping to change at page 15, line 19 ¶ | |||
| - When should the device apply the update? | - When should the device apply the update? | |||
| - How should the device apply the update? | - How should the device apply the update? | |||
| - What kind of firmware binary is it? | - What kind of firmware binary is it? | |||
| - Where should the update be obtained? | - Where should the update be obtained? | |||
| - Where should the firmware be stored? | - Where should the firmware be stored? | |||
| The manifest encodes the information that devices need in order to | The manifest encodes the information that devices need in order to | |||
| make these decisions. It is a data structure that contains the | make these decisions. It is a data structure that contains the | |||
| following information: | following information: | |||
| - information about the device(s) the firmware image is intended to | - information about the device(s) the firmware image is intended to | |||
| be applied to, | be applied to, | |||
| - information about when the firmware update has to be applied, | - information about when the firmware update has to be applied, | |||
| - information about when the manifest was created, | - information about when the manifest was created, | |||
| - dependencies on other manifests, | - dependencies on other manifests, | |||
| - pointers to the firmware image and information about the format, | - pointers to the firmware image and information about the format, | |||
| - information about where to store the firmware image, | - information about where to store the firmware image, | |||
| - cryptographic information, such as digital signatures or message | - cryptographic information, such as digital signatures or message | |||
| authentication codes (MACs). | authentication codes (MACs). | |||
| The manifest information model is described in [SUIT-IM]. | The manifest information model is described in | |||
| [I-D.ietf-suit-information-model]. | ||||
| 7. Example Flow | 7. Device Firmware Update Examples | |||
| Although these documents attempt to define a firmware update | ||||
| architecture that is applicable to both existing systems, as well as | ||||
| yet-to-be-conceived systems; it is still helpful to consider existing | ||||
| architectures. | ||||
| 7.1. Single CPU SoC | ||||
| The simplest, and currently most common, architecture consists of a | ||||
| single MCU along with its own peripherals. These SoCs generally | ||||
| contain some amount of flash memory for code and fixed data, as well | ||||
| as RAM for working storage. These systems either have a single | ||||
| firmware image, or an immutable bootloader that runs a single image. | ||||
| A notable characteristic of these SoCs is that the primary code is | ||||
| generally execute in place (XIP). Combined with the non-relocatable | ||||
| nature of the code, firmware updates need to be done in place. | ||||
| 7.2. Single CPU with Secure - Normal Mode Partitioning | ||||
| Another configuration consists of a similar architecture to the | ||||
| previous, with a single CPU. However, this CPU supports a security | ||||
| partitioning scheme that allows memory (in addition to other things) | ||||
| to be divided into secure and normal mode. There will generally be | ||||
| two images, one for secure mode, and one for normal mode. In this | ||||
| configuration, firmware upgrades will generally be done by the CPU in | ||||
| secure mode, which is able to write to both areas of the flash | ||||
| device. In addition, there are requirements to be able to update | ||||
| either image independently, as well as to update them together | ||||
| atomically, as specified in the associated manifests. | ||||
| 7.3. Dual CPU, shared memory | ||||
| This configuration has two or more CPUs in a single SoC that share | ||||
| memory (flash and RAM). Generally, they will be a protection | ||||
| mechanism to prevent one CPU from accessing the other's memory. | ||||
| Upgrades in this case will typically be done by one of the CPUs, and | ||||
| is similar to the single CPU with secure mode. | ||||
| 7.4. Dual CPU, other bus | ||||
| This configuration has two or more CPUs, each having their own | ||||
| memory. There will be a communication channel between them, but it | ||||
| will be used as a peripheral, not via shared memory. In this case, | ||||
| each CPU will have to be responsible for its own firmware upgrade. | ||||
| It is likely that one of the CPUs will be considered a master, and | ||||
| will direct the other CPU to do the upgrade. This configuration is | ||||
| commonly used to offload specific work to other CPUs. Firmware | ||||
| dependencies are similar to the other solutions above, sometimes | ||||
| allowing only one image to be upgraded, other times requiring several | ||||
| to be upgraded atomically. Because the updates are happening on | ||||
| multiple CPUs, upgrading the two images atomically is challenging. | ||||
| 8. Example Flow | ||||
| The following example message flow illustrates the interaction for | The following example message flow illustrates the interaction for | |||
| distributing a firmware image to a device starting with an author | distributing a firmware image to a device starting with an author | |||
| uploading the new firmware to untrusted storage and creating a | uploading the new firmware to Firmware Server and creating a | |||
| manifest. The firmware and manifest are stored on the same untrusted | manifest. The firmware and manifest are stored on the same Firmware | |||
| storage. | Server. | |||
| +--------+ +-----------------+ +------+ | +--------+ +-----------------+ +------------+ +----------+ | |||
| | Author | |Untrusted Storage| |Device| | | Author | | Firmware Server | |Communicator| |Bootloader| | |||
| +--------+ +-----------------+ +------+ | +--------+ +-----------------+ +------------+ +----------+ | |||
| | | | | | | | + | |||
| | Create Firmware | | | | Create Firmware | | | | |||
| |--------------- | | | |--------------- | | | | |||
| | | | | | | | | | | | |||
| |<-------------- | | | |<-------------- | | | | |||
| | | | | | | | | | |||
| | Upload Firmware | | | | Upload Firmware | | | | |||
| |------------------>| | | |------------------>| | | | |||
| | | | | | | | | | |||
| | Create Manifest | | | | Create Manifest | | | | |||
| |---------------- | | | |---------------- | | | | |||
| | | | | | | | | | | | |||
| |<--------------- | | | |<--------------- | | | | |||
| | | | | | | | | | |||
| | Sign Manifest | | | | Sign Manifest | | | | |||
| |-------------- | | | |-------------- | | | | |||
| | | | | | | | | | | | |||
| |<------------- | | | |<------------- | | | | |||
| | | | | | | | | | |||
| | Upload Manifest | | | | Upload Manifest | | | | |||
| |------------------>| | | |------------------>| | | | |||
| | | | | | | | | | |||
| | | Query Manifest | | | | Query Manifest | | | |||
| | |<--------------------| | | |<--------------------| | | |||
| | | | | | | | | | |||
| | | Send Manifest | | | | Send Manifest | | | |||
| | |-------------------->| | | |-------------------->| | | |||
| | | | | | | | Validate | | |||
| | | | Validate Manifest | | | | Manifest | | |||
| | | |------------------ | | | |---------+ | | |||
| | | | | | | | | | | | |||
| | | |<----------------- | | | |<--------+ | | |||
| | | | | | | | | | |||
| | | Request Firmware | | | | Request Firmware | | | |||
| | |<--------------------| | | |<--------------------| | | |||
| | | | | | | | | | |||
| | | Send Firmware | | | | Send Firmware | | | |||
| | |-------------------->| | | |-------------------->| | | |||
| | | | | | | | Verify | | |||
| | | | Verify Firmware | | | | Firmware | | |||
| | | |--------------- | | | |--------------- | | |||
| | | | | | | | | | | | |||
| | | |<-------------- | | | |<-------------- | | |||
| | | | | | | | | | |||
| | | | Store Firmware | | | | Store | | |||
| | | |-------------- | | | | Firmware | | |||
| | | | | | | | |-------------- | | |||
| | | |<------------- | | | | | | | |||
| | | | | | | |<------------- | | |||
| | | | Reboot | | | | | | |||
| | | |------- | | | | | | |||
| | | | | | | | | Reboot | | |||
| | | |<------ | | | |--------------->| | |||
| | | | | | | | | | |||
| | | | Bootloader validates | | | | Validate | | |||
| | | | Firmware | | | | Firmware | | |||
| | | |---------------------- | | | | ---------------| | |||
| | | | | | | | | | | | |||
| | | |<--------------------- | | | | -------------->| | |||
| | | | | | | | | | |||
| | | | Bootloader activates | | | | Activate new | | |||
| | | | Firmware | | | | Firmware | | |||
| | | |---------------------- | | | | ---------------| | |||
| | | | | | | | | | | | |||
| | | |<--------------------- | | | | -------------->| | |||
| | | | | | | | | | |||
| | | | Bootloader transfers | | | | Boot new | | |||
| | | | control to new Firmware | | | | Firmware | | |||
| | | |---------------------- | | | | ---------------| | |||
| | | | | | | | | | | | |||
| | | |<--------------------- | | | | -------------->| | |||
| | | | | | | | | | |||
| Figure 4: Example Flow for a Firmware Upate. | Figure 5: Example Flow for a Firmware Upate. | |||
| 8. IANA Considerations | 9. IANA Considerations | |||
| This document does not require any actions by IANA. | This document does not require any actions by IANA. | |||
| 9. Security Considerations | 10. Security Considerations | |||
| Firmware updates fix security vulnerabilities and are considered to | Firmware updates fix security vulnerabilities and are considered to | |||
| be an important building block in securing IoT devices. Due to the | be an important building block in securing IoT devices. Due to the | |||
| importance of firmware updates for IoT devices the Internet | importance of firmware updates for IoT devices the Internet | |||
| Architecture Board (IAB) organized a 'Workshop on Internet of Things | Architecture Board (IAB) organized a 'Workshop on Internet of Things | |||
| (IoT) Software Update (IOTSU)', which took place at Trinity College | (IoT) Software Update (IOTSU)', which took place at Trinity College | |||
| Dublin, Ireland on the 13th and 14th of June, 2016 to take a look at | Dublin, Ireland on the 13th and 14th of June, 2016 to take a look at | |||
| the big picture. A report about this workshop can be found at | the big picture. A report about this workshop can be found at | |||
| [RFC8240]. A standardized firmware manifest format providing end-to- | [RFC8240]. A standardized firmware manifest format providing end-to- | |||
| end security from the author to the device will be specified in a | end security from the author to the device will be specified in a | |||
| skipping to change at page 16, line 13 ¶ | skipping to change at page 19, line 38 ¶ | |||
| involvement. | involvement. | |||
| - energy efficiency and battery lifetime considerations. | - energy efficiency and battery lifetime considerations. | |||
| - key management required for verifying the digital signature | - key management required for verifying the digital signature | |||
| protecting the manifest. | protecting the manifest. | |||
| - incentives for manufacturers to offer a firmware update mechanism | - incentives for manufacturers to offer a firmware update mechanism | |||
| as part of their IoT products. | as part of their IoT products. | |||
| 10. Mailing List Information | 11. Mailing List Information | |||
| The discussion list for this document is located at the e-mail | The discussion list for this document is located at the e-mail | |||
| address suit@ietf.org [1]. Information on the group and information | address suit@ietf.org [1]. Information on the group and information | |||
| on how to subscribe to the list is at | on how to subscribe to the list is at | |||
| https://www1.ietf.org/mailman/listinfo/suit | https://www1.ietf.org/mailman/listinfo/suit | |||
| Archives of the list can be found at: https://www.ietf.org/mail- | Archives of the list can be found at: https://www.ietf.org/mail- | |||
| archive/web/suit/current/index.html | archive/web/suit/current/index.html | |||
| 11. Acknowledgements | 12. Acknowledgements | |||
| We would like to thank the following persons for their feedback: | We would like to thank the following persons for their feedback: | |||
| - Geraint Luff | - Geraint Luff | |||
| - Amyas Phillips | - Amyas Phillips | |||
| - Dan Ros | - Dan Ros | |||
| - Thomas Eichinger | - Thomas Eichinger | |||
| - Michael Richardson | - Michael Richardson | |||
| - Emmanuel Baccelli | - Emmanuel Baccelli | |||
| - Ned Smith | - Ned Smith | |||
| - David Brown | ||||
| - Jim Schaad | - Jim Schaad | |||
| - Carsten Bormann | - Carsten Bormann | |||
| - Cullen Jennings | - Cullen Jennings | |||
| - Olaf Bergmann | - Olaf Bergmann | |||
| - Suhas Nandakumar | - Suhas Nandakumar | |||
| - Phillip Hallam-Baker | - Phillip Hallam-Baker | |||
| - Marti Bolivar | - Marti Bolivar | |||
| - Andrzej Puzdrowski | - Andrzej Puzdrowski | |||
| - Markus Gueller | - Markus Gueller | |||
| - Henk Birkholz | - Henk Birkholz | |||
| - Jintao Zhu | - Jintao Zhu | |||
| We would also like to thank the WG chairs, Russ Housley, David | We would also like to thank the WG chairs, Russ Housley, David | |||
| Waltermire, Dave Thaler for their support and their reviews. | Waltermire, Dave Thaler for their support and their reviews. | |||
| Kathleen Moriarty was the responsible security area director when | Kathleen Moriarty was the responsible security area director when | |||
| this work was started. | this work was started. | |||
| 12. References | 13. References | |||
| 12.1. Normative References | 13.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer | [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer | |||
| Security (TLS) / Datagram Transport Layer Security (DTLS) | Security (TLS) / Datagram Transport Layer Security (DTLS) | |||
| Profiles for the Internet of Things", RFC 7925, | Profiles for the Internet of Things", RFC 7925, | |||
| DOI 10.17487/RFC7925, July 2016, <https://www.rfc- | DOI 10.17487/RFC7925, July 2016, <https://www.rfc- | |||
| editor.org/info/rfc7925>. | editor.org/info/rfc7925>. | |||
| 12.2. Informative References | 13.2. Informative References | |||
| [I-D.ietf-suit-information-model] | ||||
| Moran, B., Tschofenig, H., Birkholz, H., and J. Jimenez, | ||||
| "Firmware Updates for Internet of Things Devices - An | ||||
| Information Model for Manifests", draft-ietf-suit- | ||||
| information-model-00 (work in progress), June 2018. | ||||
| [LwM2M] OMA, ., "Lightweight Machine to Machine Technical | [LwM2M] OMA, ., "Lightweight Machine to Machine Technical | |||
| Specification, Version 1.0.2", February 2018, | Specification, Version 1.0.2", February 2018, | |||
| <http://www.openmobilealliance.org/release/LightweightM2M/ | <http://www.openmobilealliance.org/release/LightweightM2M/ | |||
| V1_0_2-20180209-A/ | V1_0_2-20180209-A/ | |||
| OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>. | OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>. | |||
| [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard | [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard | |||
| (AES) Key Wrap with Padding Algorithm", RFC 5649, | (AES) Key Wrap with Padding Algorithm", RFC 5649, | |||
| DOI 10.17487/RFC5649, September 2009, <https://www.rfc- | DOI 10.17487/RFC5649, September 2009, <https://www.rfc- | |||
| editor.org/info/rfc5649>. | editor.org/info/rfc5649>. | |||
| [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management | ||||
| Requirements", RFC 6024, DOI 10.17487/RFC6024, October | ||||
| 2010, <https://www.rfc-editor.org/info/rfc6024>. | ||||
| [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet | [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet | |||
| of Things Software Update (IoTSU) Workshop 2016", | of Things Software Update (IoTSU) Workshop 2016", | |||
| RFC 8240, DOI 10.17487/RFC8240, September 2017, | RFC 8240, DOI 10.17487/RFC8240, September 2017, | |||
| <https://www.rfc-editor.org/info/rfc8240>. | <https://www.rfc-editor.org/info/rfc8240>. | |||
| [SUIT-IM] Moran, B., Tschofenig, H., Birkholz, H., and J. Jimenez, | 13.3. URIs | |||
| "Firmware Updates for Internet of Things Devices - An | ||||
| Information Model for Manifests", June 2018. | ||||
| 12.3. URIs | ||||
| [1] mailto:suit@ietf.org | [1] mailto:suit@ietf.org | |||
| Authors' Addresses | Authors' Addresses | |||
| Brendan Moran | Brendan Moran | |||
| Arm Limited | Arm Limited | |||
| EMail: Brendan.Moran@arm.com | EMail: Brendan.Moran@arm.com | |||
| Milosch Meriac | Milosch Meriac | |||
| Consultant | Consultant | |||
| EMail: milosch@meriac.com | EMail: milosch@meriac.com | |||
| Hannes Tschofenig | Hannes Tschofenig | |||
| Arm Limited | Arm Limited | |||
| EMail: hannes.tschofenig@gmx.net | EMail: hannes.tschofenig@gmx.net | |||
| David Brown | ||||
| Linaro | ||||
| EMail: david.brown@linaro.org | ||||
| End of changes. 62 change blocks. | ||||
| 272 lines changed or deleted | 437 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||