Trustworthiness Vectors for the Software Updates of Internet of Things (SUIT) Workflow Model

Introduction Attestation Results are an essential output of Verifiers as defined in the Remote ATtestation procedureS (RATS) architecture . They are consumed by Relying Parties: the entities that intend to build future decisions on trustworthiness assessments of remote peers. Attestation Results must be easily appraised by Relying Parties -- in contrast to the rather complex or domain-specific Evidence appraised by Verifiers. In order to create Attestation Results, a Verifier must consume Evidence generated by a given Attester (amongst other Conceptual Messages, such as Endorsements and Attestation Policies). Both Evidence and Attestation Results are composed of Claims. This document highlights and defines a set of Claims to be used in Evidence and Attestation Results that are based on the SUIT Workflow Model . In the scope of this document, an Attester takes on the role of a SUIT Recipient: the system that receives a SUIT Manifest.

SUIT Workflow Model and Procedures This document focuses on Evidence and Attestation Results that can be generated based on the output of SUIT Procedures. The SUIT Workflow Model allows for two types of SUIT Procedures generating Reports on the Attester as defined in the SUIT Manifest specification :

Update Procedures:: A procedure that updates a device by fetching dependencies, software images, and installing them.
: An Update Procedure creates a Report about mutable software components that are installed or updated on hardware components.
Boot Procedures:: A procedure that boots a device by checking dependencies and images, loading images, and invoking one or more image.
: A Boot Procedure creates a Report on measured boot events (e.g. during Secure Boot).

The Records contained in each type of Report can be used as Claims in Evidence generation on the Attester for Remote Attestation Procedures as described in this document. Analogously, a corresponding Verifier appraising that Evidence can generate Attestation Results using the Claims defined in this document. Both types of SUIT Procedures pass several stages (e.g. dependency-checking is one stage). The type and sequence of stages are defined by the Command Sequences included in a SUIT Manifest. For each stage in which a Command from the Command Sequence is executed a Record is created. All Records of a SUIT procedure contain binary results limited to "fail" or "pass". The aggregated sequence of all Records is composed into a Report. This document specifies new Claims derived from Command Sequence Reports and relates them to Claims defined in Attestation Results for Secure Interactions -- if applicable to the operational state of installed and updated software. The Claims defined in this document are in support of the Trusted Execution Environment Provisioning (TEEP) architecture. During TEEP, the current operational state of an Attester is assessed via RATS. If the corresponding Attestation Results -- as covered in this document -- indicate insufficient Trustworthiness Tiers in a Trustworthiness Vector with respect to installed software, the SUIT Workflow Model is used for remediation.

Terminology This document uses the terms and concepts defined in , , and . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Trustworthiness Vectors While there are usage scenarios where Attestation Results can be binary decisions, more often than not the assessment of trustworthiness is represented by a more fine-grained spectrum or based on multiple factors. These shades of Attestation Results are captured by the definition of Trustworthiness Vectors in Attestation Results for Secure Interaction . Trustworthiness Vectors are sets of Trustworthiness Claims representing appraisal outputs produced by a Verifier (Attestation Results). Each of these Trustworthiness Claims has a Trustworthiness Tier ranging from Affirmed to None. An Attester processing SUIT Manifests can manages three types of information about it's Target Environments:

installed manifests including initial state (e.g. factory default),
hardware component identifiers that represent identifiable targets of updates, and
SUIT Interpreter results (e.g. test-failed) generated during updates.

Every SUIT Manifest maps to a certain intended state of a device. Every intended device composition of software components associated with hardware components can therefore be expressed based on a SUIT Manifest. The current operational state of a device can be represented in the same form, including the initial state. As a result, the Claims defined in this document are bundled by the scope of the information represented in SUIT Manifests, i.e., dedicated blobs of software that are the payload of a SUIT Manifest. All Claims associated with an identifiable SUIT Manifest MUST always be bundled together in a Claims set that is limited to the Claims defined in this document.

SUIT Claims The Claim description in this document uses CDDL as the formal modeling language for Claims. This approach is aligned with . All Claims are based on information elements as used in the SUIT Manifest specification . For instance, a SUIT Class ID is represented as an UUID. Analogously, the corresponding class-identifier Claim found below is based on a UUID. SUIT Claims are differentiated in:

software and hardware characteristics (System Properties), and
reports about updates and their SUIT Commands (SUIT Records).
success/failure reports

Each type of Claims is always bundled in a dedicated Claim Set. Implementations can encode this information in various different ways (data models), e.g., sets, sequences, or nested structures. The SUIT Report is defined in . It is used verbatim in this draft. The following subsections define the SUIT Report Claims for RATS.

System Properties Claims System Properties Claims are composed of:

Hardware Component Claims and
Software Component Claims.

Correspondingly, the Claim definitions below highlight if a Claim is generic or hw/sw-component specific.

vendor-identifier A RFC 4122 UUID representing the vendor of the Attester or one of its hardware and/or software components. $$system-property-claim //= (vendor-identifier => (RFC4122_UUID / cbor-pen)) cbor-pen = #6.112(bstr)

class-identifier A RFC 4122 UUID representing the class of the Attester or one of its hardware and/or software components. $$system-property-claim //= ( class-identifier => RFC4122_UUID )

device-identifier A RFC 4122 UUID representing the Attester. $$system-property-claim //= ( device-identifier => RFC4122_UUID )

image-digest A fingerprint computed over a software component image on the Attester. This Claim is always bundled with a component-identifier or component-index. $$system-property-claim //= ( image-digest => digest )

image-size The size of a firmware image on the Attester. $$system-property-claim //= ( image-size => size )

version The Version of a hardware or software component of the Attester. $$system-property-claim //= ( version => version-value )

Interpreter Record Claims This class of Claims represents the content of SUIT Records generated by Interpreters running on Recipients. They are always bundled into Claim Sets representing SUIT Reports and are intended to be included in Evidence generated by an Attester. The Interpreter Record Claims appraised by a Verifier can steer a corresponding a Firmware Appraisal procedures that consumes this Evidence. Analogously, these Claims can be re-used in generated Attestation Results as Trustworthiness Vectors .

record-success The result of a Command that was executed by the Interpreter on an Attester. $$interpreter-record-claim //= ( record-success => bool )

component-index A positive integer representing an entry in a flat list of indices mapped to software component identifiers to be updated. $$system-property-claim //= ( component-index => uint )

dependency-index A thumbprint of a software component that an update depends on. $$interpreter-record-claim //= ( dependency-index => digest )

command-index A positive integer representing an entry in a SUIT_Command_Sequence identifying a Command encoded as a SUIT Manifest Directive or SUIT Manifest Condition. $$interpreter-record-claim //= ( command-index => uint )

nominal-parameters A list of SUIT_Parameters associated with a specific Command that was executed by the Interpreter on an Attester. $$interpreter-record-claim //= ( actual-parameters => parameter-list )

Generic Record Conditions (TBD)

test-failed
unsupported-command
unsupported-parameter
unsupported-component-id
payload-unavailable
dependency-unavailable
critical-application-failure
watchdog-timeout

List of Commands (TBD)

Check Vendor Identifier
Check Class Identifier
Verify Image
Set Component Index
Override Parameters
Set Dependency Index
Set Parameters
Process Dependency
Run
Fetch
Use Before
Check Component Offset
Check Device Identifier
Check Image Not Match
Check Minimum Battery
Check Update Authorized
Check Version
Abort
Try Each
Copy
Swap
Wait For Event
Run Sequence
Run with Arguments