Lines Matching full:be
8 be used to help prioritize these efforts as well.
15 images. A general diagram can be seen in Figure 1:
24 model in unexpected ways, and variants on this will need to be
29 as this seems to be in wide use [1]_.
40 a root of trust, this image must be immutable. This model assumes
42 from future writes, and that this will be done after this image is
47 is made because this part of the image will need to be updated
51 a. The image shall only be replaced with an authorized image
55 shall be done in a timely manner [th-timely-update]_.
57 c. The image update shall be seen as atomic, meaning that when the
65 based services, this list will generally be provided by the service
66 provider. Because the root certificates can expire, and possibly be
67 revoked, this list will need to be periodically updated
78 software running elsewhere, and must be securely installed on the
79 device. Policy may dictate that this secret be replaced
84 These secrets must be protected from read, and the smallest amount
93 time to be accurate within a day or so. Token generation generally
94 requires the time to be accurate within 5-10 minutes.
96 It may be possible to approximate secure time by querying an
100 and the generation of tokens with invalid times. It could be
103 certificate to be able to intercept this. [th-time]_
106 delivered to the service shall be delivered without modification or
112 and other need to be kept by the device. This configuration data will
113 need to be updated periodically as the configuration changes. Updates
114 should be allowed only from authorized parties. [th-conf]_
119 to be carefully selected. It may also be possible to send these log
120 events to the cloud service where they can be stored in a more
121 resource-available environment. Types of events that should be logged
127 b. **Client secret changes**. Changes and new client secrets should be
141 contents of flash can be modified programmatically by the SoC's CPU.
145 code initially run. This section shall be written early in the
165 flash/system shall be configured such that after the bootloader
166 has completed, the CPU will be unable to write to the application
170 version of the application image. This image will be downloaded
175 d. **Secret storage**. An area of the flash will be used to store
177 application image. The application shall be configured to
184 Initial secrets shall be placed in the device during a
186 device. Later updates can be made under the direction of
189 e. **Configuration storage**. There shall be an area to store other
191 allowed for this to be stored in the same region as the secret
193 secret storage area, and as such, more code that must be
197 events can be written.
201 shall be made to make intercepting this bus difficult for an attacker.
207 device, and the cloud service will be done over the general
208 internet. As such, it shall be assumed that an attacker can
214 service [th-all-tls]_. The TLS stack shall be configured to use only cipher suites
216 secrecy. The communication shall be secured by the following:
223 server shall be verified [th-root-check]_.
229 require the certificate to be more restrictive than as
243 certificates shall be checked against the device's best
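The TLS requirements in the matched lines above (only forward-secret cipher suites, mandatory verification of the server certificate against the provisioned root list) can be expressed as a client context. The following is an added example written for this page, not code from the specification: the cipher-suite string, the minimum protocol version and the optional `cafile` argument are assumptions about one reasonable configuration, and `hardening_report` exists only so the result can be inspected without opening a connection.

```python
import socket
import ssl

# Assumed suite list: TLS 1.2 suites with ECDHE key exchange and an AEAD cipher only.
# TLS 1.3 suites are always forward-secret and are enabled independently of this string.
DEVICE_CIPHER_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20"


def make_device_tls_context(cafile=None):
    """Client context for the device side of the device/service link."""
    # PROTOCOL_TLS_CLIENT selects CERT_REQUIRED and check_hostname=True by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.set_ciphers(DEVICE_CIPHER_SUITES)
    if cafile is not None:
        # Trust only the provisioned service roots, not the OS bundle.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def non_forward_secret_suites(ctx):
    """Enabled TLS 1.2 suites whose key exchange is not ephemeral; expected to be empty."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE-", "DHE-"))
    ]


def hardening_report(ctx):
    """Plain-value summary of the settings the spec lines above call for."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "non_forward_secret": non_forward_secret_suites(ctx),
        "suite_count": len(ctx.get_ciphers()),
    }


def connect_to_service(host, port, ctx):
    """Open the connection; server_hostname drives both SNI and the hostname check."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(hardening_report(make_device_tls_context()))
```

Note that `set_ciphers` only governs TLS 1.2 and earlier; if the device must pin TLS 1.3 suites as well, that is a separate setting in the underlying TLS library. A context built for a real device should also be given the provisioned root file, since with no roots loaded every handshake will fail verification.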
255 certificates will be stored within the service provider. These
256 certificates can be self-signed, or signed by a CA. Since the
260 be useful in the management of these certificates.
265 be transmitted in this packet. Instead, a token-based
268 Token (JWT) can be used. These tokens will generally have a
270 being reused if they are intercepted. The token shall not be
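The matched lines above describe tokens with a short lifetime, so that an intercepted token cannot be replayed for long, and note earlier that token generation needs the clock accurate to within a few minutes. The following added example (written for this page; not code from the specification) mints and verifies an HS256 JWT with only the standard library. The 300-second lifetime, the 60-second skew tolerance and the per-device secret are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed policy values, not taken from the spec.
TOKEN_LIFETIME_S = 300   # token is only useful for five minutes
MAX_CLOCK_SKEW_S = 60    # tolerated disagreement between device and service clocks


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_device_token(device_id: str, secret: bytes, now: int,
                      lifetime_s: int = TOKEN_LIFETIME_S) -> str:
    """Device side: the secret never leaves the device, only this short-lived token does."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": device_id, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_device_token(token: str, secret: bytes, now: int,
                        max_skew_s: int = MAX_CLOCK_SKEW_S) -> dict:
    """Service side: raises ValueError on any failure, returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token must not choose how it is verified
    # ("alg": "none" and key-confusion attacks both depend on that).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if now > claims["exp"] + max_skew_s:
        raise ValueError("token expired")  # a replayed, captured token fails here
    if claims["iat"] > now + max_skew_s:
        raise ValueError("issued in the future: device clock too far ahead")
    return claims


def token_is_valid(token: str, secret: bytes, now: int) -> bool:
    try:
        verify_device_token(token, secret, now)
        return True
    except (ValueError, KeyError):
        return False
```

A device whose clock is ten minutes fast produces tokens whose `iat` is outside the skew window and is rejected, which is the practical reason the matched lines ask for clock accuracy of a few minutes; widening `MAX_CLOCK_SKEW_S` to cover worse clocks directly lengthens the replay window.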
285 use do not have support for this, and it will be necessary to consult
288 describe the Simple Network Time Protocol that can be used to query
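The matched lines above point to SNTP as a way for a device to obtain time accurate enough for certificate validation and token generation. Plain SNTP is unauthenticated, so the following added example (written for this page, not code from the specification) parses a reply defensively: it rejects kiss-o'-death and unsynchronised replies and refuses any time earlier than the firmware's build timestamp, which a device knows cannot be correct. The build timestamp and the sample reply bytes are constructed here for illustration.

```python
import socket
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Assumption: the firmware build time is compiled into the image, giving a floor
# below which no reply can be genuine.
BUILD_TIME_UNIX = 1_690_000_000


def build_sntp_request() -> bytes:
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3  # LI=0, version 4, mode 3 (client)
    return bytes(pkt)


def parse_sntp_response(data: bytes, min_plausible: int = BUILD_TIME_UNIX) -> float:
    """Return the server's transmit timestamp as Unix time, or raise ValueError."""
    if len(data) < 48:
        raise ValueError("short SNTP reply")
    li, mode, stratum = data[0] >> 6, data[0] & 7, data[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3:
        raise ValueError("server reports its clock is unsynchronised")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or unusable stratum %d" % stratum)
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp field
    unix_time = secs - NTP_UNIX_OFFSET + frac / 2 ** 32
    if unix_time < min_plausible:
        raise ValueError("reply predates the firmware build; rejecting")
    return unix_time


def sntp_reply_usable(data: bytes) -> bool:
    try:
        parse_sntp_response(data)
        return True
    except ValueError:
        return False


def query_sntp(host="pool.ntp.org", timeout=2.0) -> float:
    """Live query; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (host, 123))
        data, _ = s.recvfrom(48)
    return parse_sntp_response(data)


# Constructed server reply for offline use: LI=0, VN=4, mode 4, stratum 2,
# transmit timestamp 2023-11-14T22:13:20.5Z (Unix 1700000000.5).
SAMPLE_REPLY = (
    bytes([0x24, 2, 0, 0])
    + bytes(36)
    + struct.pack("!II", 1700000000 + NTP_UNIX_OFFSET, 0x80000000)
)

if __name__ == "__main__":
    print(parse_sntp_response(SAMPLE_REPLY))
```

The plausibility floor does not make SNTP trustworthy; an on-path attacker can still move the clock forward. It only prevents the specific failure the matched lines warn about, being pushed back to a time at which an expired or revoked certificate looked valid.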
300 addition, the bootloader flash protection shall be installed. Of
302 device. This secret shall be securely maintained, and destroyed in
314 this is done it shall be done securely, and the new secret
320 particular device shall be rendered ineffective
345 .. [th-authrepl] Application image shall only be replaced with an
349 Application updates shall be done in a timely manner.
352 Application updates shall be atomic.
361 There must be a mechanism to securely store client secrets. The
379 TLS shall be configured to allow only generally agreed cipher
394 The initial secret shall be securely maintained, and destroyed in
398 Reprovisioning a device shall be done securely.
401 Upon decommissioning, the device secret shall be rendered
418 current ideas of how TLS must be configured to be secure.
421 Note that merely erasing this flash area is unlikely to be