Build-time requirement of preinstalled full set of metadata

[pattivacek]

Section 5.4.1 says "Full verification ECUs MUST have a complete set of metadata (Root, Targets, Snapshot, and Timestamp) from both repositories". It points to the Deployment Best Practices for more information, but that mostly just repeats the same information. I'm wondering why we need anything more than the Root. The purpose of the Root is to provide the keys necessary to verify everything else. If the Root has been rotated on the server in the meantime, that will invalidate the other metadata roles anyway and require redownloading fresh versions that might also be signed with new keys. What do we gain by requiring that full set? I can't see the benefit if you have the Roots.

[joshuagl]

Drive by TUF comment, apologies if I am missing context.

In short – you need a prior version of the metadata to do rollback protection. We have a proposed TAP for formalising so-called backstop metadata, and bootstrapping from a known set of trusted metadata, here: https://github.com/theupdateframework/taps/pull/128

[pattivacek]

Thanks, that does explain it pretty well! I was thinking of a case where you'd trust anything signed by the right keys, but I like this idea of the backstop metadata. That does sound like the right thing to do.