[Suit] HR Review: Firmware Update Architecture for IoT Devices
Gurshabad Grover <gurshabad@cis-india.org> Wed, 11 July 2018 21:30 UTC
Return-Path: <gurshabad@cis-india.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800A4130E73; Wed, 11 Jul 2018 14:30:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rx5IINMxvDFY; Wed, 11 Jul 2018 14:30:54 -0700 (PDT)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1340130DDD; Wed, 11 Jul 2018 14:30:53 -0700 (PDT)
Received: from smtp.greenhost.nl ([213.108.110.112]) by smarthost1.greenhost.nl with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <gurshabad@cis-india.org>) id 1fdMhH-0002Aq-44; Wed, 11 Jul 2018 23:30:52 +0200
To: suit@ietf.org, hrpc@irtf.org
Cc: Sandeep Jha <sandeepkjha18@gmail.com>
From: Gurshabad Grover <gurshabad@cis-india.org>
Openpgp: preference=signencrypt
Autocrypt: addr=gurshabad@cis-india.org; keydata= xsFNBFriroIBEADfyDpCD8eborMUMXKtZzjo4t2KzrAlUVYgE/TFtrwUP+4Xw4dzakDIzST8 sVYmlXIWhM5NBBTZSQ190vsxrkbi0xxLcXYM2olZEtqkJ8zONZeZLBeGvcfMymtHqD4jHwYb Zm7OXnS45fWDL+HOoMP/VCwEn098rYfnllIkYQD1Gc28Ig+ywjGg8y5p0qMmmmhm2ckgLjnG MJX8t273MSc8wsn/UYH922yif3MQXmrzqgnRl9hRzf90SKqAw38bw7wccb55pIItloKYsi0r zYBKJSOPXn91Z21TpOSTy21M0MZYEAlDn1zeea+q8TggfHNWxOXoKrIm1pqZFRz0k+8i2siJ AHf8bRm/fhukA6szZ6b2nNPxjkAmOv9zvGu6RZGbmeLvQYVBSSnZ67ayZrkKwn7KIyAV6hQM /bVnD8eEZ2tZ0S8lxoZFYSNeMGt2b6WelFZO97/LbjxaJUHd9K8g5H0MwqN1NXoBxRwllVRC 3sVHVoWTBqnKo8qplzvQEAto69PpvuxxKTOFEJeQqmn1b/fo3sLRb4YiIg8Ax+Np7Huzzjk6 vKKgpIwIN7yEUj/ReWi/UA/W4wSg3XkcqTf7h73crnN/1At0PdgozbDV2UbcApaldStP4DfG UiQl0/7MiYLKapDDuSahmoeH3xrNnrzS9BAfuGHezzDbMyPLXQARAQABzSpHdXJzaGFiYWQg R3JvdmVyIDxndXJzaGFiYWRAY2lzLWluZGlhLm9yZz7CwX0EEwEIACcFAlriroICGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQrbl/X+ubfC7/bQ//YQv7zqQE433xxsN/ 3GYKoOFccBy3WvV4DxrTskJ3n3k5lfcZolbc8TQksQOTzyerNt2ZA7fsGZa7eFSW+xR4Yq3/ C9o+5FOoHGhyZhb+x17MILhmyvyUNSj7SdKrRISgurMbV2Vv8LxmTcdrK6CdFF6JLH+opzU1 NlRKwZqROPgbYZEB2QFIUbGfgh2I5AXNyV2XbT7fagfkHk+v9AUV7POP2H1+AZ1xq6iFTm2o 9ufNZsp2bInsDohcVBKC3aH2cnFMjvIXpNoUOx8vb5A2xW0aBUTTJDB/uZw53WOg3kehrCNb ZkML3FnDZLRuu1e8DSWmwk5YIoDzt5bMCgfUwb0C6Q+JuM8lC+8CEEa9qamLc+fhvFAzcrWp VWuSaVeLdhe5NxmtlRYNZdGuKy6sRHjwsEWlwzRylhm74fiDR3aA1eIFsfmYLd4z+i1Fp23Y dHJf7/Gor2CmOxphog9DEA9WCuORXfx4De7hoMKwW4gWKw1A8B12Cv4EOkXmCsWsOnfDEarr 2Yl6elxkhQRfKjAesXb0cezRzZgwsWIsbeYsuWFF7Xi6IzUJ27lxU3p5PcyY8O8aDYOn+pu0 YFJ7s3u2VRRgptVZJmkcN3WTApXSHY8fGl5xAakM/bqFJj9uj5zlMnFN2EplC6/mQkfYfy2f siaGTP/GQV4OSuOeuMLOwU0EWuKuggEQAJ4lAzB72gHw4+rbyxmQNNVmvgYVZPjFtO/MQdYi x1QwRP/gxxqPqTd/ZwQvmPGzXRKw10B7uKSRk6YP12+IG0mXJwHGp9q5CWJE0XNGqX3UWbAc KIzxqPNpsf8e6Bv7jdW0YwLBxJ+RW0NNL6uAxz0sr2frbnS+EZB3cU+zOZzp/9YfTUZO2lxF NzgJoErKe/HLp7aBeJXBBcwO0LQlIT80rTZx2KihBa/Ww/y9E9gV/HacJu/Ncb6E/G3e4xGj 9w9L+UW43q01wy+FSUKy9FLc7D40WqQsj8SXZEpl84SyLcJRoX3mtj59bX2SAN2VB2BAksTu qCh00IcIUGfyHziu5PwUWYM96gOhDSocP4wSeiQ8TwLzaffllz2qhdI296a9lCIYIeWVytEd NU9jJ3RbzXAgE0pnDauNXDaQv1FS5jYi8rlslJUxKnrS69BFNjM5RqQ16Cm0C4rKL7/a8wHC r4VjcjSCM8Lzv8YOOitJ9Yt4Y8SVfO5s3YvxcdSr56nX0W3B1kGbG1GpqWTzOgXzGF5bIsbV 7SPecwUs9ShvmLmZzDUxIQ68n4zj3lMZn5I+pP+Ew6nAAiuSmKdr5cygnCH/NVJzil07t+X4 uR6oKHBhuMFYF1c6Wxk36m+EZz5ZHFaT4rN0WDIJdAEqRzD0Z56V6ansDF8y+ksh0SHlABEB AAHCwWUEGAEIAA8FAlriroICGwwFCQlmAYAACgkQrbl/X+ubfC50rhAAloTaq/fZC1gtiVtU wOB+00gEkjgmzt+rLkW+l2EySTST7tje57W83UZwzCX746B2O//Bqardxz9R1Vr0VFiwHA8g 3qeBqPqiv1WoQch/iZ5d/1MxK4A9xDag1uyqLR8RuGlZ8lATmcP3IabKiuiBV4MlFZ7V2Ib6 5ToPf28xxSyjMzTjQObIG0e009uHlu2z+iQVshLyoyVVAOWWa88D6iuBDC/EtBRjlpjLAjuR YhWVYX6KHdVUijKMHN2RqjpX5O2wPL7NcMY/wsTq7EteUeI75hxFvargRXkEt1XR8t52LC0u IE2OjpzY5re/ROUbfsqL8trjAOrSJ+Fx5H8AYl9JaoVxohhxDZgNtgNtPbh/8Nnlf9daj/bh lZcTBO98XLQwMnyHGPdyhIodpWPq2C09Ys3TkQsbcdMMB1pqnEK5Vz1zIKkEEX7QVsLdrz7C 2CFsauc/9PHj+4njCHslXtzBOiVu5FXTnbCwPrLJs5iEUkUCb6qtE/2mSCTrAanzOTTOmqiM cnNTI1Tj0ht462S9VypppQnKCv8shGxXG7BadZTv+pNCA/WfB2kk1sS3ZwB0wBWX4p41fxs+ ArM9ew2SzQ/vBrEfO7ljPfZZmBqH4t/vgAZBnOtTxCGlPEIJqiMqtGHRqIqpiR20QfxEUuXI MfMfa9QJpisdNmqoUyc=
Message-ID: <11993b06-5da6-e397-3457-de6ecec87bb4@cis-india.org>
Date: Thu, 12 Jul 2018 03:00:48 +0530
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="Gbpss3sAxMHeB20MlvRrDOH6ylt8kxaGV"
X-Virus-Scanned: by clamav at smarthost1.samage.net
X-Scan-Signature: 028245575ea82c532dbb94a201c00fd0
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/vH6PL5czghj5eLohdZgLysCwElc>
Subject: [Suit] HR Review: Firmware Update Architecture for IoT Devices
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 21:30:58 -0000
Hi, Thanks to the authors and the working group for developing the comprehensive drafts. As part of efforts in the Human Rights Protocol Considerations (HRPC) group, Sandeep and I have reviewed the human rights considerations (RFC 8280) in the three drafts. Following the updates to the drafts on July 2nd, we reached out to some of you. We are aware that some of the concerns we raise may no longer apply since the updates; we are sharing our review hoping to engage you on our other observations (and their solutions) in next week's HRPC sessions at IETF102. Review: A Firmware Update Architecture for Internet of Things Devices ===================================================================== An assessment of human rights considerations in * draft-ietf-suit-architecture-01 * draft-moran-suit-manifest-02 * draft-ietf-suit-information-model-01 Introduction ------------ ‘A Firmware Update Architecture for Internet of Things Devices’ (draft-ietf-suit-architecture-01) proposes an architecture for firmware update mechanism suitable for IoT devices, and lists various requirements associated with the same. [SUIT-ARCH] ‘A CBOR-based Manifest Serialisation Format’ (draft-moran-suit-manifest-02) describes the format of the manifest which contains firmware update metadata for a device. The draft defines components of the manifest and specifies their functions in firmware-update process. [SUIT-MF] ‘Firmware Updates for Internet of Things Devices - An Information Model for Manifests’ (draft-ietf-suit-information-model-01) describes the information in the manifest, a threat model for the architecture, and provides security requirements for the mitigation of these threats. [SUIT-IM] This is a review of the human rights considerations in the three drafts. (See [RFC8280], ‘Research Into Human Rights Protocol Considerations’). Human Rights Considerations --------------------------- # Privacy ([RFC8280], section 6.2.2) Privacy considerations are with regards to maintaining the confidentiality of firmware image and manifest. Both the firmware image and manifest contain information about the device. As mentioned in the older version of the drafts, Class ID and Vendor ID are typically compiled as strings into the firmware image. If an untrusted intermediary storage is assumed, as in [SUIT-ARCH], this device information will be available to all intermediary and snooping parties, which may violate the device operator’s privacy. Additionally, device information can be used by an attacker to design and mount targeted attacks on the device. Concern: The drafts are inconsistent in its recommendation of encryption of firmware images. Section 3.3.13 of [SUIT-IM] says that the information model must enable encrypted payloads to prevent the attackers from reading the content of the firmware images whereas Section 3.3 of [SUIT-ARCH] leaves the choice of encryption to the authors/OEMs. Recommendation: We recommend removing these inconsistencies, and that the drafts mandate the encryption of the firmware image. Accordingly, we recommend the relevant text of section 3.3 of [SUIT-ARCH] be updated. Concern: The manifest also contains information of the device (such as device-manufacturer’s name, model name, and model number) which an end-user operates, but the drafts have not recommended the encryption of the manifest. Recommendation: We recommend that the drafts ([SUIT-ARCH], [SUIT-MF]) recommend encryption of the manifest as well. # Security ([RFC8280], section 6.2.4) Security concerns have been emphasised in the draft [SUIT-IM]; various threats have been covered in the thread model (section 3.1 of [SUIT-IM]) and possible mitigations have been discussed. # Internationalization ([RFC8280], section 6.2.5) and Localization ([RFC8280], section 6.2.12) Concern: For the specific question, “Does your protocol have text strings that have to be understood or entered by humans?” [RFC8280]: An email highlighting the recent updates to the drafts [MF-MAIL] notes that a container in the manifest will have “severable” text meant for humans. However, it is not clear from the draft what this text will contain. Since the update server may choose to send the text to the device (if the device supports it), human readability of these text strings is a concern from a human rights perspective. Recommendation: Support of multiple languages for text meant to be read by humans advances access to information and non-discrimination. OEMs must have the ability to internationalise and localise any text meant to be read by humans. CBOR does support UTF-8; we recommend that the draft make the internationalisation ability explicit for all text meant for humans. # Open standards ([RFC8280], section 6.2.7) Pertaining to the question in [RFC8280], “is your protocol fully documented in such a way that it could be easily implemented, improved, built upon, and/or further developed?”, we found some statements in the drafts that might impede further improvement and development: * The use of the ‘extensions’ field of the manifest, defined in Section 2.1 of [SUIT-MF], has not been defined. * Section 4.18 of [SUIT-IM] says that linked manifests must be installed simultaneously. For clarity, we recommend that the draft specify that each linked manifest must be validated separately. # Reliability ([RFC8280], section 6.2.14) Reliability concerns have been addressed in Section 3.5 and 3.6 of [SUIT-ARCH]. Concern: With regard to the question, “[d]o you have a documented way to announce degradation?” [RFC8280], [SUIT-ARCH] does not provide any mechanism to convey the degradation to either the author or the device operator. Recommendation: We recommend that [SUIT-ARCH] recommend that degradation is made apparent to the operator. Concern: With regard to the question, “[d]o you have measures in place for recovery or partial healing from failure?”, Section 3.6 of [SUIT-ARCH] says that a recovery mechanism is optional. The lack of a recovery mechanism will render the device inoperational in case an update fails; this aspect is especially important in the case of constrained devices where communication about the failure of the update may not always be apparent to the operator. Recommendation: Instead of making the recovery mechanism optional, we suggest that the firmware architecture recommend or mandate the inclusion of a recovery mechanism to ensure high reliability of the devices in case the update fails. # Integrity ([RFC8280], section 6.2.16) Integrity concerns mentioned have been adequately addressed in the Section 3.3 of the [SUIT-IM]. # Authenticity ([RFC8280], section 6.2.17) Authenticity concerns have been adequately addressed in the Section 3.3, in particular, the subsections 3.3.5, 3.3.6 of [SUIT-IM]. # Outcome Transparency ([RFC8280], section 6.2.12) Whenever possible, the fact whether a update has been successful or unsuccessful should be conveyed to the device operator. In case of update failure, an error description should be provided. The status tracker, described in Section 2 of [SUIT-ARCH] as offering device management functionalities and update progress tracking, can serve this function. However, its mechanism is not sufficiently clear in the drafts. The coordination between status tracker and communicator has been mentioned in Section 3.10 of [SUIT-ARCH], but the mechanism has not been elaborated on. # Others After going through the drafts, we found no concerns for Heterogeneity Support ([RFC8280], section 6.2.8) since the architecture makes little or no assumptions about the devices or transport of the firmware image and manifest. Concerns in the following sections are out of scope: Connectivity ([RFC8280], section 6.2.1), Anonymity ([RFC8280], section 6.2.9), Pseudonymity ([RFC8280], section 6.2.10), Decentralization ([RFC 8280], section 6.2.13), Accessibility ([RFC8280], section 6.2.11), Content Agnosticism ([RFC8280], section 6.2.3), and Censorship Resistance ([RFC8280], section 6.2.6). #Additional suggestions Section 3.9 of [SUIT-ARCH] talks about multiple authorizations wherein an unnecessary distinction has been made between critical infrastructure and non-critical infrastructure. Even in non-critical infrastructure, operators would want to the ability to install updates according to their own preferences. In such scenarios, forced installations may violate user’s control of the device. Accordingly, we propose that the device operator SHOULD have the authority to accept or reject firmware updates. References ---------- [RFC8280] ten Oever, N., Cath, C., “Research into Human Rights Protocol Considerations”, RFC 8280, October 2017, <https://www.rfc-editor.org/info/rfc8280>. [SUIT-ARCH] Moran, B., Meriac, M., Tschofenig, H., “A Firmware Update Architecture for Internet of Things Devices”, draft-ietf-suit-architecture-01, June 2018, <https://datatracker.ietf.org/doc/draft-ietf-suit-architecture/>. [SUIT-MF] Moran, B., Meriac, M., Tschofenig, H., “A CBOR-based Manifest Serialisation Format”, draft-moran-suit-manifest-02, January 2018, <https://datatracker.ietf.org/doc/draft-moran-suit-manifest/>. [SUIT-IM] Moran, B., Tschofenig, H., Birkholz, H., Jimenez, J., “Firmware Updates for Internet of Things Devices - An Information Model for Manifests”, draft-ietf-suit-information-model-01, June 2018, <https://datatracker.ietf.org/doc/draft-ietf-suit-information-model/>. [MF-MAIL] Moran, B., “[Suit] [suit]: draft-moran-suit-manifest-02”, IETF Mail Archive, July 2018, <https://mailarchive.ietf.org/arch/msg/suit/rc1gkzf2jhICwcXHSq5JggdGiHo> Thanks to Mallory K., Amelia A., Niels t. and Sunil A. for their inputs. Regards, Gurshabad
- [Suit] HR Review: Firmware Update Architecture fo… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Dave Thaler
- Re: [Suit] HR Review: Firmware Update Architectur… David Brown
- Re: [Suit] HR Review: Firmware Update Architectur… David Brown
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Kvamtrø
- Re: [Suit] HR Review: Firmware Update Architectur… Russ Housley
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Brendan Moran
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover