A Firmware Update Architecture for Internet of Things Devices
A Firmware Update Architecture for Internet of Things Devices draft-ietf-suit-architecture-01

Changes between -00* and -01
- New terminology for entities
- Updated operating modes
- Device Firmware Update Examples
- Added David Brown as co-author
- Many editorial changes
- New figures
*: draft-ietf-suit-architecture-00 was discussed at the virtual interim meeting

Entities

Author & Device
Author: The author is the entity that creates the firmware image and a manifest. There can be multiple authors in a system (e.g. firmware consisting of multiple software components, or a device running multiple MCUs). There are also other parties that can create a manifest even though they do not create new firmware.
Device: Definition updated to point out that the device may need multiple firmware images.

Communicator
The communicator component of the device interacts with the firmware update server. It receives firmware images and triggers an update, if needed. The communicator either polls a firmware update server for the most recent manifest/firmware, or manifests/firmware images are pushed to it. Note that the firmware update process may involve multiple stages, since one or multiple manifests may need to be downloaded before the communicator can fetch one or multiple firmware images/software components.

Status Tracker
The status tracker offers device management functionality that includes keeping track of the firmware update process. (It typically knows what firmware/software is run on the devices.) This includes fine-grained monitoring of changes at the device, for example, what state of the firmware update cycle the device is currently in.

Firmware Server
Entity that stores firmware images and manifests. Some deployments may require storage of the firmware images/manifests on more than one entity before they reach the device.

Device & Network Operator
Device Operator: The actor responsible for the day-to-day operation of a fleet of IoT devices.
Network Operator: The actor responsible for the operation of a network to which IoT devices connect.
Both may also create manifests (for already existing firmware).
In https://www.ietf.org/mail-archive/web/suit/current/msg00587.html Frank suggests also introducing the OEM Operator:
OEM Operator: Actor responsible for the day-to-day operation of OEM units in IoT devices connected to an IoT network.

Trust Provisioning Authority (TPA)
The TPA distributes trust anchors and authorization permissions to various entities in the system. The TPA may also delegate rights to install, update, enhance, or delete trust anchors and authorization permissions to other parties in the system. This infrastructure overlaps the communication architecture, and different deployments may empower certain entities while other deployments may not.

Operating Modes

Operating modes
Client-initiated Update: Client-initiated updates take the form of a communicator on a device proactively checking for new firmware images provided by firmware servers.
Server-initiated Update: The status tracker determines what devices qualify for a firmware update. Once those devices have been selected, the firmware server, in cooperation with the status tracker, distributes updates to those devices.
Hybrid Update: The status tracker pushes notifications of availability of an update to the device, and the communicator then downloads the image from the firmware server when it wants.

Communication Architecture

Communication Architecture (figure): the Author delivers firmware and manifests to the Firmware Server; the Device's Communicator receives firmware and manifests from the Firmware Server; the Device exchanges device management traffic with the Status Tracker; the Device Operator and Network Operator domains span these components.

Device Firmware Update Examples

Single CPU SoC
The simplest, and currently most common, architecture consists of a single MCU along with its own peripherals. These SoCs generally contain some amount of flash memory for code and fixed data, as well as RAM for working storage. These systems either have a single firmware image, or an immutable bootloader that runs a single image. A notable characteristic of these SoCs is that the primary code is generally executed in place (XIP). Combined with the non-relocatable nature of the code, firmware updates need to be done in place.

Single CPU with Secure - Normal Mode Partitioning
Another configuration consists of a similar architecture to the previous, with a single CPU. However, this CPU supports a security partitioning scheme that allows memory (in addition to other things) to be divided into secure and normal mode. There will generally be two images, one for secure mode, and one for normal mode. In this configuration, firmware upgrades will generally be done by the CPU in secure mode, which is able to write to both areas of the flash device. In addition, there are requirements to be able to update either image independently, as well as to update them together atomically, as specified in the associated manifests.

Dual CPU, shared memory
This configuration has two or more CPUs in a single SoC that share memory (flash and RAM). Generally, there will be a protection mechanism to prevent one CPU from accessing the other's memory. Upgrades in this case will typically be done by one of the CPUs, and the situation is similar to the single CPU with secure mode.

Dual CPU, other bus
This configuration has two or more CPUs, each having its own memory. There will be a communication channel between them, but it will be used as a peripheral, not via shared memory. In this case, each CPU will have to be responsible for its own firmware upgrade. It is likely that one of the CPUs will be considered a master, and will direct the other CPU to do the upgrade. This configuration is commonly used to offload specific work to other CPUs. Firmware dependencies are similar to the other solutions above, sometimes allowing only one image to be upgraded, other times requiring several to be upgraded atomically. Because the updates are happening on multiple CPUs, upgrading the two images atomically is challenging.
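The multi-image cases above (secure/normal partitioning and the dual-CPU configurations) together with the client-initiated operating mode, as an added example that is not code from the draft or its authors: a Python simulation of the communicator side of an update, where a manifest names one or more images, each fetched image is checked against the manifest digest, a version that is not newer is refused as a rollback, and the manifest decides whether its images are installed independently or together atomically. The manifest layout, the image bytes and the URIs are constructed sample data of my own, and an HMAC with a constructed pre-shared key stands in for the signature over the manifest that the architecture expects to be verified against a trust anchor provisioned by the TPA.

```python
"""Simulated multi-image firmware update on a device: an added example, not
code from the SUIT draft. Models the communicator-side checks the draft
describes: manifest authentication, per-image digest verification, refusal
of version rollback, and independent versus atomic (all-or-nothing) install.
Manifest layout and HMAC authentication are constructed stand-ins."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed key standing in for the trust anchor the TPA would provision.
TRUST_ANCHOR_KEY = b"constructed-author-key-for-demo"

class UpdateError(Exception):
    pass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def author_sign(manifest: dict) -> dict:
    """Author side: authenticate the canonical manifest body (HMAC stands in for a signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"body": manifest, "mac": hmac.new(TRUST_ANCHOR_KEY, body, "sha256").hexdigest()}

def verify_manifest(signed: dict) -> dict:
    """Device side: reject a manifest that does not verify against the trust anchor."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(TRUST_ANCHOR_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise UpdateError("manifest authentication failed")
    return signed["body"]

@dataclass
class Device:
    """Installed images keyed by component name: {name: (version, image_bytes)}."""
    slots: dict = field(default_factory=dict)

    def _stage(self, comp: dict, firmware_server: dict) -> tuple:
        # Fetch and verify one image without touching the installed slot.
        name = comp["name"]
        if comp["version"] <= self.slots[name][0]:
            raise UpdateError(f"{name}: version {comp['version']} is not newer, rollback refused")
        image = firmware_server[comp["uri"]]  # client-initiated fetch from the firmware server
        if digest(image) != comp["digest"]:
            raise UpdateError(f"{name}: image digest does not match the manifest")
        return (comp["version"], image)

    def apply(self, signed_manifest: dict, firmware_server: dict) -> dict:
        manifest = verify_manifest(signed_manifest)
        staged, failed = {}, {}
        for comp in manifest["components"]:
            try:
                staged[comp["name"]] = self._stage(comp, firmware_server)
            except UpdateError as err:
                failed[comp["name"]] = str(err)
        if manifest["atomic"] and failed:
            return {"installed": [], "failed": failed}  # all-or-nothing: nothing written
        self.slots.update(staged)  # commit only fully verified images
        return {"installed": sorted(staged), "failed": failed}

def build_scenario():
    """Constructed sample data: a secure-mode/normal-mode device and an author's v2 update."""
    secure_v2 = b"constructed secure-mode image v2"
    normal_v2 = b"constructed normal-mode image v2"
    server = {"fw/secure-2.bin": secure_v2, "fw/normal-2.bin": normal_v2}
    device = Device({"secure": (1, b"secure v1"), "normal": (1, b"normal v1")})
    components = [
        {"name": "secure", "version": 2, "uri": "fw/secure-2.bin", "digest": digest(secure_v2)},
        {"name": "normal", "version": 2, "uri": "fw/normal-2.bin", "digest": digest(normal_v2)},
    ]
    return device, server, components

def run_good_atomic_update() -> dict:
    device, server, components = build_scenario()
    return device.apply(author_sign({"components": components, "atomic": True}), server)

def run_corrupt_image(atomic: bool) -> tuple:
    # The normal-mode image on the server is corrupted; returns (result, installed versions).
    device, server, components = build_scenario()
    server["fw/normal-2.bin"] = b"bit-flipped image"
    result = device.apply(author_sign({"components": components, "atomic": atomic}), server)
    return result, {name: slot[0] for name, slot in device.slots.items()}

def run_tampered_manifest() -> str:
    # The manifest is edited in transit after the author authenticated it.
    device, server, components = build_scenario()
    signed = author_sign({"components": components, "atomic": True})
    signed["body"]["components"][0]["version"] = 99
    try:
        device.apply(signed, server)
    except UpdateError as err:
        return str(err)
    return "accepted"

if __name__ == "__main__":
    print(run_good_atomic_update())
    print(run_corrupt_image(atomic=True))
    print(run_corrupt_image(atomic=False))
    print(run_tampered_manifest())
```

The staging step is the point: images are fetched and verified into scratch state, and the installed slots are only written after every image named by the manifest has passed, so a corrupted normal-mode image leaves both slots untouched in the atomic case and only the secure-mode image updated in the independent case. On a real XIP device the "scratch state" would be a second flash slot or a swap area managed by the bootloader, which is where the dual-CPU atomicity problem the text mentions actually bites.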

Encryption of Manifest
In the "Human Rights" review in https://www.ietf.org/mail-archive/web/suit/current/msg00580.html Gurshabad Grover recommends offering encryption of manifests. Currently, only the encryption of the firmware is supported (as an optional feature).

Next Steps

Random Thoughts
- More editorial clean-up
- Incorporate feedback from this meeting
- More text about device interactions and bootloader design
- Better alignment with information model