Hackathon114: SUIT manifest reference in EAT manifests claim

[dthaler]

The following question came up at the IETF 114 hackathon.
Currently the EAT spec has claims:

• manifests
• sw-name
• sw-version

The desire in TEEP, but which is not TEEP specific, is to have an EAT claim that states what version of a given component (e.g., firmware, or the OS, or OP-TEE, or whatever else) is installed. sw-name and sw-version are free-form text not machine readable nor guaranteed to change when a patch is done (i.e., it would rely on a human updating the sw-version value when software is patched).

Instead it seems more appropriate to reference a particular SUIT manifest / version.

However the manifests claim, while extensible, currently only allows a SUIT_Envelope which seems to imply it would have to have the entire SUIT manifest rather than just a reference to a SUIT manifest as a SUIT_Dependency would do. The thought is that if the SUIT_Dependency can be used in the manifests claim (or alternatively, a new claim) then one could easily and precisely reference the component manifest/version.

Use with the existing manifests claim would be doable if there is a content-type usable. The SUIT manifest spec defines application/suit-envelope but that again requires an entire SUIT_Envelope. Should we

a) define a content-type for a SUIT_Dependency
b) specify using some SUIT_Envelope which contains basically just a SUIT_Dependency
c) specify a new EAT claim for use with SUIT_Dependency. The disadvantage of this one is that it is specific to EAT, whereas the problem may exist in other contexts than just EAT.

?

[hannestschofenig]

Check: What is the status of this issue? I am not sure whether this issue belongs to the SUIT manifest itself.

[bremoran]

I believe that the resolution here is that the SUIT_Reference will be placed in the EAT manifests claim.