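// Copyright 2021 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

syntax = "proto3";

package pw.software_update;

import "pw_software_update/tuf.proto";

option java_multiple_files = true;
option java_package = "dev.pigweed.pw_software_update";

// A software update bundle: TUF-style signed role metadata (timestamp,
// snapshot, targets, optional root) together with the target payloads.
//
// NOTE(review): every field here arrives from outside the device. The
// verification code is not part of this file; presumably no field may be
// acted on until the signed metadata has been verified against the on-device
// trusted root -- confirm against the verifier.
message UpdateBundle {
  // The timestamp role is used for freshness check of the snapshot. Any
  // project-specific update metadata should go in the top-level
  // targets_metadata or with the TargetFile information.
  optional SignedTimestampMetadata timestamp_metadata = 1;

  // The snapshot role is used to ensure that the collection of
  // targets_metadata files is securely consistent (no target metadata mix and
  // match). Any project-specific update metadata should go in the top-level
  // targets_metadata or with the TargetFile information.
  optional SignedSnapshotMetadata snapshot_metadata = 2;

  // Map of target metadata name to target metadata.
  // Target metadata name can be an arbitrary name or a path that describes
  // where the file lives relative to the base directory of the repository, as
  // described in the snapshot metadata. e.g. "path/to/target/0".
  //
  // Protobuf map iteration order is undefined; do not rely on entry order.
  // NOTE(review): keys are chosen by whoever built the bundle. If a consumer
  // ever maps a key onto a filesystem location, it should first reject
  // absolute paths and ".." components -- confirm how callers use the key.
  map<string, SignedTargetsMetadata> targets_metadata = 3;

  // Map of target file name to target payload bytes.
  // Target file name can be an arbitrary name or a path that describes where
  // the file lives relative to the base directory of the repository, as
  // described in the target metadata. e.g. "path/to/amber_tools/0".
  //
  // The payload bytes carry no signature of their own in this message.
  // NOTE(review): presumably each payload is checked against the length and
  // hashes recorded for it in verified targets metadata (see tuf.proto) before
  // it is used or written -- confirm. The same key-validation caution as for
  // targets_metadata applies to these file names.
  map<string, bytes> target_payloads = 4;

  // If present, a client will attempt to upgrade its on-device trusted root
  // metadata to the root metadata included in the bundle, following the
  // standard "Update the root role" flow specified in the TUF spec, but
  // without "version climbing".
  //
  // The exact steps are:
  // 1. Check if there is a root metadata in the bundle.
  // 2. If the root metadata IS NOT included, assume on-device root metadata
  //    is up-to-date and continue with the rest of metadata verification.
  // 3. If the root metadata IS included, verify the new root metadata using
  //    the on-device root metadata.
  // 4. If the verification is successful, persist new root metadata and
  //    continue with the rest of metadata verification. Otherwise abort the
  //    update session.
  //
  // The key deviation from standard flow is the client assumes it can always
  // directly upgrade to the single new root metadata in the update bundle,
  // without any stepping-stone history root metadata. This works only because
  // we are not supporting (more than 1) root key rotations.
  //
  // NOTE(review): the steps above do not say whether the version of the new
  // root is compared with the on-device root before it is persisted. If
  // replacing the trusted root with an older one must be prevented, confirm
  // that the verifier enforces it.
  optional SignedRootMetadata root_metadata = 5;
}

// Update bundle metadata
// Designed to inform the update server what the device currently has in-place.
// Also used to persist the TUF metadata for use in the verification process.
// Stored manifest is only written/erased by the update service. In all other
// contexts the stored manifest is considered read-only.
message Manifest {
  // Map of target metadata name to targets metadata.
  //
  // The value type is TargetsMetadata rather than the SignedTargetsMetadata
  // used in UpdateBundle. NOTE(review): presumably this is the unsigned form,
  // in which case the stored copy is protected only by the write restriction
  // described on this message, not by a signature -- confirm against
  // tuf.proto and the storage backend.
  map<string, TargetsMetadata> targets_metadata = 1;

  // Insert user manifest target file content here.
  // Opaque bytes; this schema places no structure on them.
  optional bytes user_manifest = 2;
}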