-----Original Message-----
From: zephyr-devel-bounces@... [mailto:zephyr-devel-
bounces@...] On Behalf Of Johann Fischer
Sent: 28 August 2017 15:35
To: zephyr-devel@...
Subject: Re: [Zephyr-devel] Zephyr DFU protocol

Hi,

On 28.08.2017 14:45, Cufi, Carles wrote:

The USB DFU specification does not seem to be a good fit since it maps

specifically to particular USB endpoints and classes, making it not
suitable for other transports without extensive modification. Using a
standard USB class such as CDC ACM as transport, we could instead map
the chosen protocol over a USB physical link.

That surprised me a little, can you describe it in more detail what you
mean with "it maps specifically to particular USB endpoints and
classes". I think if you have USB, then USB DFU is the most elegant
solution for update. Or is it about using the same update tool for UART
and USB?

-----Original Message-----
From: David Brown [mailto:david.brown@...]
Sent: 28 August 2017 16:22
To: Cufi, Carles <Carles.Cufi@...>
Cc: zephyr-devel@...
Subject: Re: [Zephyr-devel] Zephyr DFU protocol

On Mon, Aug 28, 2017 at 12:45:37PM +0000, Cufi, Carles wrote:

As you might already know, we've been working on the introduction of
DFU (Device Firmware Upgrade) to Zephyr. Several Pull Requests have
been posted dealing with the low-level flash and image access modules
required to store a received image and then boot into it, but that
leaves out one of the key items in the system: the update protocol that
allows an existing running image to obtain an updated one over a
transport mechanism.

My first suggestion. Unless we are stricly implementing the USB DFU
protocol, we really should call this something else. DFU is defined by
USB standards, and is a very specific protocol with a very specific
purpose. If what we're looking is for something general across other
transports, we should call it a different name to avoid confusion.

There are several fundamental requirements for such a protocol if we
want it to be future-proof, extensible and practical for embedded
devices:

- Must be packet-based and transport-agnostic

Although this makes sense for non-usb, it also precludes using existing
tools for the update when we do have USB as our transport.

My suggestion would be to support DFU for USB, and device another
protocol for the other transports.

- Must be extensible and flexible
- The server-side implementation (assuming a request/response model)
must be relatively simple and require little resources
- Must be compatible with the mcuboot project and model
- At the very least the following transports must be supported: BLE,
UART, IP, USB
- A client-side tool (assuming a request/response model) must either
exist already or be easily implementable

So this is solved for USB DFU. We would probably have to create tools
for other transports.

With that in mind we proceeded to analyze a few of the existing
protocols out there (the ones we knew about), in order to consider
whether reusing an existing effort was a better approach than designing
and implementing a new protocol from scratch:

1) USB DFU specification[1]
2) Nordic Secure DFU protocol (included in the Nordic SDK)[2]
3) Newt Manager Protocol (part of Mynewt)[3]
4) Distributed DFU over CoAP used in Nordic's Thread SDK[4]

Note: I will use the word "source" to identify the device that contains
the new image, and "target" to identify the one that receives it,
flashes it and the boots into it.

The USB DFU specification does not seem to be a good fit since it maps
specifically to particular USB endpoints and classes, making it not
suitable for other transports without extensive modification.
Using a standard USB class such as CDC ACM as transport, we could
instead map the chosen protocol over a USB physical link.

This is fairly intentional. As I mention above, I would suggest
implementing DFU regardless of other protocols used.

We also see 2 very different image distribution models. In protocols 1,
2 and 3 the source (client) "pushes" an image to the target
(server) after checking that it's applicable based on version checking
and other verifications. In protocol 4 however, the source acts instead
as a server and the targets act as clients that "pulls"
images from the source (server) whenever they are available. I believe
that the Linaro DFU implementation also follows the "pull"
paradigm of protocol 4.

They also serve different purposes. DFU (the real one on USB) works
similar to a recovery mode. You put the target into DFU mode, and the
USB endpoint is a different kind of device than it usually is. The
other upgrade protocols are intended to upgrade live devices. This is
also a good reason to support USB's DFU in addition to whatever other
protocol we come up.

We believe that the right approach for the sort of ecosystem that
Zephyr targets is the "push" approach, to minimize traffic, reduce
power consumption and also make it possible to use with all transports.
That said, it is important to note that although we are trying to
decide on a default DFU mechanism for Zephyr, all layers (including the
image management) will be independent of it, and it should therefore be
entirely possible to implement an additional protocol for our users.
Furthermore we don't exclude the possibility of extending the chosen
protocol to support a "pull" model as well, something that should be
entirely feasible as long as the protocol of choice is flexible.

The approach that was demoed at the last Linaro Connect was pull based,
and essentially had the firmware living on an http server. It had the
advantage of being fairly easy to implement with existing code in
Zephyr.

After analyzing the different options available, we believe the Newt
Manager Protocol (NMP) to be the better suited option for our current
needs, for reasons outlined below:

- It is proven to work with mcuboot, the default bootloader for Zephyr
- The current mcuboot repository already contains an implementation of
NMP for serial recovery
- It uses a "push" model
- It is very simple but also easily extensible
- Uses a simple packet format combining an 8-byte header followed by
CBOR[5]-encoded data
- Supports additional functionality on top of basic DFU: stats,

filesystem access, date and time setting, etc.

- Already supports the BLE and serial transports
- A command-line tool exists to send images over both BLE and Serial
(both Go and JS/Node versions are available)
- It is open source and licensed under the APLv2
- There are commercial products using it already [6]

I agree that newtmgr protocol seems to be the best fit for us. It's
serial model would even fit in fairly well with the Zephyr shell, since
it wraps the packets with a control-character + base-64 packet + control
character, which the shell seems to have partial support for already.

-----Original Message-----
From: David Brown [mailto:david.brown@...]
Sent: 28 August 2017 17:59
To: Cufi, Carles <Carles.Cufi@...>
Cc: zephyr-devel@...
Subject: Re: [Zephyr-devel] Zephyr DFU protocol

On Mon, Aug 28, 2017 at 02:43:27PM +0000, Cufi, Carles wrote:

As I already stated, this is not about choosing the only protocol
available for updating images in the target device, so implementing
standard USB DFU is definitely something that we want as well. That
said, I would also be in favour of having the future management
protocol run over CDC ACM, for 2 reasons:

One other protocol I just realized is already out there is lwm2m.
There is starting to be some support for it in Zephyr, it works over
other transports, supports device management, and has support for
firmware update.

The eclipse foundation has a couple of implementations (wakaama in C,
and Leshan in Java).

The approach that was demoed at the last Linaro Connect was pull
based, and essentially had the firmware living on an http server. It
had the advantage of being fairly easy to implement with existing
code in Zephyr.

The problem with using a pull-based protocol is that it is less
portable to non TCP/IP transports as I see it, since it requires the
target device to initiate the transaction. Are you implying that you'd
prefer the Zephyr "management" protocol to be pull-based? We're
definitely open to discuss that at length. Also see the section about
the Newt Management Protocol over OIC/OCF, which implements "push"
over TCP/IP, which could be an alternative for the Linaro usecase.

I agree that the pull approach isn't really all that great, but it was
easy to implement. It does make management of the upgrade server a
little easier, though. I'm not sure how well a push-based protocol
scales to a large number of devices.

Any idea how Android or iOS handle this? I would guess that both are
pull based, since that would otherwise require the vendor to have a
server that keeps track of every device out there.

I agree that newtmgr protocol seems to be the best fit for us. It's
serial model would even fit in fairly well with the Zephyr shell,
since it wraps the packets with a control-character + base-64 packet
+ control character, which the shell seems to have partial support

for already.

It does, I didn't mention that to avoid extending myself too much, but
it's also a very nice feature I find.

One other thing we should consider is the security of the upgrade
protocol. Mcuboot has signatures to validate images, so that would
prevent rogue upgrades, but if we have a management protocol, that
should probably also be secured via some means.

It is likely that something like lwm2m is going to be implemented for
Zephyr (code is there, and work seems to be happening on it), so we
should decide if we want to push the newt management protocol as well.

-----Original Message-----
From: David Brown [mailto:david.brown@...]
Sent: 29 August 2017 15:49
To: Cufi, Carles <Carles.Cufi@...>
Cc: zephyr-devel@...
Subject: Re: [Zephyr-devel] Zephyr DFU protocol

On Tue, Aug 29, 2017 at 09:14:31AM +0000, Cufi, Carles wrote:

One other protocol I just realized is already out there is lwm2m.
There is starting to be some support for it in Zephyr, it works over
other transports, supports device management, and has support for
firmware update.

I just read through the highlights of the spec and indeed this matches
relatively closely the concept we are trying to push here with a
"management" protocol. After looking through it a bit here are the
problems I see:

a) Complexity: By reading through the specification[i] this looks like
a pretty complex protocol to me, which in many cases might be a
drawback to users wanting to reduce ROM and RAM size. This is
particularly important for very constrained devices that only need to
send some sensor data over BLE for example

I had a conversation with Sterling Hughes yesterday, and he explained
that this was pretty much the primary reason for developing the news
manager protocol instead of just using lwm2m.

b) Suitability for other transports: The specification clearly states
2 main transports: UDP and SMS. While adapting this to other transports
would likely be feasible, the protocol doesn't look designed for it

c) Model: the protocol seems to rest on the basis of a "pull" model,
where clients are the target devices. For the reasons stated before,
this might not be suitable to simple UART, BLE or USB CDC ACM usecases.

This is the other main reason for its infeasibility.

That said, the protocol does match the Newt Manager Protocol quite
closely when it comes to supported functionality and purpose. My vote
here would be to have support for both, because I do not think running
LWM2M over UART or BLE is a good match for tiny constrained
applications that only require simple firmware updates.

Agreed. I think that lwm2m is going to end up needing to be implemented
because there will be environments that will require that specific
protocol. But, we will want something like newtmgr for other cases, and
situations where less code is desired.

It is also possible for newtmgr to be layered differently, depending on
the situation. For serial, it can either be used directly, or in a
console friendly manner (with escape characters and base-64 encoding).
It is possible to leave minicom or picocom running, and have newtmgr
connect to the serial port to exchange packets.

On BLE, it can be transported directly over GATT.

And for network interfaces, layering it over COAP or COAPS makes sense.

-----Original Message-----
From: David Brown [mailto:david.brown@...]
Sent: 29 August 2017 15:57
To: Cufi, Carles <Carles.Cufi@...>
Cc: zephyr-devel@...
Subject: Re: [Zephyr-devel] Zephyr DFU protocol

On Tue, Aug 29, 2017 at 09:14:31AM +0000, Cufi, Carles wrote:

While having one single protocol would definitely be a boon, I am not
sure LWM2M will fit the bill in terms of RAM and ROM requirements, and
we still need something for the UART recovery mode in the bootloader,
which will probably end up being the Newt Manager Protocol since I
don't think we can fit LWM2M into a bootloader.

Given that there are other parties that have an interest in lwm2m, I
think we should put our focus into supporting newtmgr for upgrades.
The other protocols (lwm2m, and USB DFU) will probably be implemented as
there is need for them.

What would be nice would be to take the target-side newtmgr code, and
make it into its own project. We would need to refactor and abstract
the operating system interfaces so that we can use the same codebase for
multiple platforms. This would be similar to how mcuboot is now its own
project that works on Zephyr and Mynewt (and soon RIOT).