Markdown Version | Session Recording
Session Date/Time: 05 Nov 2025 17:00
SUIT Session - IETF 124
Summary
The SUIT session at IETF 124 covered the progress of the SUIT Report document, a critical discussion on a potential downgrade attack for firmware encryption, and initial thoughts on integrating Post-Quantum Cryptography (PQC) into SUIT. Key decisions included updating the firmware encryption draft to address the downgrade attack and continuing the finalization of the SUIT Report.
Key Discussion Points
- SUIT Report Draft Update
- Purpose: The SUIT Report fills a gap in the SUIT architecture by defining a reporting format (a logging container) that directly matches how a SUIT manifest is processed. It allows understanding the execution flow and failure modes of firmware updates.
- Mechanism: It uses the SUIT manifest as a template, navigating through it to determine what happened during an update. Key information reported includes the manifest command sequence, offset, component ID, and failure reason (including actual values for conditions).
- Status: The draft has been submitted to the IESG for publication. Most DISCUSS comments have been cleared, with one remaining for which a response is staged in GitHub. The title was slightly changed based on feedback for better expressiveness.
- Changes since IETF 123: Two or three versions have been released (now v16), mostly involving terminology clarification, editorial changes, cross-references, and a rewrite in the attestation section.
- Consensus: A sense of the room indicated that the group is ready to proceed with publication once the remaining IESG DISCUSS is cleared.
- Firmware Encryption Security (COSE Algorithm Downgrade Attack)
- Problem: Hannes Tschofenig raised concerns about a downgrade attack applicable to COSE key encryption, particularly relevant to SUIT firmware encryption. If an attacker can modify the algorithm information in a COSE message, they might downgrade an Authenticated Encryption with Associated Data (AEAD) cipher (e.g., AES-GCM) to a non-AEAD cipher (e.g., AES counter mode). This could allow an attacker to learn secrets or modify content.
- Context: This is particularly relevant for constrained devices that might support non-AEAD ciphers (like AES counter mode). COSE libraries often act only on the header information without verifying it against the expected policy, making them vulnerable.
- Proposed Solution: Instead of a complex new mechanism, Hannes suggested a simpler approach: adding a paragraph to the security considerations section of the firmware encryption document. This paragraph would emphasize that implementers must check that the algorithm specified in the COSE message matches the algorithm configured or expected for the given use case (e.g., in a PEEP scenario, ensuring AES-GCM is used if that is what is expected).
- Group Discussion:
- Brendan supported the change, highlighting the catastrophic consequences of security errors in firmware updates and the special use case of non-AEAD ciphers in SUIT.
- Hannes acknowledged that the COSE group had less enthusiasm for a more complex fix, partially because non-AEAD modes are considered deprecated for general COSE use.
- The group agreed that pulling the draft from the IESG queue to incorporate this fix is acceptable and unlikely to significantly delay publication of other SUIT drafts.
- Christian A. raised a point in chat about previous arguments regarding CBC/counter mode in COSE. Hannes clarified that these are addressed in the COSE RFC, but that reiterating the caution in the SUIT context is still valuable.
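The check Hannes is asking implementers to make is easy to state but easy to forget, because most COSE libraries dispatch on the `alg` header as received. The following is an added example written for these notes, not code from the SUIT or COSE drafts or any COSE library. It contains a minimal CBOR decoder (integers, strings, arrays and maps only), parses a COSE_Encrypt0 structure, and contrasts the naive "trust the header" selection with a policy check that rejects any algorithm other than the one configured for the use case. The two sample messages are hand-constructed; the algorithm identifiers are the registered COSE values for AES-GCM (RFC 9053) and AES-CTR (RFC 9459).

```python
"""COSE algorithm policy check for SUIT firmware encryption (added example)."""
import struct

# COSE algorithm identifiers from the IANA "COSE Algorithms" registry.
A128GCM, A256GCM = 1, 3            # AEAD (RFC 9053)
A128CTR, A256CTR = -65534, -65532  # non-AEAD counter mode (RFC 9459)
ALG_NAMES = {A128GCM: "A128GCM", A256GCM: "A256GCM",
             A128CTR: "A128CTR", A256CTR: "A256CTR"}
COSE_HDR_ALG = 1  # common header parameter label "alg"


class PolicyViolation(Exception):
    """Raised when the message names an algorithm the policy does not allow."""


def _decode(buf, pos):
    """Decode one CBOR data item starting at buf[pos]; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    elif info == 26:
        arg, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:                       # unsigned integer
        return arg, pos
    if major == 1:                       # negative integer encodes -1 - arg
        return -1 - arg, pos
    if major in (2, 3):                  # byte string / text string
        end = pos + arg
        if end > len(buf):
            raise ValueError("truncated string")
        chunk = bytes(buf[pos:end])
        return (chunk if major == 2 else chunk.decode("utf-8")), end
    if major == 4:                       # array
        items = []
        for _ in range(arg):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map
        m = {}
        for _ in range(arg):
            k, pos = _decode(buf, pos)
            v, pos = _decode(buf, pos)
            m[k] = v
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def cbor_decode(buf):
    value, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return value


def header_alg(cose_encrypt0):
    """Return the alg label carried in the protected header of a COSE_Encrypt0."""
    msg = cbor_decode(cose_encrypt0)
    if not (isinstance(msg, list) and len(msg) == 3):
        raise ValueError("expected COSE_Encrypt0 [protected, unprotected, ciphertext]")
    protected = cbor_decode(msg[0])
    if not isinstance(protected, dict) or COSE_HDR_ALG not in protected:
        raise ValueError("protected header does not carry alg")
    return protected[COSE_HDR_ALG]


def naive_select_cipher(cose_encrypt0):
    """The pattern the discussion warns about: run whatever alg the message names.
    A device that supports AES-CTR for other reasons will accept the downgrade."""
    return ALG_NAMES.get(header_alg(cose_encrypt0), "unknown")


def check_alg_policy(cose_encrypt0, expected_alg):
    """Hardened pattern: alg must equal the one configured for this use case.
    Run this before any key unwrap or decryption is attempted."""
    alg = header_alg(cose_encrypt0)
    if alg != expected_alg:
        raise PolicyViolation("alg %s does not match configured %s"
                              % (ALG_NAMES.get(alg, alg), ALG_NAMES[expected_alg]))
    return alg


# Constructed sample messages (not real firmware), each a COSE_Encrypt0 array of
# [protected bstr, unprotected map, ciphertext bstr]. The protected header
# {1: 3} selects A256GCM; {1: -65532} selects A256CTR.
GCM_MSG = bytes.fromhex("83" "43a10103" "a0" "44deadbeef")
CTR_MSG = bytes.fromhex("83" "45a10139fffb" "a0" "44deadbeef")

if __name__ == "__main__":
    print("naive:", naive_select_cipher(GCM_MSG), naive_select_cipher(CTR_MSG))
    print("policy:", ALG_NAMES[check_alg_policy(GCM_MSG, A256GCM)])
    try:
        check_alg_policy(CTR_MSG, A256GCM)
    except PolicyViolation as err:
        print("policy rejected:", err)
```

The important design point is that `expected_alg` comes from device configuration (or the SUIT manifest's own encryption parameters as understood by the recipient), never from the message being checked, so a modified header can only cause a rejection rather than a change of cipher.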
- Update Management Draft
- Brendan stated he had no updates on this draft, as he received feedback from Deb on Friday and had not yet had a chance to review it.
- It was noted that the focus should remain on finalizing the SUIT Report first.
- Post-Quantum Cryptography (PQC) in SUIT
- Brendan's Proposal: Brendan reiterated a previous proposal to start the process of choosing cipher suites for ML-DSA and ML-KEM for SUIT, emphasizing the need to move towards standardized PQC algorithms as current cipher suites are becoming "undeployable."
- COSE Progress: Hannes provided an update on PQC in the COSE group:
- ML-DSA is in the RFC Editor's queue.
- HSS-LMS has been completed.
- FN-DSA and SLH-DSA are also being worked on.
- Hannes noted that while drafts and RFCs exist, high-quality implementations and library readiness for COSE PQC algorithms still need attention (e.g., his own work on ML-DSA in DECOTC).
- Deployability Concerns for HSS-LMS: Brendan highlighted an "unfortunate development" where CNSA guidelines have standardized LMS but not HSS-LMS. This creates deployability concerns for HSS-LMS due to key reuse and multiple signature issues, especially with failover techniques. He strongly advocated for ML-DSA over HSS-LMS from a regulatory compliance perspective.
- Impact on SUIT Drafts: It was clarified that a PQC integration draft would be either a "bis" (replacement document) or an update to the existing MTI (Multi-Trust Infrastructure) draft. This activity is not expected to delay other SUIT drafts, but it depends on the MTI draft becoming an RFC first.
- Overall SUIT Document Cluster: There was a brief discussion about the "gigantic cluster" of SUIT documents in the IESG queue, with dependencies generally flowing towards the manifest, report, and update drafts. The original intent to break dependencies with informative references was overridden by a request for normative references, thus re-creating the cluster.
Decisions and Action Items
- SUIT Report:
- ACTION: Brendan to push the latest draft, respond to Éric Vyncke's IESG DISCUSS, and address any other outstanding comments on the datatracker.
- Firmware Encryption Security:
- DECISION: The SUIT working group will update the firmware encryption draft to include a new paragraph in the security considerations section addressing the COSE algorithm downgrade attack.
- ACTION: Hannes to draft the proposed security considerations paragraph and post it to the SUIT mailing list for review.
- ACTION: Deb to communicate with the IESG editor regarding pulling the firmware encryption draft from the queue for these updates.
Next Steps
- SUIT Report: Complete the remaining actions to clear IESG DISCUSS and move towards publication.
- Firmware Encryption: Review and integrate Hannes's proposed security considerations update.
- PQC Integration: Continue discussion on the SUIT mailing list regarding Brendan's proposal for selecting ML-DSA and ML-KEM cipher suites.
- Overall SUIT Progress: Prioritize moving the SUIT Report and SUIT Update drafts through the IESG process to unblock the broader cluster of SUIT documents.