@@ -37,7 +37,9 @@ verify objects (lean, `WOLFCOSE_LEAN_VERIFY`). Fine-tuning macros:
3737| ` SUIT_HAVE_ENCRYPTION ` | decrypt COSE_Encrypt0 payloads on install (AES-GCM); enables AES-GCM in the build |
3838| ` SUIT_DEVICE_VENDOR_ID ` / ` SUIT_DEVICE_CLASS_ID ` | this device's identity (brace initializers) for the vendor/class conditions |
3939| ` SUIT_KEY_SLOT ` | fallback trust-anchor slot when the COSE_Sign1 carries no key id |
40- | ` SUIT_HAVE_FETCH ` / ` SUIT_HAVE_TRY_EACH ` / ` SUIT_HAVE_RUN_SEQUENCE ` | optional commands |
40+ | ` SUIT_HAVE_FETCH ` | enable directive-fetch; the host supplies an ` ops->fetch ` callback that retrieves the payload by uri (e.g. wolfUpdate transport) |
41+ | ` SUIT_HAVE_REPORT ` | build ` suit_report_encode() ` , a compact ` { result, sequence } ` status record an update server reads to learn the outcome |
42+ | ` SUIT_HAVE_TRY_EACH ` / ` SUIT_HAVE_RUN_SEQUENCE ` | optional commands |
4143
4244## Architecture
4345
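Review bot: the `SUIT_HAVE_FETCH` row describes `ops->fetch` only as retrieving the payload by uri, but that uri is supplied by the manifest, which the Status section of this same change calls attacker-controlled; the row (or the Architecture section) should state that the fetched bytes remain bound by the manifest's image digest and the partition-size check before install, and what the callback is expected to return on a transport failure so the sequence fails closed. The `SUIT_HAVE_REPORT` row should likewise say whether the `{ result, sequence }` record from `suit_report_encode()` is signed; the later bullet says it is not the draft-suit-report COSE attestation, so a server reading it should know the record is informational only. Consider also cross-referencing the key-wrap caveat from the Status section in the `SUIT_HAVE_ENCRYPTION` row, since that row currently reads as if AES-GCM decryption on install were complete.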
@@ -90,8 +92,11 @@ CBOR/COSE tooling (test B); it is not a full draft-34 implementation.
9092
9193- Unrecognized (or known-but-unsupported) commands are ** default-denied** (the
9294 sequence fails), as a SUIT processor must, rather than silently skipped.
93- - Not implemented (and rejected if present): directive-fetch, severable members,
94- try-each / run-sequence / swap, dependencies/trust-domains, SUIT Reports.
95+ - Optional, built only when their macro is set: directive-fetch
96+ (` SUIT_HAVE_FETCH ` , via a host callback) and a compact status report
97+ (` SUIT_HAVE_REPORT ` , not the full draft-suit-report COSE attestation).
98+ - Not implemented (and rejected if present): severable members,
99+ try-each / run-sequence / swap, dependencies/trust-domains.
95100
96101## Status
97102
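Review bot: the new "Optional, built only when their macro is set" bullet does not say what happens to a manifest that carries directive-fetch when `SUIT_HAVE_FETCH` is unset; the removed line stated explicitly that directive-fetch was "rejected if present", and that guarantee is now only implied by the default-deny bullet above. One clause such as "when the macro is unset these commands are treated as unsupported and fall under the default-deny rule above" would preserve the earlier statement. The same applies to `SUIT_HAVE_REPORT`: if report generation is requested but not built, the text should say whether that is a hard failure or simply no report.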
@@ -110,8 +115,18 @@ image or content larger than the partition space, and an out-of-range component
110115index), and ** key-id selection** (the COSE_Sign1 ` kid ` picks the trust anchor
111116via the keystore, like the TLV path's pubkey hint).
112117
113- Follow-ups: ` directive-fetch ` (networked payload retrieval, wolfUpdate), and the
114- optional commands (` try-each ` / ` run-sequence ` / ` swap ` ).
118+ Networked update support: ` directive-fetch ` (` SUIT_HAVE_FETCH ` ) retrieves the
119+ payload by uri through a host callback, and ` suit_report_encode() `
120+ (` SUIT_HAVE_REPORT ` ) emits a compact status record, so a server (e.g. wolfUpdate)
121+ can pull images and learn outcomes. Remaining optional commands: ` try-each ` /
122+ ` run-sequence ` / ` swap ` .
123+
124+ Production readiness: this feature is experimental and off by default. Before
125+ enabling it in a shipping product the gate is, at minimum: fuzz the manifest
126+ parser and complete a security review (the manifest is attacker-controlled),
127+ hardware-test the boot/swap path, and provision the content-encryption key by
128+ key-wrap rather than handing it in raw. Encryption (` SUIT_HAVE_ENCRYPTION ` ) is
129+ not production-ready until the key-wrap step exists.
115130
116131This PR is gated on the wolfCOSE fixes in wolfSSL/wolfCOSE PR #53 ; the submodule
117132is pinned to that work and should be repinned to the wolfCOSE v1.0 tag before
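Review bot: the "Networked update support" paragraph should state that a payload pulled through the host callback is verified against the manifest's image digest and the partition-size bound from the preceding context before it is installed, since the uri it fetches comes from the manifest and the "Production readiness" paragraph a few lines later treats that manifest as attacker-controlled; as written, a reader could take directive-fetch to mean the fetched image is trusted on arrival. The readiness list is a good addition; it could also note that the `suit_report_encode()` status record is unauthenticated, so the server's outcome tracking is best-effort rather than evidence of a successful install. Minor: "uri" is lowercase here and in the table while the README otherwise uses proper names such as COSE_Sign1; "URI" would be consistent.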