IETF Logo Mail Archive

[Suit] SUIT Architecture -- Operating modes

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 06 June 2018 09:27 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA85D130EDB for <suit@ietfa.amsl.com>; Wed, 6 Jun 2018 02:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yE-3FN_6u0z for <suit@ietfa.amsl.com>; Wed, 6 Jun 2018 02:27:31 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0079.outbound.protection.outlook.com [104.47.0.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A172130ED7 for <suit@ietf.org>; Wed, 6 Jun 2018 02:27:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WUKLpm5tmTdhbjG9dz6wnoWAdN2YAQDrqIWw/AdZKnA=; b=YKNjLh1lDAuEkhnV7LY51ZDC+y/X1mYHF73zVwh8rKoF0BukqjO5VX5nzmhMaN1sB/FsokI19NwW3NTcQWvIPWaIQcMmM1RCevkXf2RNvKMT3RC91MxuYbWyYvz7gju/ZCL9rBWyHN3gX9sWi6NLoGuXx8yv0cuDWu/0+1vm5SQ=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1744.eurprd08.prod.outlook.com (10.168.67.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.820.14; Wed, 6 Jun 2018 09:27:28 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::d1df:1498:96ec:6b35]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::d1df:1498:96ec:6b35%4]) with mapi id 15.20.0820.015; Wed, 6 Jun 2018 09:27:28 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: SUIT Architecture -- Operating modes
Thread-Index: AdP9eHteSzrUiKgdQTO0D4Kr/wumzQ==
Date: Wed, 6 Jun 2018 09:27:28 +0000
Message-ID: <VI1PR0801MB211259B72731F37766C0227CFA650@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [195.37.142.77]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1744; 7:5vnPcw0XnFv6WHlDEenxL6w7NkByKS3vonjdbtY9p9J/qXbeqtienmApBHRqDb3+37sbDGpJXbLa09qEEN2YAZqIgDgWa8uSOk9DVAaCtDzLLVZmwBVnnz4sJ4pvdsbbj37MUu6b8P0pwJqhQN2hyy+fmqVF5NL/YF3SwjSSAdD35RA1gGGBsjAsMcCE2QL0b9YdmdjOS6SnKfKi8oR/xAFxaaQsuQjjgM2UY8voP4Biby6q44ozC7bILfuNn+KI
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1744;
x-ms-traffictypediagnostic: VI1PR0801MB1744:
x-microsoft-antispam-prvs: <VI1PR0801MB174451A8D7A340BEDCBDEF75FA650@VI1PR0801MB1744.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(3231254)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:VI1PR0801MB1744; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1744;
x-forefront-prvs: 06952FC175
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(346002)(39380400002)(376002)(39860400002)(53754006)(189003)(199004)(40434004)(3846002)(53936002)(26005)(99286004)(25786009)(6506007)(2900100001)(486006)(7696005)(5250100002)(6916009)(476003)(105586002)(86362001)(5660300001)(5890100001)(102836004)(186003)(106356001)(59450400001)(2501003)(6306002)(14454004)(9686003)(8936002)(33656002)(55016002)(72206003)(561944003)(6436002)(5640700003)(2906002)(74316002)(2351001)(966005)(7736002)(3280700002)(8676002)(68736007)(66066001)(305945005)(3660700001)(97736004)(478600001)(6116002)(1730700003)(81156014)(81166006)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1744; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: NsiIPoYTyuFaEDy19yw9kFycB5klil56iNapHwoauUsQZwaiU4rjeOaZAVr/Hm9pKvBcXv5K+wg2l0H0wYB9IbqNeQ99N1v6iEkRIuKjrlmYD4ZwhsdRpwjTGd8bxN5cWfV3pPr1MzGjAhZc9ZjHYUKkMs+im2DsYV206T/A2E9y6Xuc/hw9Wjl1kszxkksf
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 696f433b-59f1-4bee-60ff-08d5cb8fb8c1
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 696f433b-59f1-4bee-60ff-08d5cb8fb8c1
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2018 09:27:28.2142 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1744
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/3-xs5ccSHRt3R2TU4topofkdXR0>
Subject: [Suit] SUIT Architecture -- Operating modes
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jun 2018 09:27:38 -0000

Hi all,

at the virtual interim meeting earlier this year Dave suggested terminology, which was based on
ITU-T work for firmware updates:

- Device Core: stores/uses software/firmware,
i.e., the IoT device itself

- Communicator: checks software/firmware
status of device and initiates update as needed
May or may not be on the device itself

- Status Tracker: tracks update status of
devices under its administration

- Firmware Server: distributes
software/firmware packages to devices
May or may not be combined with Status Tracker

At IETF#101 we talked about the following three categories for firmware update interactions:

- Client-initiated: IoT device polls for updates and downloads image when it wants
- Server-initiated: Server pushes update to a device
- Hybrid: Server pushes notification of availability of an update to a device, and the client then
  downloads the image when it wants.

In https://tools.ietf.org/html/draft-ietf-suit-architecture-00 Brendan and I made a proposal for
a new terminology. Here is the relevant text:

-----

3.10.  Operating modes

   There are three broad classifications of update operating modes.

   * Self initiated
   * Third-party initiated
   * Hybrid

   Self initiated updates take the form of a proactive IoT device that
   checks for updates.  Third-party initiated updates are triggered by
   an actor other than the IoT device, be it a server, a peer, or a
   user.  Hybrid updates are those that require agreement from both the
   target IoT device and another actor.

   Third-party initiated updates are important to consider because
   timing of updates may need to be tightly controlled in some high-
   reliability environments.

   An IoT device goes through several steps in the course of an update,
   each of which can be self-initiated or third-party initiated, or
   hybrid.  An IoT device may go through the following steps, though
   this is not a comprehensive list.

   * Notification
   * Pre-authorisation
   * Dependency resolution
   * Download
   * Installation

   The notification step consists informing an IoT device that an update
   is available.  This can be accomplished via polling (self-initiated),
   push notifications (third-party initiated), or more complex
   mechanisms.

   The pre-authorisation step involves verifying the update authority
   and making a determination that the device is prepared to initiate
   the fetching and processing of updates.  If the device has all
   information that is necessary to make this determination, then the
   pre-authorisation may be self-initiated.  However, the device can
   wait for instruction to begin (third-party initiated).  Hybrid
   approaches are possible as well.

   A dependency resolution phase is needed when more than one component
   can be updated or when a differential update is used.  The necessary
   dependencies must be available prior to installation.

   The download step is the process of acquiring a local copy of the
   payload.  When the download is self-initiated, this means that the
   IoT device chooses when a download occurs and initiates the download
   process.  When a download is third-party initiated, this means that
   either the remote service tells the IoT device when to download or
   that it initiates the transfer directly to the IoT device.  For
   example, a download from an HTTP server is initiated locally.  A
   transfer to a LwM2M Firmware Update resource [LwM2M] is initiated
   remotely.

   Installation is the act of processing the payload into a format that
   the IoT device can recognise.

   Each of these steps may require different permissions expressed in
   claims and may be implemented in a variety of ways.

----

Offline feedback from Dave indicates that it did not help improve clarify.
Hence, I am going it a new try. Let me know what you think.


-----

3.10.  Operating modes

   There are three broad classifications of update operating modes.

  * Client-initiated Update
  * Server-initiated Update
  * Hybrid Update

  Client-initiated updates take the form of a Communicator on a Device Core
  proactively checking for new firmware imagines provided by Firmware Servers.

  Server-initiated updates are important to consider because
  timing of updates may need to be tightly controlled in some high-
  reliability environments. In this case the Communicator, potentially in
  coordination with the Status Tracker, determines what IoT devices need
  qualify for a firmware update. Once those devices have been selected the
  Firmware Server distributes updates to those Device Cores.

  Note: This assumes that the Firmware Server is able to reach the Device Cores,
  which may require Device Cores to keep reachability information at the Communicator
  and / or at the Firmware Server up-to-date. This may also require keeping state at
  NATs and stateful packet filtering firewalls alive.

  Hybrid updates are those that require an interaction between the Device Core
  and the Firmware Server / Communicator. The Communicator pushes notifications
  of availability of an update to the Device Core, and the Device Core then
  downloads the image from the Firmware Server when it wants.

   An alternative approach is to consider the steps an IoT device has to go through
   in the course of an update:

   * Notification
   * Pre-authorisation
   * Dependency resolution
   * Download
   * Installation

   The notification step consists of the Communicator informing the Device Core
   that an update is available. This can be accomplished via polling (client-initiated),
   push notifications (server-initiated), or more complex
   mechanisms.

   The pre-authorisation step involves verifying whether the entity signing
   the manifest is indeed authorized to perform an update. The Device Core
   must also determine whether it should fetching and processing of the
   firmware image (unless it has been attached already to the manifest itself).

   A dependency resolution phase is needed when more than one component
   can be updated or when a differential update is used.  The necessary
   dependencies must be available prior to installation.

   The download step is the process of acquiring a local copy of the
   firmware image.  When the download is client-initiated, this means that the
   IoT device chooses when a download occurs and initiates the download
   process.  When a download is server-party initiated, this means that
   either the Communicator / Firmware Server tells the IoT device when
   to download or that it initiates the transfer directly to the IoT device.
   For example, a download from an HTTP-based Firmware Server is client-initiated.
   A transfer to a LwM2M Firmware Update resource [LwM2M] is server-initiated.

   If the Device Core has downloaded a new firmware image and is ready to
   install it it may need to wait for a trigger from a Communicator to
   install the firmware update, may trigger the update automatically, or
   may go through a more complex decision making process to determine
   the appropriate timing for an update (such as delaying the update
   process to a later time when end users are less impacted by the update process).

   Installation is the act of processing the payload into a format that
   the IoT device can recognise and the bootloader is responsible for then
   booting from the newly installed firmware image.

   Each of these steps may require different permissions.

----

Is this any better?

Writing the text above I noticed that the Communicator and the
Status Tracker have some overlapping functionality. Both entities
need to know about the status of the device. Also it would be
good to know what "initiates update" for the communicator
actually needs.

Finally, the term "Device Core" sounds a bit strange. Would it
be better to call it 'update service' or just refer to IoT device?

Ciao
Hannes


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.8.7 | Report a Bug | By Email