IETF Logo Mail Archive

Re: [Suit] SUIT rechartering: proposed text

Dave Thaler <dthaler@microsoft.com> Mon, 02 August 2021 21:34 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D99643A1D75 for <suit@ietfa.amsl.com>; Mon, 2 Aug 2021 14:34:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level:
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stccuhfkTiLb for <suit@ietfa.amsl.com>; Mon, 2 Aug 2021 14:34:42 -0700 (PDT)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2106.outbound.protection.outlook.com [40.107.220.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16AB03A1D74 for <suit@ietf.org>; Mon, 2 Aug 2021 14:34:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PyaG9mTIJj/53eURK/OZNjTl/aRodht6+oWG/bwGz5KMuKGfUMhukBqmxWMVPGcFGPMaXZdPWfdDbpaieQ+WTlJAMLKlKuVhZlG8ofwY6nZkQ7SDrVxlRJEUOGAY0FwrYCYOHyuphUOac0fTrISvj6qPmoy+pgTRt0/bfJusqqJ0BRF1r4k7QztTqAZ9YiMlIUcMvmndQ64MMdOYZyx0SrQb4jEev2qYq84LwMh4prZr6GK0Y7Pne6lLCvQnsySiOh7V8mmUef22dLamrzWaUXNh2z1sfWduplWrwSPW+X9MbJwhgqMR6Ji6VOfU5re2YJLgN0btRuJkafirMbJCoQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2g0lDMe4xFAoxDvKDclokW0+XU8eqXb4aHXelavQCGE=; b=Ie5EMNBUHhDb+nEggmzEzvL7NQSJTTNsb0p/0neKljducjYkyYerQMR5ojqAPCQPzn/mYsRYqTpf3QaTXv1dG4ZPPBWA0Pk68KbQqu34llzwDe0Y7lqNsgQRhES/UT1vnj9ehqWnb47Z1BYfEILmqpE7s3MJnjWCM7+qq8rS97beE5N07nORK4dVqHdpymZX8M1E3EfMZHwCarn0RGC82u9Co99TX0mVlxCxKmJgQjioejRhZPnSm9fCbQbTS2rjoKvuJUEyKx0+pFCWgg5VBxXe4UfOFir9m/zQXhcNdlHTbs3gNDYyCHnUc27syc+KFeaofyXqYrhC2dBjrOs9kg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2g0lDMe4xFAoxDvKDclokW0+XU8eqXb4aHXelavQCGE=; b=WKoGfzLKqRBYLtqz+jMAXryAwEeSNsgy5aoU95r2BSqKGVQgJpZ8YkgUNNK3YkJI1vZDU1uy8DqOG3SxTIC7Xua256Z/7vzhtaxzkwqKBA+GaroST6N5GmjlWjhC847DEKs8wkwd0KaXnFMdF9iczxlQeSMmjguWUYLXhNWSqtM=
Received: from CH2PR21MB1464.namprd21.prod.outlook.com (2603:10b6:610:89::16) by CH2PR21MB1528.namprd21.prod.outlook.com (2603:10b6:610:80::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.1; Mon, 2 Aug 2021 21:34:39 +0000
Received: from CH2PR21MB1464.namprd21.prod.outlook.com ([fe80::cd73:748d:5b7:e2c5]) by CH2PR21MB1464.namprd21.prod.outlook.com ([fe80::cd73:748d:5b7:e2c5%9]) with mapi id 15.20.4415.002; Mon, 2 Aug 2021 21:34:39 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, suit <suit@ietf.org>
Thread-Topic: [Suit] SUIT rechartering: proposed text
Thread-Index: AQHXBIFCYdPbq2i4MU2UU0mwBdcWBqpbCE+AgABX+ACA5UScAIAAD0qAgABJdoCABbIAYIAGOtmAgATJPsCAABq0AIAMxcoAgAMvGIA=
Date: Mon, 02 Aug 2021 21:34:39 +0000
Message-ID: <CH2PR21MB1464AC4D50A932EC45A3B369A3EF9@CH2PR21MB1464.namprd21.prod.outlook.com>
References: <66D84CE5-22E6-44F0-8239-8A5832326219@arm.com> <3E7D5E5B-03EE-4EDD-A951-FB119F72DDE8@arm.com> <16339.1613515194@localhost> <E4B87013-1498-463F-98C0-5FF13344C3EA@arm.com> <6FC3F38A-B067-4180-ACD9-A121162EA459@vigilsec.com> <26718.1626138395@localhost> <MN2PR09MB4841BA0A0CC978E70A09A509F0119@MN2PR09MB4841.namprd09.prod.outlook.com> <67F117E7-28F2-45F3-BC4C-AC8116BCB69F@vigilsec.com> <SN6PR2101MB0943178F1E627E78A1343AE8A3E59@SN6PR2101MB0943.namprd21.prod.outlook.com> <50B65F80-808D-4591-9D4D-2346796DA204@vigilsec.com> <1944E3C3-9348-4574-AE26-4133BFD932B0@vigilsec.com>
In-Reply-To: <1944E3C3-9348-4574-AE26-4133BFD932B0@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=e0101121-f107-4e43-8de4-2f0f26d4de97; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-08-02T21:34:23Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 50ebb2c5-f7fd-4fd1-953b-08d955fd5512
x-ms-traffictypediagnostic: CH2PR21MB1528:
x-microsoft-antispam-prvs: <CH2PR21MB1528A862541037ADD74C9F06A3EF9@CH2PR21MB1528.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: VvIai0JnaM6Nd5lb4kzuxhuniARIOTlJY+3r6hvHG5e/macbNo4IcRwty7LDiOry0YEDtaopBsp4AZCosvqaI+H+4yJWTprkiGixFc1s7ykY6VZfFgvX4lmxR3CoFk/2djLgsClJWtx81OuxvtqI73tqY+Ye2oI8i5yHkU+qnadKw2Mw+IMuhMcxVZp9c1y7Fkv3KMgL+GGlaIqN2LPyOwGCkeIkn373j7HOxlnZ0puHSvKrlG7Dz/Vax+aiSiISXCm/6S0IpPMabaq3GveOhZuDxlTR2Mcjun9ltKOGRkT7heMv2AG4W0ZfigsXl1dK7+V1W+2b3+ey4KD7tNs8eeXgmU0jDyqTbbWzdfynl1FV3VuEHVeJww6KqnUTOfy5xOI1DsJrpcZJ2jgDqWbIhJC+7qGJqEo+238Fvfgmqrwmnf/L5PUg5j5nLgSMvvVUGh1aHUwXRi5rOSVGQE026K7H38YYD4P4s+HoLfGewfQNg2Kgblo3dJZEBKcadV9vMDg6Pro6Ptf2m7wTgdzgbOozXsxyarQbQS5mLdLquBPm6ufFQDFxJaUb2xdYgGalZqh+kK1LzR/TbdAsivNJNdoSA3k0+CndlhcWC1MUha8ejDCoQUGHGfd3jWNBQM59BdVIAKL3yEvFTK0deBQC1CpsYpyCDzA/LXf5uw8qzyEkNZ4GC1qBflrTrnYzPKnW42/sCBgEB8rd9bMePAUMnfJhJgmRxtmlUOT9kj7Kgq67OoUufyGB5InIselHKHxLEsNVvDlsRUaR+5r86Ct5JA07An8wxPORXFU1Fh+ypbo=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR21MB1464.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(122000001)(66946007)(66476007)(64756008)(110136005)(66446008)(76116006)(66556008)(10290500003)(66574015)(53546011)(316002)(966005)(8676002)(83380400001)(6506007)(82950400001)(82960400001)(7696005)(2906002)(186003)(55016002)(38100700002)(52536014)(508600001)(8936002)(26005)(71200400001)(5660300002)(38070700005)(9686003)(33656002)(8990500004)(86362001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8HgXC5bFaudOSyGo7eqAhekbDtbOTorDQY4ymhCmN4VI5+NfFUjyNE5d4yMWbMBFR/BAWgUJ8ipTYpPUT8qWCzZsaSuwtUqltu4pTQmDJ2ULCdDL5VYpeDHxcSJQwvn0Txg8yOYvecTX+dYUAQWc5XP5Ux5THw24ifVxUCn/hPG4RmDtEVbFJNkJLH2vkJUHeGvV0cmf03Z642caz0oLbbT98qcf1n+QCmhRXJm6AaAzmJjDWc7+Yf8oTrkdTivNkhBXPfkq8NwnREdwiJ4Y3dKzHP35BeRWbvXCqTUF59Rjyunk5QJqUIMQDVXc1+AxC/Z2UaXlWJz8zrdYZ3qSynptHFKxa91JdONgiOVX0qozEVlOepe6OVZqb2VhdL0IaI/VeTZ1B97GS2WK1Pq48XWTFKBsEcTlfslvT7tVuUNFpLpH5VrbVg6Z1SWyWaVpmg+6NJK/+97lRZp+4g2Uj0NDEGeqfzNdJDbUb2yHzyCiEy3eo5QqosVrPuRQtrl1fveWJDTJfgifi0NePHpM023lK26z6aOO1aIgXPJjd4WxXEACMpWmARgUTy97QyV4NTkq05tpQ1XzJh4sNkqPbAa/MSsy/PFjxKX8Vkn5I15Hr/1+RzqQvUzXtGbFtepp4kij+JktzB6l+oqueGCZLkpO3lxPv5CZ9dbCvlZXjIYqFiidnMVrY9nbg4VZzMRfn7YLodt35y6AfaGOlIGbmLEVfd7QUCaMNAwlMoLksxyZXLPd5APTzk+b2zLP2QULj3vtBd3VcHumu3dD8xHIQp4jIc5FDid3FZ55nalGCACNQAKuYllCwPz7YGFJshgD/TtJc+xma4DQABnttNHoh5AjMyCCIzxBe0OVbQiqgSODroo5WhVx3uzBWUD5VSgR0BLfNvSbiBZUzjWYkER+JMNmptRI1hiVewm8dK2nljqyJPSNZ9BrUkWBOERTTwQVTTJvvtRwiKRPoZwBVEGqRCleelsDEfGACVWClrnXAk4oeZ1SjwJ/Lag4WBdmiSMFjulDotQEeL53TBUj9F2FjHJYc7l2A3K91u0Bxz5Kf595KFbg+c99h1p6RWioLTufEF0zCixHpr26W86jrPXBfolctuJG6QhuZnLpcf7pBWdVwp9gfZcH2PlNYvcLuORlE6uPLS7QilUjxo5qbF66l8njqJ6PPlKfLDsxNWjJneSAoFPYw1GuSN/XkhACHYTVvxLVRaTtxfAW6XJj68JC0xNv8L2Z6bZKYEbzaiYYikJXTkzeCMLRiMcDEGJzWE5jxmKXBlOJJKZFZxLfc6/rKRDGf6k1wCW28iaJwLQuXYuvNVWh6FdFNP9HwKtbwvv7
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR21MB1464.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 50ebb2c5-f7fd-4fd1-953b-08d955fd5512
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2021 21:34:39.1127 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OetCGsp3LTVQG3ct+kgh9YXX5OzJczDxrAPnSgf6LaU3CPQ+wgi6m8Cn8HxYs4GxeGjP74YIOLx9kMudQ1EADtpoI8Q+uztxbkzou7TAQiY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR21MB1528
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/hzO_MI9cUg-SDeUxeCKqp7tWU9w>
Subject: Re: [Suit] SUIT rechartering: proposed text
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2021 21:34:48 -0000

This addresses my comments, so looks fine to me.

Dave

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Saturday, July 31, 2021 1:57 PM
To: suit <suit@ietf.org>
Subject: Re: [Suit] SUIT rechartering: proposed text

Based on the discussion at IETF 111, I have updated the DRAFT re-charter text.

Please review and comment.

Russ

= = = = = = =

Vulnerabilities in Internet of Things (IoT) devices have raised the need for a secure firmware update mechanism that is also suitable for constrained devices.  Security experts, researchers, and regulators recommend that all IoT devices be equipped with such a mechanism.  While there are many proprietary firmware update mechanisms in use today, there is no modern interoperable approach allowing secure updates to firmware in IoT devices. In June 2016, the Internet Architecture Board organized a workshop on 'Internet of Things (IoT) Software Update (IOTSU)', and RFC 8240 documents various requirements and challenges that are specific to IoT devices.

A firmware update solution consists of several components, including:
* A mechanism to transport firmware images to compatible devices.
* A manifest that provides meta-data about the firmware image (such as a
  firmware package identifier, the hardware the package needs to run, and
  dependencies on other firmware packages), as well as cryptographic
  information for protecting the firmware image in an end-to-end fashion.
* The firmware image itself.

The SUIT WG is defining a firmware update solution (taking into account past learnings from RFC 4108 and other proprietary firmware update solutions) that are usable on Class 1 (as defined in RFC 7228) devices, i.e., devices with
~10 KiB RAM and ~100 KiB flash.  The solution may apply to more capable devices as well.  The SUIT WG is not defining any new transport or discovery mechanisms, but may describe how to use existing mechanisms within the architecture.

The SUIT WG has already completed work on two documents:
* An IoT firmware update architecture.
* An information model for the SUIT manifest.

Now that the information model is complete, the SUIT WG has selected the CBOR serialization format and the associated COSE cryptographic mechanisms to encode the SUIT manifest. The SUIT WG may consider a small number of additional formats in the future; however, to reduce the complexity of a firmware management solution, a very small number of formats is preferred to enable SUIT maifest integration and interoperability with other IoT technologies and ecosystems.  To support a wide range of deployment scenarios, the formats are expected to be expressive enough to allow the use of different firmware sources and permission models.

The SUIT WG does not aim to create a standard for a generic application software update mechanism, but instead the SUIT WG is focusing on firmware development practices in the embedded industry. Software update solutions that target updating software other than the firmware binaries (e.g., applications) are also out of scope.

To support the SUIT manifest format, the SUIT WG is also defining formats that enable a SUIT Status Tracker to determine if a particular manifest could be successfully deployed to a device and determine if an operation was successful.

In addition, the SUIT WG will work with the RATS WG to specify claims related to the SUIT Status Tracker that can be used to provide evidence in support of the architecture that has already been defined by the RATS WG.

The SUIT WG will continue to work with silicon vendors and OEMs that develop IoT operating systems to produce implementations based on SUIT WG specifications.  In particular, the SUIT WG plans to continue to participate in IETF Hackathons.

The SUIT WG document deliverables are:
* A SUIT manifest format specification using CBOR.
* Extensions to the SUIT manifest for optional capabilities, including
  firmware encryption.
* A secure method for an IoT device to report on firmware update status.
* A SUIT manifest extension to include a MUD file as defined in RFC 8520.

In addition, either the SUIT WG or the RATS WG will produce:
* A set of claims for attesting to firmware update status.

_______________________________________________
Suit mailing list
Suit@ietf.org
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsuit&amp;data=04%7C01%7Cdthaler%40microsoft.com%7C427385012603490935f008d95465c81f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637633618399989057%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=7R1HMSFRyHq6792Rd84LOVQTWu6lNjk2mQRpR7odSPs%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email