| < draft-ietf-suit-architecture-01.txt | draft-ietf-suit-architecture-02.txt > | |||
|---|---|---|---|---|
| SUIT B. Moran | SUIT B. Moran | |||
| Internet-Draft Arm Limited | Internet-Draft Arm Limited | |||
| Intended status: Informational M. Meriac | Intended status: Informational M. Meriac | |||
| Expires: January 3, 2019 Consultant | Expires: July 20, 2019 Consultant | |||
| H. Tschofenig | H. Tschofenig | |||
| Arm Limited | Arm Limited | |||
| D. Brown | D. Brown | |||
| Linaro | Linaro | |||
| July 02, 2018 | January 16, 2019 | |||
| A Firmware Update Architecture for Internet of Things Devices | A Firmware Update Architecture for Internet of Things Devices | |||
| draft-ietf-suit-architecture-01 | draft-ietf-suit-architecture-02 | |||
| Abstract | Abstract | |||
| Vulnerabilities with Internet of Things (IoT) devices have raised the | Vulnerabilities with Internet of Things (IoT) devices have raised the | |||
| need for a solid and secure firmware update mechanism that is also | need for a solid and secure firmware update mechanism that is also | |||
| suitable for constrained devices. Incorporating such update | suitable for constrained devices. Incorporating such update | |||
| mechanism to fix vulnerabilities, to update configuration settings as | mechanism to fix vulnerabilities, to update configuration settings as | |||
| well as adding new functionality is recommended by security experts. | well as adding new functionality is recommended by security experts. | |||
| This document lists requirements and describes an architecture for a | This document lists requirements and describes an architecture for a | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| symmetric key approach for very constrained devices. | symmetric key approach for very constrained devices. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 3, 2019. | This Internet-Draft will expire on July 20, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF | |||
| Contributions published or made publicly available before November | Contributions published or made publicly available before November | |||
| 10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this | |||
| skipping to change at page 2, line 38 ¶ | skipping to change at page 2, line 38 ¶ | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 | |||
| 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Agnostic to how firmware images are distributed . . . . . 6 | 3.1. Agnostic to how firmware images are distributed . . . . . 6 | |||
| 3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 6 | 3.2. Friendly to broadcast delivery . . . . . . . . . . . . . 7 | |||
| 3.3. Use state-of-the-art security mechanisms . . . . . . . . 7 | 3.3. Use state-of-the-art security mechanisms . . . . . . . . 7 | |||
| 3.4. Rollback attacks must be prevented . . . . . . . . . . . 7 | 3.4. Rollback attacks must be prevented . . . . . . . . . . . 7 | |||
| 3.5. High reliability . . . . . . . . . . . . . . . . . . . . 7 | 3.5. High reliability . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.6. Operate with a small bootloader . . . . . . . . . . . . . 8 | 3.6. Operate with a small bootloader . . . . . . . . . . . . . 8 | |||
| 3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 8 | 3.7. Small Parsers . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.8. Minimal impact on existing firmware formats . . . . . . . 8 | 3.8. Minimal impact on existing firmware formats . . . . . . . 9 | |||
| 3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 8 | 3.9. Robust permissions . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 9 | 3.10. Operating modes . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5. Communication Architecture . . . . . . . . . . . . . . . . . 11 | 5. Communication Architecture . . . . . . . . . . . . . . . . . 11 | |||
| 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 6. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Device Firmware Update Examples . . . . . . . . . . . . . . . 15 | 7. Device Firmware Update Examples . . . . . . . . . . . . . . . 16 | |||
| 7.1. Single CPU SoC . . . . . . . . . . . . . . . . . . . . . 16 | 7.1. Single CPU SoC . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7.2. Single CPU with Secure - Normal Mode Partitioning . . . . 16 | 7.2. Single CPU with Secure - Normal Mode Partitioning . . . . 16 | |||
| 7.3. Dual CPU, shared memory . . . . . . . . . . . . . . . . . 16 | 7.3. Dual CPU, shared memory . . . . . . . . . . . . . . . . . 16 | |||
| 7.4. Dual CPU, other bus . . . . . . . . . . . . . . . . . . . 16 | 7.4. Dual CPU, other bus . . . . . . . . . . . . . . . . . . . 16 | |||
| 8. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 17 | 8. Example Flow . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 11. Mailing List Information . . . . . . . . . . . . . . . . . . 19 | 11. Mailing List Information . . . . . . . . . . . . . . . . . . 19 | |||
| 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 21 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 21 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| When developing IoT devices, one of the most difficult problems to | When developing IoT devices, one of the most difficult problems to | |||
| solve is how to update the firmware on the device. Once the device | solve is how to update the firmware on the device. Once the device | |||
| is deployed, firmware updates play a critical part in its lifetime, | is deployed, firmware updates play a critical part in its lifetime, | |||
| particularly when devices have a long lifetime, are deployed in | particularly when devices have a long lifetime, are deployed in | |||
| remote or inaccessible areas or where manual intervention is cost | remote or inaccessible areas where manual intervention is cost | |||
| prohibitive or otherwise difficult. The need for a firmware update | prohibitive or otherwise difficult. Updates to the firmware of an | |||
| may be to fix bugs in software, to add new functionality, or to re- | IoT device are done to fix bugs in software, to add new | |||
| configure the device. | functionality, and to re-configure the device to work in new | |||
| environments or to behave differently in an already deployed context. | ||||
| The firmware update process, among other goals, has to ensure that | The firmware update process, among other goals, has to ensure that | |||
| - The firmware image is authenticated and attempts to flash a | - The firmware image is authenticated and integrity protected. | |||
| malicious firmware image are prevented. | Attempts to flash a modified firmware image or an image from an | |||
| unknown source are prevented. | ||||
| - The firmware image can be confidentiality protected so that | - The firmware image can be confidentiality protected so that | |||
| attempts by an adversary to recover the plaintext binary can be | attempts by an adversary to recover the plaintext binary can be | |||
| prevented. Obtaining the plaintext binary is often one of the | prevented. Obtaining the firmware is often one of the first steps | |||
| first steps for an attack to mount an attack. | to mount an attack since it gives the adversary valuable insights | |||
| into used software libraries, configuration settings and generic | ||||
| functionality (even though reverse engineering the binary can be a | ||||
| tedious process). | ||||
| More details about the security goals are discussed in Section 5 and | ||||
| requirements are described in Section 3. | ||||
| 2. Conventions and Terminology | 2. Conventions and Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in RFC | "OPTIONAL" in this document are to be interpreted as described in RFC | |||
| 2119 [RFC2119]. | 2119 [RFC2119]. | |||
| This document uses the following terms: | This document uses the following terms: | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 33 ¶ | |||
| bootloader is a security critical component its functionality may | bootloader is a security critical component its functionality may | |||
| be split into separate stages. Such a multi-stage bootloader may | be split into separate stages. Such a multi-stage bootloader may | |||
| offer very basic functionality in the first stage and resides in | offer very basic functionality in the first stage and resides in | |||
| ROM whereas the second stage may implement more complex | ROM whereas the second stage may implement more complex | |||
| functionality and resides in flash memory so that it can be | functionality and resides in flash memory so that it can be | |||
| updated in the future (in case bugs have been found). The exact | updated in the future (in case bugs have been found). The exact | |||
| split of components into the different stages, the number of | split of components into the different stages, the number of | |||
| firmware images stored by an IoT device, and the detailed | firmware images stored by an IoT device, and the detailed | |||
| functionality varies throughout different implementations. | functionality varies throughout different implementations. | |||
| - Microcontroller (MCU for microcontroller unit): An MCU is a | ||||
| compact integrated circuit designed for use in embedded systems. | ||||
| A typical microcontroller includes a processor, memory (RAM and | ||||
| flash), input/output (I/O) ports and other features connected via | ||||
| some bus on a single chip. The term 'system on chip (SoC)' is | ||||
| often used for these types of devices. | ||||
| - System on Chip (SoC): An SoC is an integrated circuit that | ||||
| integrates all components of a computer, such as CPU, memory, | ||||
| input/output ports, secondary storage, etc. | ||||
| - Homogeneous Storage Architecture (HoSA): A device that stores all | ||||
| firmware components in the same way, for example in a file system | ||||
| or in flash memory. | ||||
| - Heterogeneous Storage Architecture (HeSA): A device that stores at | ||||
| least one firmware component differently from the rest, for | ||||
| example a device with an external, updatable radio, or a device | ||||
| with internal and external flash memory. | ||||
| The following entities are used: | The following entities are used: | |||
| - Author: The author is the entity that creates the firmware image. | - Author: The author is the entity that creates the firmware image. | |||
| There may be multiple authors in a system either when a device | There may be multiple authors in a system either when a device | |||
| consists of multiple micro-controllers or when the the final | consists of multiple micro-controllers or when the the final | |||
| firmware image consists of software components from multiple | firmware image consists of software components from multiple | |||
| companies. | companies. | |||
| - Device: The device is the recipient of the firmware image and the | - Firmware Consumer: The firmware consumer is the recipient of the | |||
| manifest. The goal is to update the firmware of the device. A | firmware image and the manifest. | |||
| single device may need to obtain more than one firmware image and | ||||
| manifest to succesfully perform an update. | ||||
| - Communicator: The communicator component of the device interacts | - Device: A device refers to the entire IoT product, which consists | |||
| with the firmware update server. It receives firmware images and | of one or many MCUs, sensors and/or actuators. Many IoT devices | |||
| triggers an update, if needed. The communicator either polls a | sold today contain multiple MCUs and therefore a single device may | |||
| firmware update server for the most recent manifest/firmware or | need to obtain more than one firmware image and manifest to | |||
| manifests/firmware images are pushed to it. Note that the | succesfully perform an update. The terms device and firmware | |||
| firmware update process may involve multiple stages since one or | consumer are used interchangably since the firmware consumer is | |||
| multiple manifests may need to be downloaded before the | one software component running on an MCU on the device. | |||
| communicator can fetch one or multiple firmware images/software | ||||
| components. | ||||
| - Status Tracker: The status tracker offers device management | - Status Tracker: The status tracker offers device management | |||
| functionality that includes keep track of the firmware update | functionality that includes keep track of the firmware update | |||
| process. This includes fine-grained monitoring of changes at the | process. This includes fine-grained monitoring of changes at the | |||
| device, for example, what state of the firmware update cycle the | device, for example, what state of the firmware update cycle the | |||
| device is currently in. | device is currently in. | |||
| - Firmware Server: Entity that stores firmware images and manifests. | - Firmware Server: The firmware server stores firmware images and | |||
| Some deployments may require storage of the firmware images/ | manifests and distributes them to IoT devices. Some deployments | |||
| manifests on more than one entities before they reach the device. | may require a store-and-forward concept, which requires storing | |||
| the firmware images/manifests on more than one entity before | ||||
| they reach the device. | ||||
| - Device Operator: The actor responsible for the day-to-day | - Device Operator: The actor responsible for the day-to-day | |||
| operation of a fleet of IoT devices. | operation of a fleet of IoT devices. | |||
| - Network Operator: The actor responsible for the operation of a | - Network Operator: The actor responsible for the operation of a | |||
| network to which IoT devices connect. | network to which IoT devices connect. | |||
| In addition to the entities in the list above there is an orthogonal | In addition to the entities in the list above there is an orthogonal | |||
| infrastructure with a Trust Provisioning Authority (TPA) distributing | infrastructure with a Trust Provisioning Authority (TPA) distributing | |||
| trust anchors and authorization permissions to various entities in | trust anchors and authorization permissions to various entities in | |||
| skipping to change at page 5, line 42 ¶ | skipping to change at page 6, line 19 ¶ | |||
| - "A trust anchor represents an authoritative entity via a public | - "A trust anchor represents an authoritative entity via a public | |||
| key and associated data. The public key is used to verify digital | key and associated data. The public key is used to verify digital | |||
| signatures, and the associated data is used to constrain the types | signatures, and the associated data is used to constrain the types | |||
| of information for which the trust anchor is authoritative." | of information for which the trust anchor is authoritative." | |||
| - "A trust anchor store is a set of one or more trust anchors stored | - "A trust anchor store is a set of one or more trust anchors stored | |||
| in a device. A device may have more than one trust anchor store, | in a device. A device may have more than one trust anchor store, | |||
| each of which may be used by one or more applications." | each of which may be used by one or more applications." | |||
| Furthermore, the following abbreviations are used in this document: | ||||
| - Microcontroller (MCU for microcontroller unit) is a small computer | ||||
| on a single integrated circuit, which is often used for mass | ||||
| volumne IoT devices. | ||||
| - System on Chip (SoC) is an integrated circuit that integrates all | ||||
| components of a computer, such as CPU, memory, input/output ports, | ||||
| secondary storage, etc. | ||||
| - Homogeneous Storage Architecture (HoSA): A device that stores all | ||||
| firmware components in the same way, for example in a file system | ||||
| or in flash memory. | ||||
| - Heterogeneous Storage Architecture (HeSA): A device that stores at | ||||
| least one firmware component differently from the rest, for | ||||
| example a device with an external, updatable radio, or a device | ||||
| with internal and external flash memory. | ||||
| 3. Requirements | 3. Requirements | |||
| The firmware update mechanism described in this specification was | The firmware update mechanism described in this specification was | |||
| designed with the following requirements in mind: | designed with the following requirements in mind: | |||
| - Agnostic to how firmware images are distributed | - Agnostic to how firmware images are distributed | |||
| - Friendly to broadcast delivery | - Friendly to broadcast delivery | |||
| - Use state-of-the-art security mechanisms | - Use state-of-the-art security mechanisms | |||
| skipping to change at page 6, line 49 ¶ | skipping to change at page 7, line 7 ¶ | |||
| 3.1. Agnostic to how firmware images are distributed | 3.1. Agnostic to how firmware images are distributed | |||
| Firmware images can be conveyed to devices in a variety of ways, | Firmware images can be conveyed to devices in a variety of ways, | |||
| including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and | including USB, UART, WiFi, BLE, low-power WAN technologies, etc. and | |||
| use different protocols (e.g., CoAP, HTTP). The specified mechanism | use different protocols (e.g., CoAP, HTTP). The specified mechanism | |||
| needs to be agnostic to the distribution of the firmware images and | needs to be agnostic to the distribution of the firmware images and | |||
| manifests. | manifests. | |||
| 3.2. Friendly to broadcast delivery | 3.2. Friendly to broadcast delivery | |||
| This architecture does not specify any specific broadcast protocol | This architecture does not specify any specific broadcast protocol. | |||
| however, given that broadcast may be desirable for some networks, | However, given that broadcast may be desirable for some networks, | |||
| updates must cause the least disruption possible both in metadata and | updates must cause the least disruption possible both in metadata and | |||
| payload transmission. | payload transmission. | |||
| For an update to be broadcast friendly, it cannot rely on link layer, | For an update to be broadcast friendly, it cannot rely on link layer, | |||
| network layer, or transport layer security. In addition, the same | network layer, or transport layer security. In addition, the same | |||
| message must be deliverable to many devices, both those to which it | message must be deliverable to many devices, both those to which it | |||
| applies and those to which it does not, without a chance that the | applies and those to which it does not, without a chance that the | |||
| wrong device will accept the update. Considerations that apply to | wrong device will accept the update. Considerations that apply to | |||
| network broadcasts apply equally to the use of third-party content | network broadcasts apply equally to the use of third-party content | |||
| distribution networks for payload distribution. | distribution networks for payload distribution. | |||
| skipping to change at page 9, line 30 ¶ | skipping to change at page 9, line 41 ¶ | |||
| 3.10. Operating modes | 3.10. Operating modes | |||
| There are three broad classifications of update operating modes. | There are three broad classifications of update operating modes. | |||
| - Client-initiated Update | - Client-initiated Update | |||
| - Server-initiated Update | - Server-initiated Update | |||
| - Hybrid Update | - Hybrid Update | |||
| Client-initiated updates take the form of a communicator on a device | Client-initiated updates take the form of a firmware consumer on a | |||
| proactively checking for new firmware imagines provided by firmware | device proactively checking (polling) for new firmware images. | |||
| servers. | ||||
| Server-initiated updates are important to consider because timing of | Server-initiated updates are important to consider because timing of | |||
| updates may need to be tightly controlled in some high- reliability | updates may need to be tightly controlled in some high- reliability | |||
| environments. In this case the communicator, potentially in | environments. In this case the status tracker determines what | |||
| coordination with the status tracker, determines what devices qualify | devices qualify for a firmware update. Once those devices have been | |||
| for a firmware update. Once those devices have been selected the | selected the firmware server distributes updates to the firmware | |||
| firmware server distributes updates to those devices. | consumers. | |||
| Note: This assumes that the firmware server is able to reach the | Note: This assumes that the status tracker is able to reach the | |||
| device, which may require devices to keep reachability information at | device, which may require devices to keep reachability information at | |||
| the communicator and / or at the firmware server up-to-date. This | the status tracker up-to-date. This may also require keeping state | |||
| may also require keeping state at NATs and stateful packet filtering | at NATs and stateful packet filtering firewalls alive. | |||
| firewalls alive. | ||||
| Hybrid updates are those that require an interaction between the | Hybrid updates are those that require an interaction between the | |||
| device and the firmware server / communicator. The communicator | firmware consumer and the status tracker. The status tracker pushes | |||
| pushes notifications of availability of an update to the device, and | notifications of availability of an update to the firmware consumer, | |||
| the device then downloads the image from the firmware server when it | and it then downloads the image from a firmware server as soon as | |||
| wants. | possible. | |||
| An alternative approach is to consider the steps a device has to go | An alternative view to the operating modes is to consider the steps a | |||
| through in the course of an update: | device has to go through in the course of an update: | |||
| - Notification | - Notification | |||
| - Pre-authorisation | - Pre-authorisation | |||
| - Dependency resolution | - Dependency resolution | |||
| - Download | - Download | |||
| - Installation | - Installation | |||
| The notification step consists of the communicator informing the | The notification step consists of the status tracker informing the | |||
| device that an update is available. This can be accomplished via | firmware consumer that an update is available. This can be | |||
| polling (client-initiated), push notifications (server-initiated), or | accomplished via polling (client-initiated), push notifications | |||
| more complex mechanisms. | (server-initiated), or more complex mechanisms. | |||
| The pre-authorisation step involves verifying whether the entity | The pre-authorisation step involves verifying whether the entity | |||
| signing the manifest is indeed authorized to perform an update. The | signing the manifest is indeed authorized to perform an update. The | |||
| device must also determine whether it should fetching and processing | firmware consumer must also determine whether it should fetch and | |||
| of the firmware image (unless it has been attached already to the | process a firmware image, which is referenced in a manifest. | |||
| manifest itself). | ||||
| A dependency resolution phase is needed when more than one component | A dependency resolution phase is needed when more than one component | |||
| can be updated or when a differential update is used. The necessary | can be updated or when a differential update is used. The necessary | |||
| dependencies must be available prior to installation. | dependencies must be available prior to installation. | |||
| The download step is the process of acquiring a local copy of the | The download step is the process of acquiring a local copy of the | |||
| firmware image. When the download is client-initiated, this means | firmware image. When the download is client-initiated, this means | |||
| that the device chooses when a download occurs and initiates the | that the firmware consumer chooses when a download occurs and | |||
| download process. When a download is server-party initiated, this | initiates the download process. When a download is server-initiated, | |||
| means that either the communicator / firmware server tells the device | this means that the status tracker tells the device when to download | |||
| when to download or that it initiates the transfer directly to the | or that it initiates the transfer directly to the firmware consumer. | |||
| device. For example, a download from an HTTP-based firmware server | For example, a download from an HTTP-based firmware server is client- | |||
| is client-initiated. A transfer to a LwM2M Firmware Update resource | initiated. Pushing a manifest and firmware image to the transfer to | |||
| [LwM2M] is server-initiated. | the Package resource of the LwM2M Firmware Update object [LwM2M] is | |||
| server-initiated. | ||||
| If the Device has downloaded a new firmware image and is ready to | If the firmware consumer has downloaded a new firmware image and is | |||
| install it it may need to wait for a trigger from a Communicator to | ready to install it, it may need to wait for a trigger from the | |||
| install the firmware update, may trigger the update automatically, or | status tracker to initiate the installation, may trigger the update | |||
| may go through a more complex decision making process to determine | automatically, or may go through a more complex decision making | |||
| the appropriate timing for an update (such as delaying the update | process to determine the appropriate timing for an update (such as | |||
| process to a later time when end users are less impacted by the | delaying the update process to a later time when end users are less | |||
| update process). | impacted by the update process). | |||
| Installation is the act of processing the payload into a format that | Installation is the act of processing the payload into a format that | |||
| the IoT device can recognise and the bootloader is responsible for | the IoT device can recognise and the bootloader is responsible for | |||
| then booting from the newly installed firmware image. | then booting from the newly installed firmware image. | |||
| Each of these steps may require different permissions. | Each of these steps may require different permissions. | |||
| 4. Claims | 4. Claims | |||
| Claims in the manifest offer a way to convey instructions to a device | Claims in the manifest offer a way to convey instructions to a device | |||
| skipping to change at page 11, line 41 ¶ | skipping to change at page 11, line 49 ¶ | |||
| - Only allow a firmware installation if dependencies have been met. | - Only allow a firmware installation if dependencies have been met. | |||
| - Choose the mechanism to install the firmware, based on the type of | - Choose the mechanism to install the firmware, based on the type of | |||
| firmware it is. | firmware it is. | |||
| 5. Communication Architecture | 5. Communication Architecture | |||
| Figure 1 shows the communication architecture where a firmware image | Figure 1 shows the communication architecture where a firmware image | |||
| is created by an author, and uploaded to a firmware server. The | is created by an author, and uploaded to a firmware server. The | |||
| firmware image/manifest is distributed to the device either in a push | firmware image/manifest is distributed to the device either in a push | |||
| or pull manner using the communicator residing on the device. The | or pull manner using the firmware consumer residing on the device. | |||
| device operator keeps track of the process using the status tracker. | The device operator keeps track of the process using the status | |||
| This allows the device operator to know and control what devices have | tracker. This allows the device operator to know and control what | |||
| received an update and which of them are still pending an update. | devices have received an update and which of them are still pending | |||
| an update. | ||||
| Firmware + +----------+ Firmware + +-----------+ | Firmware + +----------+ Firmware + +-----------+ | |||
| Manifest | |-+ Manifest | |-+ | Manifest | |-+ Manifest | |-+ | |||
| +--------->| Firmware | |<---------------| | | | +--------->| Firmware | |<---------------| | | | |||
| | | Server | | | Author | | | | | Server | | | Author | | | |||
| | | | | | | | | | | | | | | | | |||
| | +----------+ | +-----------+ | | | +----------+ | +-----------+ | | |||
| | +----------+ +-----------+ | | +----------+ +-----------+ | |||
| | | | | |||
| | | | | |||
| | | | | |||
| -+-- ------ | -+-- ------ | |||
| ---- | ---- ---- ---- | ---- | ---- ---- ---- | |||
| // | \\ // \\ | // | \\ // \\ | |||
| / | \ / \ | / | \ / \ | |||
| / | \ / \ | / | \ / \ | |||
| / | \ / \ | / | \ / \ | |||
| / | \ / \ | / | \ / \ | |||
| | v | | | | | v | | | | |||
| | +------------+ | | | +------------+ | | |||
| | |Communicator| | | | | | | Firmware | | | | | |||
| | +--------+---+ | Device | +--------+ | | | | Consumer | | Device | +--------+ | | |||
| | | | | Management| | | | | | +------------+ | Management| | | | | |||
| | | Device |<----------------------------->| Status | | | | | |<------------------------->| Status | | | |||
| | | | | | | Tracker| | | | | Device | | | | Tracker| | | |||
| | +--------+ | || | | | | | +------------+ | || | | | | |||
| | | || +--------+ | | | | || +--------+ | | |||
| | | | | | | | | | | |||
| | | \ / | | | \ / | |||
| \ / \ / | \ / \ / | |||
| \ / \ Device / | \ / \ Device / | |||
| \ Network / \ Operator / | \ Network / \ Operator / | |||
| \ Operator / \\ // | \ Operator / \\ // | |||
| \\ // ---- ---- | \\ // ---- ---- | |||
| ---- ---- ------ | ---- ---- ------ | |||
| ----- | ----- | |||
| skipping to change at page 13, line 21 ¶ | skipping to change at page 13, line 21 ¶ | |||
| ^ * | ^ * | |||
| * * | * * | |||
| ************************************************************ | ************************************************************ | |||
| End-to-End Security | End-to-End Security | |||
| Figure 2: End-to-End Security. | Figure 2: End-to-End Security. | |||
| Whether the firmware image and the manifest is pushed to the device | Whether the firmware image and the manifest is pushed to the device | |||
| or fetched by the device is a deployment specific decision. | or fetched by the device is a deployment specific decision. | |||
| The following assumptions are made to allow the device to verify the | The following assumptions are made to allow the firmware consumer to | |||
| received firmware image and manifest before updating software: | verify the received firmware image and manifest before updating | |||
| software: | ||||
| - To accept an update, a device needs to verify the signature | - To accept an update, a device needs to verify the signature | |||
| covering the manifest. There may be one or multiple manifests | covering the manifest. There may be one or multiple manifests | |||
| that need to be validated, potentially signed by different | that need to be validated, potentially signed by different | |||
| parties. The device needs to be in possession of the trust | parties. The device needs to be in possession of the trust | |||
| anchors to verify those signatures. Installing trust anchors to | anchors to verify those signatures. Installing trust anchors to | |||
| devices via the Trust Provisioning Authority happens in an out-of- | devices via the Trust Provisioning Authority happens in an out-of- | |||
| band fashion prior to the firmware update process. | band fashion prior to the firmware update process. | |||
| - Not all entities creating and signing manifests have the same | - Not all entities creating and signing manifests have the same | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at page 13, line 50 ¶ | |||
| - For confidentiality protection of firmware images the author needs | - For confidentiality protection of firmware images the author needs | |||
| to be in possession of the certificate/public key or a pre-shared | to be in possession of the certificate/public key or a pre-shared | |||
| key of a device. The use of confidentiality protection of | key of a device. The use of confidentiality protection of | |||
| firmware images is deployment specific. | firmware images is deployment specific. | |||
| There are different types of delivery modes, which are illustrated | There are different types of delivery modes, which are illustrated | |||
| based on examples below. | based on examples below. | |||
| There is an option for embedding a firmware image into a manifest. | There is an option for embedding a firmware image into a manifest. | |||
| This is a useful approach for deployments where devices are not | This is a useful approach for deployments where devices are not | |||
| connected to the Internet and cannot contact a dedicated server for | connected to the Internet and cannot contact a dedicated firmware | |||
| download of the firmware. It is also applicable when the firmware | server for the firmware download. It is also applicable when the | |||
| update happens via a USB stick or via Bluetooth Smart. Figure 3 | firmware update happens via a USB stick or via Bluetooth Smart. | |||
| shows this delivery mode graphically. | Figure 3 shows this delivery mode graphically. | |||
| /------------\ /------------\ | /------------\ /------------\ | |||
| /Manifest with \ /Manifest with \ | /Manifest with \ /Manifest with \ | |||
| |attached | |attached | | |attached | |attached | | |||
| \firmware image/ \firmware image/ | \firmware image/ \firmware image/ | |||
| \------------/ +-----------+ \------------/ | \------------/ +-----------+ \------------/ | |||
| +--------+ | | +--------+ | +--------+ | | +--------+ | |||
| | |<.................| Firmware |<................| | | | |<.................| Firmware |<................| | | |||
| | Device | | Server | | Author | | | Device | | Server | | Author | | |||
| | | | | | | | | | | | | | | |||
| skipping to change at page 17, line 9 ¶ | skipping to change at page 17, line 13 ¶ | |||
| commonly used to offload specific work to other CPUs. Firmware | commonly used to offload specific work to other CPUs. Firmware | |||
| dependencies are similar to the other solutions above, sometimes | dependencies are similar to the other solutions above, sometimes | |||
| allowing only one image to be upgraded, other times requiring several | allowing only one image to be upgraded, other times requiring several | |||
| to be upgraded atomically. Because the updates are happening on | to be upgraded atomically. Because the updates are happening on | |||
| multiple CPUs, upgrading the two images atomically is challenging. | multiple CPUs, upgrading the two images atomically is challenging. | |||
| 8. Example Flow | 8. Example Flow | |||
| The following example message flow illustrates the interaction for | The following example message flow illustrates the interaction for | |||
| distributing a firmware image to a device starting with an author | distributing a firmware image to a device starting with an author | |||
| uploading the new firmware to Firmware Server and creating a | uploading the new firmware to firmware server and creating a | |||
| manifest. The firmware and manifest are stored on the same Firmware | manifest. The firmware and manifest are stored on the same firmware | |||
| Server. | server. | |||
| +--------+ +-----------------+ +------------+ +----------+ | +--------+ +-----------------+ +------------+ +----------+ | |||
| | Author | | Firmware Server | |Communicator| |Bootloader| | | Author | | Firmware Server | |FW Consuumer| |Bootloader| | |||
| +--------+ +-----------------+ +------------+ +----------+ | +--------+ +-----------------+ +------------+ +----------+ | |||
| | | | + | | | | + | |||
| | Create Firmware | | | | | Create Firmware | | | | |||
| |--------------- | | | | |--------------- | | | | |||
| | | | | | | | | | | | | |||
| |<-------------- | | | | |<-------------- | | | | |||
| | | | | | | | | | | |||
| | Upload Firmware | | | | | Upload Firmware | | | | |||
| |------------------>| | | | |------------------>| | | | |||
| | | | | | | | | | | |||
| skipping to change at page 19, line 43 ¶ | skipping to change at page 19, line 50 ¶ | |||
| protecting the manifest. | protecting the manifest. | |||
| - incentives for manufacturers to offer a firmware update mechanism | - incentives for manufacturers to offer a firmware update mechanism | |||
| as part of their IoT products. | as part of their IoT products. | |||
| 11. Mailing List Information | 11. Mailing List Information | |||
| The discussion list for this document is located at the e-mail | The discussion list for this document is located at the e-mail | |||
| address suit@ietf.org [1]. Information on the group and information | address suit@ietf.org [1]. Information on the group and information | |||
| on how to subscribe to the list is at | on how to subscribe to the list is at | |||
| https://www1.ietf.org/mailman/listinfo/suit | https://www1.ietf.org/mailman/listinfo/suit [2] | |||
| Archives of the list can be found at: https://www.ietf.org/mail- | Archives of the list can be found at: https://www.ietf.org/mail- | |||
| archive/web/suit/current/index.html | archive/web/suit/current/index.html [3] | |||
| 12. Acknowledgements | 12. Acknowledgements | |||
| We would like to thank the following persons for their feedback: | We would like to thank the following persons for their feedback: | |||
| - Geraint Luff | - Geraint Luff | |||
| - Amyas Phillips | - Amyas Phillips | |||
| - Dan Ros | - Dan Ros | |||
| skipping to change at page 20, line 45 ¶ | skipping to change at page 20, line 47 ¶ | |||
| - Marti Bolivar | - Marti Bolivar | |||
| - Andrzej Puzdrowski | - Andrzej Puzdrowski | |||
| - Markus Gueller | - Markus Gueller | |||
| - Henk Birkholz | - Henk Birkholz | |||
| - Jintao Zhu | - Jintao Zhu | |||
| - Takeshi Takahashi | ||||
| We would also like to thank the WG chairs, Russ Housley, David | We would also like to thank the WG chairs, Russ Housley, David | |||
| Waltermire, Dave Thaler for their support and their reviews. | Waltermire, Dave Thaler for their support and their reviews. | |||
| Kathleen Moriarty was the responsible security area director when | Kathleen Moriarty was the responsible security area director when | |||
| this work was started. | this work was started. | |||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, | |||
| editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer | [RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer | |||
| Security (TLS) / Datagram Transport Layer Security (DTLS) | Security (TLS) / Datagram Transport Layer Security (DTLS) | |||
| Profiles for the Internet of Things", RFC 7925, | Profiles for the Internet of Things", RFC 7925, | |||
| DOI 10.17487/RFC7925, July 2016, <https://www.rfc- | DOI 10.17487/RFC7925, July 2016, | |||
| editor.org/info/rfc7925>. | <https://www.rfc-editor.org/info/rfc7925>. | |||
| 13.2. Informative References | 13.2. Informative References | |||
| [I-D.ietf-suit-information-model] | [I-D.ietf-suit-information-model] | |||
| Moran, B., Tschofenig, H., Birkholz, H., and J. Jimenez, | Moran, B., Tschofenig, H., and H. Birkholz, "Firmware | |||
| "Firmware Updates for Internet of Things Devices - An | Updates for Internet of Things Devices - An Information | |||
| Information Model for Manifests", draft-ietf-suit- | Model for Manifests", draft-ietf-suit-information-model-01 | |||
| information-model-00 (work in progress), June 2018. | (work in progress), July 2018. | |||
| [LwM2M] OMA, ., "Lightweight Machine to Machine Technical | [LwM2M] OMA, ., "Lightweight Machine to Machine Technical | |||
| Specification, Version 1.0.2", February 2018, | Specification, Version 1.0.2", February 2018, | |||
| <http://www.openmobilealliance.org/release/LightweightM2M/ | <http://www.openmobilealliance.org/release/LightweightM2M/ | |||
| V1_0_2-20180209-A/ | V1_0_2-20180209-A/ | |||
| OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>. | OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>. | |||
| [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard | [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard | |||
| (AES) Key Wrap with Padding Algorithm", RFC 5649, | (AES) Key Wrap with Padding Algorithm", RFC 5649, | |||
| DOI 10.17487/RFC5649, September 2009, <https://www.rfc- | DOI 10.17487/RFC5649, September 2009, | |||
| editor.org/info/rfc5649>. | <https://www.rfc-editor.org/info/rfc5649>. | |||
| [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management | [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management | |||
| Requirements", RFC 6024, DOI 10.17487/RFC6024, October | Requirements", RFC 6024, DOI 10.17487/RFC6024, October | |||
| 2010, <https://www.rfc-editor.org/info/rfc6024>. | 2010, <https://www.rfc-editor.org/info/rfc6024>. | |||
| [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet | [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet | |||
| of Things Software Update (IoTSU) Workshop 2016", | of Things Software Update (IoTSU) Workshop 2016", | |||
| RFC 8240, DOI 10.17487/RFC8240, September 2017, | RFC 8240, DOI 10.17487/RFC8240, September 2017, | |||
| <https://www.rfc-editor.org/info/rfc8240>. | <https://www.rfc-editor.org/info/rfc8240>. | |||
| 13.3. URIs | 13.3. URIs | |||
| [1] mailto:suit@ietf.org | [1] mailto:suit@ietf.org | |||
| [2] https://www1.ietf.org/mailman/listinfo/suit | ||||
| [3] https://www.ietf.org/mail-archive/web/suit/current/index.html | ||||
| Authors' Addresses | Authors' Addresses | |||
| Brendan Moran | Brendan Moran | |||
| Arm Limited | Arm Limited | |||
| EMail: Brendan.Moran@arm.com | EMail: Brendan.Moran@arm.com | |||
| Milosch Meriac | Milosch Meriac | |||
| Consultant | Consultant | |||
| End of changes. 47 change blocks. | ||||
| 131 lines changed or deleted | 144 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||