We did evaluate building in TUF (there is a reference implementation) when Mender was started, but decided not to because it:
- Does not offer significant increased security for most security requirements/threat models
- Is very complex and would make Mender harder to use and maintain, in particular in terms of key management with different roes and purposes
“How secure” something is needs to be defined by a threat model to do a formal analysis. So the question first is: What are you trying to protect against?
In general Mender protects against the common scenarios out of the box:
- Server spoofing: TLS
- Client spoofing: JWT authenticaiton based on unique RSA keypair on client
- Any communication listening/meddling: TLS
- Software tampering (end-to-end): Artifact signatures
- Client compromise: Unique keys and Artifact download links, ability to reject & decommission
I think TUF could protect against some additional scenarios where the server and/or software repository gets compromised. For example to avoid downgrade attacks (downgrading to vulnerable software that was installed in the past). However this conflicts with the ability roll back in Mender, which is an important robustness criterion.
In terms of design principles we do want to make sure Mender is easy to use, and robust (e.g. supports rollback), and I think this is where TUF would conflict the most.
As you probably know this is a large topic, so would be happy to discuss further if you had any specific attack vectors or threat model in mind!