Designating a Primary for Secondary ECUs in Multiple Primary Configuration
jhdalek55 opened this issue · 17 comments
This issue splits off from Issue #174, which was actually two unrelated issues in a single package. Here, the question is managing configurations that feature more than one Primary. As explained in the original issue, posted by @allen-cain:
The Standard and Deployment Considerations have both been expanded to allow for a vehicle to have multiple Primaries.
The Standard Section 5.4.2 states If multiple such Primaries are included within a vehicle, each Secondary ECU SHALL have a single Primary responsible for providing its updates.
The Deployment Considerations states If multiple Primaries are active in the vehicle at the same time, then each Primary SHOULD control a mutually exclusive set of Secondaries, so that each Secondary is controlled only by one Primary.
Proposal: Modify the Standard to allow for multiple Primaries to interact with a Secondary.
Proposed wording: If multiple such Primaries are included within a vehicle, each Secondary ECU SHOULD have a single Primary responsible for providing its updates.
Discussion moved over from Issue #174
- Proposal: Modify the Standard to allow for multiple Primaries to interact with a Secondary.
Proposed wording:If multiple such Primaries are included within a vehicle, each Secondary ECU **SHOULD** have a single Primary responsible for providing its updates
Comment from Marina
I think the choice to make this a SHALL in the standard was intentional to ensure that each Secondary ECU does not get conflicting updates from different Primaries, and to ensure that the Director has a consistent view of the ECUs in a vehicle. If we changed it to a SHOULD, I think we would need to add some clarification (possibly in the deployment considerations) about how to handle these events if an ECU communicates with multiple primaries. That being said, we should certainly resolve the conflict between deployment considerations and the standard (using either the SHALL or the SHOULD).
I am strongly in favor of the use of SHALL here (in the Standard and in the Deployment Best Practices). If a given Secondary can install updates from two different Primaries in the same vehicle, then the security posture of that Secondary cannot be deterministic and collisions between competing Prinmaries are inevitable.
Separately, there should be new text (in v2.0) for both Standard and Deployment that multiple Primaries in the same vehicle SHALL coordinate all software update activities and actively avoid unsafe or insecure software update activities.
I agree with @iramcdonald that we should add a SHALL that each Secondary is associated with a single Primary, but I think requiring the Primaries to coordinate would add unnecessary challenges for aftermarket ECUs, or more generally Primaries that are controlled by different parties.
Can someone tag this for V.2.0.0? I'm not able to do that.
Can someone tag this for V.2.0.0? I'm not able to do that.
Done.
Can someone take a look at the issue and see if there is an interim step we could take?
Any change to this part of the standard (reducing the SHALL) will have to wait for 2.0.0. What we can do now is decide if this is something we want to do, and how to specify the coordination between multiple primaries in the deployment considerations.
As of the 4/13 Uptane Standard meeting, it was agreed to add some text about this issue to a new "Emerging Issues" page on the website. Otherwise leave to 2.0.0.
At our 4/13 meeting, it was agreed we should add an "Emerging Issues" page to Deployment Best Practices that would address topics like this one where no definitive solution is on the horizon. PR # 104 opened a file for this page and @jhdalek55 will draft some initial text. In addition to this issue, the text will address Issues #200 and Issue #86 on the Deployment pages.
The consensus was to add some text to the Standard, but as a SHOULD and not a SHALL (i.e. “Secondaries SHOULD only have one . If this text is added, then a rationale for the SHOULD needs to be included in the Deployment section. It was agreed that text should be drafted and the debate can continue from there."
Are we moving forward with this and can we get a volunteer?
We still need a volunteer to draft some text for this.
It was agreed that we should add some text to the Standard stating that, in cases where a system has multiple primaries, each primary SHOULD have its one designated set of secondaries. In the Deployment pages, we should explain that secondaries lack the resources to prioritize between primaries which could prevt secondaries from maintaining compliance.
We still need text for this issue. I'm not sure I know how to address this issue. Can we please get a volunteer to address this?