Secure Reporting of Update Status

Secure Reporting of Update Status Arm Limited

brendan.moran.ietf@gmail.com

Fraunhofer SIT

henk.birkholz@sit.fraunhofer.de

Security SUIT Internet-Draft The Software Update for the Internet of Things (SUIT) manifest provides a way for many different update and boot workflows to be described by a common format. However, this does not provide a feedback mechanism for developers in the event that an update or boot fails. This specification describes a lightweight feedback mechanism that allows a developer in possession of a manifest to reconstruct the decisions made and actions performed by a manifest processor.

Introduction A SUIT manifest processor can fail to install or boot an update for many reasons. Frequently, the error codes generated by such systems fail to provide developers with enough information to find root causes and produce corrective actions, resulting in extra effort to reproduce failures. Logging the results of each SUIT command can simplify this process. While it is possible to report the results of SUIT commands through existing logging or attestation mechanisms, this comes with several drawbacks: data inflation, particularly when designed for text-based logging missing information elements missing support for multiple components The CBOR objects defined in this document allow devices to: report a trace of how an update was performed report expected vs. actual values for critical checks describe the installation of complex multi-component architectures describe the measured properties of a system report the exact reason for a parsing failure This document provides a definition of a SUIT-specific logging container that may be used in a variety of scenarios.

Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Terms used in this specification include: Boot: initialization of an executable image. Although this specification refers to boot, any boot-specific operations described are equally applicable to starting an executable in an OS context.

The SUIT Record If the developer can be assumed to have a copy of the manifest, then they need little information to reconstruct what the manifest processor has done. They simply need any data that influences the control flow of the manifest. The manifest only supports the following control flow primitives: Set Component Set/Override Parameters Try-Each Run Sequence Conditions Of these, only conditions change the behavior of the processor from the default, and then only when the condition fails. Then, to reconstruct the flow of a manifest, all a developer needs is a list of metadata about failed conditions: the current manifest the current section the offset into the current section the current component index the "reason" for failure Most conditions compare a parameter to an actual value, so the "reason" is typically simply the actual value. Since it is possible that a non-condition command (directive) may fail in an exceptional circumstance, this must be included as well. However, a failed directive will terminate processing of the manifest. To accommodate for a failed command and for explicit "completion," an additional "result" element is added as well. In the case of a command failure, the failure reason is typically a numeric error code. However, these error codes need to be standardised in order to be useful. Reconstructing what a device has done in this way is compact, however it requires some reconstruction effort. This is an issue that can be solved by tooling.

suit-record-manifest-id is used to identify which manifest contains the command that caused the record to be generated. The manifest id is a list of integers that form a walk of the manifest tree, starting at the root. An empty list indicates that the command was contained in the root manifest. If the list is not empty, the command was contained in one of the root manifest's dependencies, or nested even further below that. For example, suppose that the root manifest has 3 dependencies and each of those dependencies has 2 dependencies of its own: Root Dependency A Dependency A0 Dependency A1 Dependency B Dependency B0 Dependency B1 Dependency C Dependency C0 Dependency C1 A manifest-id of [1,0] would indicate that the current command was contained within Dependency B0. Similarly, a manifest-id of [2,1] would indicate Dependency C1 suit-record-manifest-section indicates which section of the manifest was active. This is used in addition to an offset so that the developer can index into severable sections in a predictable way. The value of this element is the value of the key that identified the section in the manifest. suit-record-section-offset is the number of bytes into the current section at which the current command is located. suit-record-component-index is the index of the component that was specified at the time that the report was generated. This field is necessary due to the availability of set-current-component values of True and a list of components. Both of these values cause the manifest processor to loop over commands using a series of component-ids, so the developer needs to know which was selected when the command executed. suit-record-properties contains any measured properties that led to the command failure. For example, this could be the actual value of a SUIT_Digest or class identifier. This is encoded in a SUIT_Parameters block as defined in .

The SUIT_Report Some metadata is common to all records, such as the root manifest: the manifest that is the entry-point for the manifest processor. This metadata is aggregated with a list of SUIT_Records. The SUIT_Report may also contain a list of any system properties that were measured and reported, and a reason for a failure if one occured. CDDL ~~~ SUIT_Report = { suit-reference => SUIT_Reference, ? suit-report-nonce => bstr, suit-report-records => [ * SUIT_Record / system-property-claims ], suit-report-result => true / { suit-report-result-code => int, suit-report-result-record => SUIT_Record, suit-report-result-reason => SUIT_Report_Reasons, }, ? suit-report-capability-report => SUIT_Capability_Report, $$SUIT_Report_Extensions } system-property-claims = { system-component-id => SUIT_Component_Identifier, + SUIT_Parameters, } ~~~ The suit-reference provides a reference URI and digest for a suit manifest. The uri SHOULD be the canonical URI that is provided in the manifest. The digest is the digest of the manifest. NOTE: The digest is used in preference to other identifiers in the manifest because it allows a manifest to be uniquely identified (collision resistance) whereas other identifiers, such as the sequence number, can collide, particularly in scenarios with multiple trusted signers. The following CDDL describes a SUIT_Reference.

suit-report-manifest-digest provides a SUIT_Digest (as defined in ) that is the characteristic digest of the Root manifest. suit-report-manifest-uri provides the reference URI that was provided in the root manifest. suit-report-nonce provides a container for freshness or replay protection information. This field MAY be omitted where the suit-report is authenticated within a container that provides freshness already. For example, attestation evidence typically contains a proof of freshness.

SUIT Record suit-report-records is a list of 0 or more SUIT Records or system-property-claims. Because SUIT Records are only generated on failure, in simple cases this can be an empty list. SUIT_Records and suit-system-property-claims are merged into a single list because this reduces the overhead for a constrained node that generates this report. The use of a single append-only log allows report generators to use simple memory management. Because the system-property-claims are encoded as maps and SUIT_Records are encoded as lists, a recipient need only filter the CBOR Type-5 entries from suit-report-records to obtain all system-property-claims. System properties can be extracted from suit-report-records by filtering suit-report-records for maps. System Properties are a list of measured or asserted properties of the system that creates the SUIT_Report. These properties are scoped by component identifier. Because this list is expected to be constructed on the fly by a constrained node, component identifiers may appear more than once. A recipient may convert the result to a more conventional structure:

{ + SUIT_Parameters, } } ]]>

SUIT Report Result suit-report-result provides a mechanism to show that the SUIT procedure completed successfully (value is true) or why it failed (value is a map of an error code and a SUIT_Record). suit-report-result-reason gives a high-level explanation of the failure. These reasons are intended for interoperable implementations. The reasons are divided into a small number of groups: suit-report-reason-cbor-parse: a parsing error was encountered by the CBOR parser. suit-report-reason-cose-unsupported: an unusupported COSE structure or header was encountered. suit-report-reason-alg-unsupported: an unsupported COSE algorithm was encountered. suit-report-reason-unauthorised: Signature/MAC verification failed. suit-report-reason-command-unsupported: an unsupported command was encountered. suit-report-reason-component-unsupported: The manifest declared a component/prefix that does not exist. suit-report-reason-component-unauthorised: The manifest declared a component that is not accessible by the signer. suit-report-reason-parameter-unsupported: The manifest used a parameter that does not exist. suit-report-severing-unsupported: The manifest uses severable fields but the Manifest Processor doesn't support them. suit-report-reason-condition-failed: A condition failed with soft- failure off. suit-report-reason-operation-failed: A command failed (e.g., download/copy/swap/write) The suit-report-result-code reports an internal error code that is provided for debugging reasons. This code is not intended for interoperability. The suit-report-result-record indicates the exact point in the manifest or manifest dependency tree where the error occured. suit-report-capability-report provides a mechanism to report the capabilities of the Manifest Processor. The SUIT_Capability_Report is described in . The capability report is optional to include in the SUIT_Report, according to an application-specific policy. While the SUIT_Capability_Report is not expected to be very large, applications should ensure that they only report capabilities when necessary in order to conserve bandwidth. A capability report is not necessary except when: A client explicitly requests the capability report, or A manifest attempts to use a capability that the Manifest Processor does not implement.

Attestation This document describes how a well-informed verifier can infer the trustworthiness of a remote device. Remote attestation is done by using the SUIT_Manifest_Envelope along with the SUIT_Report to reconstruct the state of the device at boot time. By embedding data used for remote attestation in the SUIT_Report, a remote device can use an append-only log to collect both measurements and debug/failure information into the same document. This document can then be conveyed to a verifier as a part of the attestation evidence. A remote attestation format to convey attestation evidence, such as an Entity Attestation Token (EAT, see ), that contains a SUIT_Report MUST also include an integrity measurement of the Manifest Processor & Report Generator. When a Concise Reference Integrity Manifest (CoRIM, see is delivered in a SUIT_Manifest_Envelope, this codifies the delivery of verification information to the verifier: The Firmware Distributor: sends the SUIT_Manifest_Envelope to the Verifier without payload or text, but with CoRIM sends the SUIT_Manifest_Envelope to the recipient without CoRIM, or text, but with payload The Recipient: Installs the firmware as described in the SUIT_Manifest and generates a SUIT_report, which is encapsulated in an EAT by the installer and sent to the Firmware Distributor. Boots the firmware as described in the SUIT_Manifest and creates a SUIT_report, which is encapsulated in an EAT by the installer and sent to the Firmware Distributor. The Firmware Distributor sends both reports to the verifier (separately or together) The Verifier: Reconstructs the state of the device using the manifest Compares this state to the CoRIM Returns an Attestation Report to the Firmware Distributor This approach simplifies the design of the bootloader since it is able to use an append-only log. It allows a verifier to validate this report against a signed CoRIM that is provided by the firmware author, which simplifies the delivery chain of verification information to the verifier. This information is not intended as Attestation Evidence and while an Attestation Report MAY provide this information for conveying error codes and/or failure reports, it SHOULD be translated into general-purpose claims for use by the Relying Party.

Capability Reporting Because SUIT is extensible, a manifest author must know what capabilities a device has available. To enable this, a capability report is a set of lists that define which commands, parameters, algorithms, and component IDs are supported by a manifest processor. The CDDL for a SUIT_Capability_Report follows:

[+ SUIT_Component_Capability ] suit-command-capabilities => [+ int], suit-parameters-capabilities => [+ int], suit-crypt-algo-capabilities => [+ int], ? suit-envelope-capabilities => [+ int], ? suit-manifest-capabilities => [+ int], ? suit-common-capabilities => [+ int], ? suit-text-capabilities => [+ int], ? suit-text-component-capabilities => [+ int], ? suit-dependency-capabilities => [+ int], * [+int] => [+ int], $$SUIT_Capability_Report_Extensions } SUIT_Component_Capability = [*bstr,?true] ]]> A SUIT_Component_Capability is similar to a SUIT_Component_ID, with one difference: it may optionally be terminated by a CBOR 'true' which acts as a wild-card match for any component with a prefix matching the SUIT_Component_Capability leading up to the 'true.' This feature is for use with filesystem storage, key value stores, or any other arbitrary-component-id storage systems. When reporting capabilities, it is OPTIONAL to report capabilities that are declared mandatory by the SUIT Manifest . Capabilities defined by extensions MUST be reported. Additional capability reporting can be added as follows: if a manifest element does not exist in this map, it can be added by specifying the CBOR path to the manifest element in an array and using this as the key. For example SUIT_Dependencies, as described in could have an extension added, which was key 3 in the SUIT_Dependencies map. This capability would be reported as: [3, 3, 1] => [3], where the key consists of the key for SUIT_Manifest (3), the key for SUIT_Common (3), and the key for SUIT_Dependencies (1). Then the value indicates that this manifest processor supports the extension (3).

EAT Claim The SUIT_Report is a form of measurement done by the SUIT Manifest Processor as it attempts to invoke a manifest or install a manifest. As a result, the SUIT_Report can be captured in an EAT measurements type. The Verifier MAY convert a SUIT_Report into a more consumable version of the EAT claim by, for example, constructing a measres claim that contains the digest of a component, the vendor ID & class ID of a component, etc.

SUIT_Report container The SUIT_Report MUST be carried in a container or transport that ensures authenticity. The SUIT_Report MUST be transported using one of the following options: As an element of an existing document that ensures authenticity, such as in a measurements claim in an EAT. As the payload of a message delivered over secure transport, such as a CoAP or LwM2M message. Contained within a secure container that conforms to the current recommendations of . In this case, the SUIT_Report is carried as sole payload of a COSE_Encrypt0 or COSE_Sign1 as shown in the CDDL snippet below.

SUIT_COSE_Profiles define only AES-CTR encryption due to its suitability for firmware distribution. Because AES-CTR is not authenticated, SUIT_Report_Protected defines authenticated containers with an encrypted payload.

IANA Considerations IANA is requested to allocate a CBOR tag and a coap content-type each for the SUIT_Report, SUIT_Reference, and SUIT_Capability_Report CBOR data structures. IANA is also requested to add the following registries to the SUIT category: SUIT Report Elements SUIT Record Elements SUIT Report Reasons SUIT Capability Report Elements

SUIT Report Elements IANA is requested to create a new registry for SUIT Report Elements. Label Name Reference 2 Nonce 3 Records 4 Result 5 Result Code 6 Result Record 7 Result Reason 8 Capability Report 99 Reference

SUIT Record Elements IANA is requested to create a new registry for SUIT Record Elements. Label Name Reference 0 Manifest ID 1 Manifest Section 2 Section Offset 3 Component Index 4 Dependency Index 5 Record Properties

SUIT Report Reasons IANA is requested to create a new registry for SUIT Report Reasons. Label Name Reference 0 Result OK 1 CBOR Parse Failure 2 Unsupported COSE Structure or Header 3 Unsupported COSE Algorithm 4 Signature / MAC verification failed 5 Unsupported SUIT Command 6 Unsupported SUIT Component 7 Unauthorized SUIT Component 8 Unsupported SUIT Parameter 9 Severing Unsupported 10 Condition Failed 11 Operation Failed

SUIT Capability Report Elements IANA is requested to create a new registry for SUIT Capability Report Elements. Label Name Reference 1 Components 2 Commands 3 Parameters 4 Cryptographic Algorithms 5 Envelope Elements 6 Manifest Elements 7 Common Elements 8 Text Elements 9 Component Text Elements

Security Considerations There are two aspects to the security considerations for SUIT reports: authenticity and confidentiality. SUIT reports must have guaranteed authenticity for them to be useful. Several options are available to ensure the authenticity of a SUIT report. The report MAY be bundled as the payload of a cryptographic container as described in . communicated over a secure transport. It may also be communicated as part of an existing authenticated protocol, such as within an EAT token. Ideally, the SUIT_Report SHOULD be communicated as part of an attestation flow, such as within an EAT token, since this proves the authenticity of the environment (hardware, software, or both) in which the SUIT_Report was generated. The SUIT_Report MAY require confidentiality as well. A SUIT_Report could potentially reveal confidential information about the kinds of device that a particular user has. It could also reveal confidential information about intellectual property contained in a device. Where these concerns are relevant, the SUIT_Report MUST be encrypted, for example using a COSE_Encrypt as described in , or by using secure transport. When reporting failures, particularly in the cryptographic primitives, there is a risk that over-reporting can provide an attacker with better visibility. Therefore, SUIT_Reports SHOULD be encrypted wherever possible. There are also operational considerations that intersect with these security considerations. In situations where the SUIT report is encrypted as an element of a message within another protocol, care must be taken to ensure that this does not leak information and that the principle of least privilege is respected. For example, in an EAT-based attestation workflow, the Verifier often will not need the full SUIT Report. Similarly, the Relying Party may also not need the SUIT_Report. In this case, the SUIT_Report MUST be encrypted even if the EAT token that contains it is also encrypted. In contrast, however, there are scenarios where the EAT Verifier consumes the SUIT report and translates it into one or more other EAT claims. For example, a SUIT report that shows a particular digest was matched using an suit-condition-image can be translated into a EAT measres (Measurement Results) claim. In this scenario, the Verifier must have access to the full SUIT_Report.

Acknowledgements The authors would like to thank Dave Thaler for his feedback.

A Concise Binary Object Representation (CBOR)-based Serialization Format for the Software Updates for Internet of Things (SUIT) Manifest Arm Limited Fraunhofer SIT Inria Nordic Semiconductor This specification describes the format of a manifest. A manifest is a bundle of metadata about code/data obtained by a recipient (chiefly the firmware for an Internet of Things (IoT) device), where to find the code/data, the devices to which it applies, and cryptographic information protecting the manifest. Software updates and Trusted Invocation both tend to use sequences of common operations, so the manifest encodes those sequences of operations, rather than declaring the metadata. CBOR Object Signing and Encryption (COSE): Structures and Process Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Mandatory-to-Implement Algorithms for Authors and Recipients of Software Update for the Internet of Things manifests Arm Limited Nordic Semiconductor ALAXALA Networks Corp. This document specifies algorithm profiles for SUIT manifest parsers and authors to ensure better interoperability. These profiles apply specifically to a constrained node software update use case. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Entity Attestation Token (EAT) Security Theory LLC Mediatek USA Qualcomm Technologies Inc. Red Hound Software, Inc. An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine the type and degree of trust placed in the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. Concise Reference Integrity Manifest Fraunhofer SIT arm arm Intel Huawei Technologies Remote Attestation Procedures (RATS) enable Relying Parties to assess the trustworthiness of a remote Attester and therefore to decide whether to engage in secure interactions with it. Evidence about trustworthiness can be rather complex and it is deemed unrealistic that every Relying Party is capable of the appraisal of Evidence. Therefore that burden is typically offloaded to a Verifier. In order to conduct Evidence appraisal, a Verifier requires not only fresh Evidence from an Attester, but also trusted Endorsements and Reference Values from Endorsers and Reference Value Providers, such as manufacturers, distributors, or device owners. This document specifies Concise Reference Integrity Manifests (CoRIM) that represent Endorsements and Reference Values in CBOR format. Composite devices or systems are represented by a collection of Concise Module Identifiers (CoMID) and Concise Software Identifiers (CoSWID) bundled in a CoRIM document. SUIT Manifest Extensions for Multiple Trust Domains Arm Limited SECOM CO., LTD. This specification describes extensions to the SUIT Manifest format for use in deployments with multiple trust domains. A device has more than one trust domain when it enables delegation of different rights to mutually distrusting entities for use for different purposes or Components in the context of firmware or software update.

Full CDDL In order to create a valid SUIT Report document the structure of the corresponding CBOR message MUST adhere to the following CDDL data definition. To be valid, the following CDDL MUST have the COSE CDDL appended to it. The COSE CDDL can be obtained by following the directions in . It must also have the CDDL from appended to it.

any}, payload : bstr .cbor SUIT_Report_Unprotected, signature : bstr ] SUIT_Report_COSE_MAC0_Tagged = #6.17(SUIT_Report_COSE_MAC0) SUIT_Report_COSE_MAC0 = [ protected : bstr, unprotected : {* int => any}, payload : bstr .cbor SUIT_Report_Unprotected, tag : bstr ] SUIT_Report_Unprotected = SUIT_Report / SUIT_Report_COSE_Encrypt0 SUIT_Report_COSE_Encrypt0 = COSE_Encrypt0 SUIT_Report = { suit-reference => SUIT_Reference, ? suit-report-nonce => bstr, suit-report-records => [ * SUIT_Record / system-property-claims ], suit-report-result => true / { suit-report-result-code => int, suit-report-result-record => SUIT_Record, suit-report-result-reason => SUIT_Report_Reasons, }, ? suit-report-capability-report => SUIT_Capability_Report, $$SUIT_Report_Extensions } SUIT_Reference = [ suit-report-manifest-uri : tstr, suit-report-manifest-digest : SUIT_Digest ] SUIT_Record = [ suit-record-manifest-id : [* uint ], suit-record-manifest-section : int, suit-record-section-offset : uint, suit-record-component-index : uint, suit-record-properties : {*$$SUIT_Parameters}, $$SUIT_Record_Extensions ] system-property-claims = { system-component-id => SUIT_Component_Identifier, + $$SUIT_Parameters, } SUIT_Capability_Report = { suit-component-capabilities => [+ SUIT_Component_Capability ] suit-command-capabilities => [+ int], suit-parameters-capabilities => [+ int], suit-crypt-algo-capabilities => [+ int], ? suit-envelope-capabilities => [+ int], ? suit-manifest-capabilities => [+ int], ? suit-common-capabilities => [+ int], ? suit-text-capabilities => [+ int], ? suit-text-component-capabilities => [+ int], ? suit-dependency-capabilities => [+ int], * [+int] => [+ int], $$SUIT_Capability_Report_Extensions } SUIT_Component_Capability = [*bstr,?true] suit-report-nonce = 2 suit-report-records = 3 suit-report-result = 4 suit-report-result-code = 5 suit-report-result-record = 6 suit-report-result-reason = 7 suit-report-capability-report = 8 suit-reference = 99 suit-system-properties = 13 system-component-id = 0 suit-record-manifest-id = 0 suit-record-manifest-section = 1 suit-record-section-offset = 2 suit-record-component-index = 3 suit-record-dependency-index = 4 suit-record-properties = 5 SUIT_Report_Reasons /= suit-report-reason-ok SUIT_Report_Reasons /= suit-report-reason-cbor-parse SUIT_Report_Reasons /= suit-report-reason-cose-unsupported SUIT_Report_Reasons /= suit-report-reason-alg-unsupported SUIT_Report_Reasons /= suit-report-reason-unauthorised SUIT_Report_Reasons /= suit-report-reason-command-unsupported SUIT_Report_Reasons /= suit-report-reason-component-unsupported SUIT_Report_Reasons /= suit-report-reason-component-unauthorised SUIT_Report_Reasons /= suit-report-reason-parameter-unsupported SUIT_Report_Reasons /= suit-report-severing-unsupported SUIT_Report_Reasons /= suit-report-reason-condition-failed SUIT_Report_Reasons /= suit-report-reason-operation-failed suit-report-reason-ok = 0 suit-report-reason-cbor-parse = 1 suit-report-reason-cose-unsupported = 2 suit-report-reason-alg-unsupported = 3 suit-report-reason-unauthorised = 4 suit-report-reason-command-unsupported = 5 suit-report-reason-component-unsupported = 6 suit-report-reason-component-unauthorised = 7 suit-report-reason-parameter-unsupported = 8 suit-report-severing-unsupported = 9 suit-report-reason-condition-failed = 10 suit-report-reason-operation-failed = 11 suit-component-capabilities = 1 suit-command-capabilities = 2 suit-parameters-capabilities = 3 suit-crypt-algo-capabilities = 4 suit-envelope-capabilities = 5 suit-manifest-capabilities = 6 suit-common-capabilities = 7 suit-text-capabilities = 8 suit-text-component-capabilities = 9 suit-dependency-capabilities = 10 ]]>