• The firmware image is authenticated and integrity protected. Attempts to flash a maliciously modified firmware image or an image from an unknown, untrusted source must be prevented. This document uses asymmetric cryptography in examples because it is the preferred approach by many IoT deployments. The use of symmetric credentials is also supported and can be used by very constrained IoT devices.
• The firmware image can be confidentiality protected so that attempts by an adversary to recover the plaintext binary can be mitigated or at least made more difficult. Obtaining the firmware is often one of the first steps to mounting an attack since it gives the adversary valuable insights into the software libraries used, configuration settings, and generic functionality. Even though reverse engineering the binary can be a tedious process, modern reverse engineering frameworks have made this task a lot easier.

• Installing firmware updates in a robust fashion so that the update does not break the device functionality of the environment in which this device operates. This requires proper testing and offering of recovery strategies when a firmware update is unsuccessful.
• Making firmware updates available in a timely fashion considering the complexity of the decision-making process for updating devices, potential recertification requirements, the length of a supply chain an update needs to go through before it reaches the end customer, and the need for user consent to install updates.
• Ensuring an energy-efficient design of a battery-powered IoT device; a firmware update, particularly radio communication and writing the firmware image to flash, is an energy-intensive task for a device.
• Creating incentives for device operators to use a firmware update mechanism and to require its integration from IoT device vendors.
• Ensuring that firmware updates addressing critical flaws can be obtained even after a product is discontinued or a vendor goes out of business.

Firmware Image:

The firmware image, or simply the "image", is a binary that may contain the complete software of a device or a subset of it. The firmware image may consist of multiple images if the device contains more than one microcontroller. Often, it is also a compressed archive that contains code, configuration data, and even the entire file system. The image may consist of a differential update for performance reasons.

The terms "firmware image", "firmware", and "image" are used in this document and are interchangeable. We use the term "application firmware image" to differentiate it from a firmware image that contains the bootloader. An application firmware image, as the name indicates, contains the application program often including all the necessary code to run it (such as protocol stacks and an embedded operating system (OS)).

Manifest:

The manifest contains metadata about the firmware image. The manifest is protected against modification and provides information about the author.

Microcontroller:

A microcontroller unit (MCU) is a compact integrated circuit designed for use in embedded systems. A typical microcontroller includes a processor, memory (RAM and flash), input/output (I/O) ports, and other features connected via some bus on a single chip. The term "system on chip" (SoC) is often used interchangeably with MCU, but MCU tends to imply more limited peripheral functions.

Rich Execution Environment (REE):

An environment that is provided and governed by a typical OS (e.g., Linux, Windows, Android, iOS), potentially in conjunction with other supporting operating systems and hypervisors; it is outside of the Trusted Execution Environment (TEE). This environment and the applications running on it are considered untrusted.

Software:

Similar to firmware but typically dynamically loaded by an OS. Used interchangeably with firmware in this document.

System on Chip (SoC):

An SoC is an integrated circuit that contains all components of a computer, such as the CPU, memory, I/O ports, secondary storage, a bus to connect the components, and other hardware blocks of logic.

Trust Anchor:

A trust anchor, as defined in RFC 6024 [RFC 6024], represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative.

Trust Anchor Store:

A trust anchor store, as defined in [RFC 6024], is a set of one or more trust anchors stored in a device. A device may have more than one trust anchor store, each of which may be used by one or more applications. A trust anchor store must resist modification against unauthorized insertion, deletion, and modification.

Trusted Applications (TAs):

An application component that runs in a TEE.

Trusted Execution Environments (TEEs):

An execution environment that runs alongside of, but is isolated from, an REE. For more information about TEEs, see [TEEP-ARCH].

Author:

The author is the entity that creates the firmware image. There may be multiple authors involved in producing firmware running on an IoT device. Section 5 talks about those IoT device deployment cases.

Device Operator:

The device operator is responsible for the day-to-day operation of a fleet of IoT devices. Customers of IoT devices, as the owners of IoT devices (such as enterprise customers or end users), interact with their IoT devices indirectly through the device operator via the Web or smartphone apps.

Network Operator:

The network operator is responsible for the operation of a network to which IoT devices connect.

Trust Provisioning Authority (TPA):

The TPA distributes trust anchors and authorization policies to devices and various stakeholders. The TPA may also delegate rights to stakeholders. Typically, the original equipment manufacturer (OEM) or original design manufacturer (ODM) will act as a TPA; however, complex supply chains may require a different design. In some cases, the TPA may decide to remain in full control over the firmware update process of their products.

User:

The end user of a device. The user may interact with devices via the Web or smartphone apps, as well as through direct user interfaces.

(IoT) Device:

A device refers to the entire IoT product, which consists of one or many MCUs, sensors, and/or actuators. Many IoT devices sold today contain multiple MCUs; therefore, a single device may need to obtain more than one firmware image and manifest to successfully perform an update.

Status Tracker:

The status tracker has a client and a server component and performs three tasks:

1. It communicates the availability of a new firmware version. This information will flow from the server to the client.
2. It conveys information about the software and hardware characteristics of the device. The information flow is from the client to the server.
3. It can remotely trigger the firmware update process. The information flow is from the server to the client.

For example, a device operator may want to read the installed firmware version number running on the device and information about available flash memory. Once an update has been triggered, the device operator may want to obtain information about the state of the firmware update. If errors occurred, the device operator may want to troubleshoot problems by first obtaining diagnostic information (typically using a device management protocol).

We make no assumptions about where the server-side component is deployed. The deployment of status trackers is flexible: they may be found at cloud-based servers or on-premise servers, or they may be embedded in edge computing devices. A status tracker server component may even be deployed on an IoT device. For example, if the IoT device contains multiple MCUs, then the main MCU may act as a status tracker towards the other MCUs. Such deployment is useful when updates have to be synchronized across MCUs.

The status tracker may be operated by any suitable stakeholder, typically the author, device operator, or network operator.

Firmware Consumer:

The firmware consumer is the recipient of the firmware image and the manifest. It is responsible for parsing and verifying the received manifest and for storing the obtained firmware image. The firmware consumer plays the role of the update component on the IoT device, typically running in the application firmware. It interacts with the firmware server and the status tracker client (locally).

Firmware Server:

The firmware server stores firmware images and manifests and distributes them to IoT devices. Some deployments may require a store-and-forward concept, which requires storing the firmware images and/or manifests on more than one entity before they reach the device. There is typically some interaction between the firmware server and the status tracker, and these two entities are often physically separated on different devices for scalability reasons.

Bootloader:

A bootloader is a piece of software that is executed once a microcontroller has been reset. It is responsible for deciding what code to execute.

• The Internet protocol stack for firmware downloads. Firmware images are often multiple kilobytes, sometimes exceeding one hundred kilobytes, for low-end IoT devices and can even be several megabytes for IoT devices running full-fledged operating systems like Linux. The protocol mechanism for retrieving these images needs to offer features like congestion control, flow control, fragmentation and reassembly, and mechanisms to resume interrupted or corrupted transfers.
• The capability to write the received firmware image to persistent storage (most likely flash memory).
• A manifest parser with code to verify a digital signature or a message authentication code (MAC).
• The ability to unpack, decompress, and/or decrypt the received firmware image.
• A status tracker.

• Client-initiated updates take the form of a status tracker client proactively checking (polling) for updates.
• With server-initiated updates, the server-side component of the status tracker learns about a new firmware version and determines which devices qualify for a firmware update. Once the relevant devices have been selected, the status tracker informs these devices, and the firmware consumers obtain those images and manifests. Server-initiated updates are important because they allow a quick response time. Note that in this mode, the client-side status tracker needs to be reachable by the server-side component. This may require devices to keep reachability information on the server side up to date and the state at NATs and stateful packet filtering firewalls alive.
• Using a hybrid approach, the server side of the status tracker pushes update availability notifications to the client side and requests that the firmware consumer pull the manifest and the firmware image from the firmware server.

                                                      +----------+
                                                      |          |
                                                      |  Author  |
                                                      |          |
                                                      +----------+
                       Firmware + Manifest                 |
              +----------------------------------+         | Firmware +
              |                                  |         | Manifest
              |                               ---+-------  |
              |                           ----   |       --|-
              |                         //+----------+     | \\
             -+--                      // |          |     |   \
        ----/ |  ----                |/   | Firmware |<-+  |    \
      //      |      \\              |    | Server   |  |  |     \
     /        |        \             /    |          |  +  +      \
    /         |         \           /     +----------+   \ /       |
   / +--------+--------+ \         /                      |        |
  /  |        v        |  \       /                       v        |
 |   | +------------+  |   |     |          +----------------+      |
 |   | |  Firmware  |  |   |     |          |     Device     |      |
 |   | |  Consumer  |  |   |     |          |     Management |      |
|    | +------------+  |    |    |          |                |      |
|    | +------------+  |    |    |          |    +--------+  |      |
|    | |  Status    |<-+--------------------+->  |        |  |      |
|    | |  Tracker   |  |    |    |          |    | Status |  |      |
|    | |  Client    |  |    |    |          |    | Tracker|  |     |
 |   | +------------+  |   |     |          |    | Server |  |     |
 |   |    Device       |   |      |         |    +--------+  |     |
 |   +-----------------+   |       \        |                |    /
  \                       /         \       +----------------+   /
   \       Network       /           \                          /
    \     Operator      /             \     Device Operator    /
     \\               //               \\                    //
        ----     ----                     ----           ----
            -----                             -----------

• need to wait for a trigger from the status tracker,
• trigger the update automatically, or
• go through a more complex decision-making process to determine the appropriate timing for an update.

• A firmware verifier must verify the firmware image it boots as part of the secure boot process. Doing so requires metadata to be stored alongside the firmware image so that the firmware verifier can cryptographically verify the firmware image before booting it to ensure it has not been tampered with or replaced. This metadata used by the firmware verifier may well be the same manifest obtained with the firmware image during the update process.
• An IoT device needs a recovery strategy in case the firmware update/invocation process fails. The recovery strategy may include storing two or more application firmware images on the device or offering the ability to invoke a recovery image to perform the firmware update process again using firmware updates over serial, USB, or even wireless connectivity like Bluetooth Smart. In the latter case, the firmware consumer functionality is contained in the recovery image and requires the necessary functionality for executing the firmware update process, including manifest parsing.

• First, the bootloader is also firmware. If a bootloader is updatable, then its firmware image is treated like any other application firmware image.
• Second, the firmware image that has to be replaced is still available on the device as a backup in case the freshly downloaded firmware image does not boot or operate correctly.
• Third, there is the newly downloaded firmware image.

• The bootloader needs to fetch the manifest from nonvolatile storage and parse its contents for subsequent cryptographic verification.
• Cryptographic libraries with hash functions, digital signatures (for asymmetric crypto), and message authentication codes (for symmetric crypto) need to be accessible.
• The device needs to have a trust anchor store to verify the digital signature. Alternatively, access to a key store for use with the message authentication code may be used.
• There must be an ability to expose boot-process-related data to the application firmware (such as the status tracker). This allows information sharing about the current firmware version and the status of the firmware update process and whether errors have occurred.
• Produce boot measurements as part of an attestation solution; see [RATS-ARCH] for more information (optional).
• The bootloader must be able to decrypt firmware images in case confidentiality protection was applied. This requires a solution for key management (optional).

(1):

A device presented with an old but valid manifest and firmwaremust not be tricked into installing such firmware since avulnerability in the old firmware image may allow an attacker togain control of the device.

• Authentication ensures that the device can cryptographically identify the author(s) creating firmware images and manifests. Authenticated identities may be used as input to the authorization process. Not all entities creating and signing manifests have the same permissions. A device needs to determine whether the requested action is indeed covered by the permission of the party that signed the manifest. Informing the device about the permissions of the different parties also happens in an out-of-band fashion and is a duty of the Trust Provisioning Authority.
• Integrity protection ensures that no third party can modify the manifest or the firmware image. To accept an update, a device needs to verify the signature covering the manifest. There may be one or multiple manifests that need to be validated, potentially signed by different parties. The device needs to be in possession of the trust anchors to verify those signatures. Installing trust anchors to devices via the Trust Provisioning Authority happens in an out-of-band fashion prior to the firmware update process.
• Confidentiality protection of the firmware image must be done in such away that no one aside from the intended firmware consumer(s) and other authorized parties can decrypt it. The informationthat is encrypted individually for each device/recipient must be done in a way that is usable with Content Distribution Networks (CDNs), bulk storage, andbroadcast protocols. For confidentiality protection of firmware images, the author needsto be in possession of the certificate/public key or a pre-shared keyof a device. The use of confidentiality protection of firmware imagesis optional.

[LwM2M]

Open Mobile Alliance, "Lightweight Machine to Machine Technical Specification", Version 1.0.2, February 2018,
<http://www.openmobilealliance.org/release/LightweightM2M/V1_0_2-20180209-A/OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf>.

[quantum-factorization]

Department of Chemistry, Physics and Birck Nanotechnology Center, Purdue University, S. Jiang, K.A. Britt, A.J. McCaskey, T.S. Humble, and S. Kais, "Quantum Annealing for Prime Factorization", Scientific Reports 8, December 2018,
<https://www.nature.com/articles/s41598-018-36058-z>.

[RATS-ARCH]

Huawei Technologies, , , , , and , "Remote Attestation Procedures Architecture", Internet-Draft draft-ietf-rats-architecture-12, April 2021,
<https://tools.ietf.org/html/draft-ietf-rats-architecture-12>.

[RFC6024]

R. Reddy, and C. Wallace, "Trust Anchor Management Requirements", RFC 6024, DOI 10.17487/RFC6024, October 2010,
<https://www.rfc-editor.org/info/rfc6024>.

[RFC6763]

S. Cheshire, and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.

[RFC7228]

C. Bormann, M. Ersue, and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014,
<https://www.rfc-editor.org/info/rfc7228>.

[RFC8240]

H. Tschofenig, and S. Farrell, "Report from the Internet of Things Software Update (IoTSU) Workshop 2016", RFC 8240, DOI 10.17487/RFC8240, September 2017,
<https://www.rfc-editor.org/info/rfc8240>.

[RFC8778]

R. Housley, "Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)", RFC 8778, DOI 10.17487/RFC8778, April 2020,
<https://www.rfc-editor.org/info/rfc8778>.

[SUIT-INFO-MODEL]

Fraunhofer SIT, , , and , "A Manifest Information Model for Firmware Updates in IoT Devices", Internet-Draft draft-ietf-suit-information-model-11, April 2021,
<https://tools.ietf.org/html/draft-ietf-suit-information-model-11>.

[SUIT-MANIFEST]

Inria, , , , and , "A Concise Binary Object Representation (CBOR)-based Serialization Format for the Software Updates for Internet of Things (SUIT) Manifest", Internet-Draft draft-ietf-suit-manifest-12, February 2021,
<https://tools.ietf.org/html/draft-ietf-suit-manifest-12>.

[TEEP-ARCH]

Intel, , , , and , "Trusted Execution Environment Provisioning (TEEP) Architecture", Internet-Draft draft-ietf-teep-architecture-14, February 2021,
<https://tools.ietf.org/html/draft-ietf-teep-architecture-14>.

• Geraint Luff
• Amyas Phillips
• Dan Ros
• Thomas Eichinger
• Michael Richardson
• Emmanuel Baccelli
• Ned Smith
• Jim Schaad
• Carsten Bormann
• Cullen Jennings
• Olaf Bergmann
• Suhas Nandakumar
• Phillip Hallam-Baker
• Marti Bolivar
• Andrzej Puzdrowski
• Markus Gueller
• Henk Birkholz
• Jintao Zhu
• Takeshi Takahashi
• Jacob Beningo
• Kathleen Moriarty
• Bob Briscoe
• Roman Danyliw
• Brian Carpenter
• Theresa Enghardt
• Rich Salz
• Mohit Sethi
• Éric Vyncke
• Alvaro Retana
• Barry Leiba
• Benjamin Kaduk
• Martin Duke
• Robert Wilton

Brendan Moran

Hannes Tschofenig

David Brown

Milosch Meriac