Re: [Suit] HR Review: Firmware Update Architecture for IoT Devices

David Brown <david.brown@linaro.org> Wed, 11 July 2018 23:58 UTC

Date: Wed, 11 Jul 2018 17:58:12 -0600
From: David Brown <david.brown@linaro.org>
To: Gurshabad Grover <gurshabad@cis-india.org>
Cc: suit@ietf.org, hrpc@irtf.org, Sandeep Jha <sandeepkjha18@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/DmkTTf0v7FhE5cUcARrPOhkWrLU>

On Thu, Jul 12, 2018 at 03:00:48AM +0530, Gurshabad Grover wrote:

>#Additional suggestions
>
>Section 3.9 of [SUIT-ARCH] talks about multiple authorizations wherein
>an unnecessary distinction has been made between critical infrastructure
>and non-critical infrastructure. Even in non-critical infrastructure,
>operators would want the ability to install updates according to
>their own preferences. In such scenarios, forced installations may
>violate user’s control of the device. Accordingly, we propose that the
>device operator SHOULD have the authority to accept or reject firmware
>updates.

This depends a lot on who the device operator is referring to.  From a
security perspective, the vendor may wish to make certain types of
security updates mandatory.  As stated earlier, for devices say in a
factory, or installed on a water meter, it is unclear who the device
operator is.  An organization installing water metering IoT devices is
unlikely to allow the individual consumers of water to have any
authority as to whether firmware is installed.

Realistically, calling this mandatory in the spec would mostly just
result in that criterion of the spec being ignored.

One challenge with SUIT, in general, is that those producing these
end-use devices have little motivation to comply with the spec.  The
benefits gained to them are resources (such as reference code) and
infrastructure that wouldn't have to be implemented.  They have little
reason to not modify any behavior of the code that doesn't suit their
own requirements.

Although there may be good reasons to desire that decisions like this
be granted to certain parties, the SUIT documents have little
authority to enforce them.

David