Re: [Suit] Review of draft-ietf-suit-manifest-09
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Mon, 27 July 2020 15:15 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA393A0F0F for <suit@ietfa.amsl.com>; Mon, 27 Jul 2020 08:15:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aC5MIb-woLbd for <suit@ietfa.amsl.com>; Mon, 27 Jul 2020 08:15:23 -0700 (PDT)
Received: from mail-edgeDD24.fraunhofer.de (mail-edgeDD24.fraunhofer.de [192.102.167.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65A843A183C for <suit@ietf.org>; Mon, 27 Jul 2020 08:15:20 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2F6CQBkpYde/xwBYJlmHAEBAQEBBwEBEQEEBAEBgXuBfSxsA1UvKgqEEZBdLZlggSs3BQoBAQEBAQEBAQEGAQEYDQgCBAEBAoRCAoJHJDgTAhABAQYBAQEBAQUEAgJphVYMgnZdPAk5AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQINNh43EgEBHgEBAQECAQEhDwEFMwMCCRAJAhIGAgIjAwICJx8BAg4GAQwBBQIBAYMiAYJ7BQuTP5t5gTKENQGBFYNngTgGgQ4qixKBHw+BTD+BEScPglo+gmcBAQEBgS4BEgEPPoJmgl4EjWUHToJFhieYc3kHgUl3fASMS4Q/hRUjgkwziAWEMQWMRo8uBIFSmksCBAIJAhWBaSNncE0kT4JpUBgNjiYDF4EEAQKCSYUUhUNyAoEnjRkBgQ8BAQ
X-IPAS-Result: A2F6CQBkpYde/xwBYJlmHAEBAQEBBwEBEQEEBAEBgXuBfSxsA1UvKgqEEZBdLZlggSs3BQoBAQEBAQEBAQEGAQEYDQgCBAEBAoRCAoJHJDgTAhABAQYBAQEBAQUEAgJphVYMgnZdPAk5AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQINNh43EgEBHgEBAQECAQEhDwEFMwMCCRAJAhIGAgIjAwICJx8BAg4GAQwBBQIBAYMiAYJ7BQuTP5t5gTKENQGBFYNngTgGgQ4qixKBHw+BTD+BEScPglo+gmcBAQEBgS4BEgEPPoJmgl4EjWUHToJFhieYc3kHgUl3fASMS4Q/hRUjgkwziAWEMQWMRo8uBIFSmksCBAIJAhWBaSNncE0kT4JpUBgNjiYDF4EEAQKCSYUUhUNyAoEnjRkBgQ8BAQ
X-IronPort-AV: E=Sophos;i="5.72,341,1580770800"; d="scan'208";a="33273914"
Received: from mail-mtaka28.fraunhofer.de ([153.96.1.28]) by mail-edgeDD24.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2020 17:15:17 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DTDQCl7h5f/1lIDI1gHgEBCxIMQIFMgXkvbwNUMCwKhCqRIJojgWkLAQMBAQEBAQYBARgNCAIEAQGETAKCJwIkOBMCEAEBBQEBAQIBBgRthVwMQxYBhRgBAQICAQEhDwEFMwMCCRAJAhIGAgIjAwICJx8BAg4GAQwBBQIBAYMiAYMAC5IQm3qBMoQ7AYEWg0iBOgaBDioBhkWFGYEeD4FMP4ERJw+CWj6CXAEBAQGBKAESAQ8+gmqCYASPIQdPgmWGf5sKXCkHgVmBCIEIBAuNeYUAhVIFCh6CezaJEoR9Bo4ekhIEgWidMgIEAgkCFYFqI2dwTSRPgmlQFwINjicDF4ECAQKCSYUUhURBMQI1AgYBBwEBAwl8iiyDYwGBEAEB
X-IronPort-AV: E=Sophos;i="5.75,402,1589234400"; d="scan'208";a="31599259"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaKA28.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2020 17:15:14 +0200
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 06RFFDJE015519 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Mon, 27 Jul 2020 17:15:13 +0200
Received: from [192.168.16.50] (79.206.156.41) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Mon, 27 Jul 2020 17:15:08 +0200
To: Brendan Moran <Brendan.Moran@arm.com>, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
CC: suit <suit@ietf.org>
References: <BL0PR2101MB1027152EC8DAD9B3847C3E89A3770@BL0PR2101MB1027.namprd21.prod.outlook.com> <70453005-8DFA-4DBE-8C04-9882839D5005@arm.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <3ff3915e-c61c-2c00-f780-a77c9ab494cc@sit.fraunhofer.de>
Date: Mon, 27 Jul 2020 17:15:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <70453005-8DFA-4DBE-8C04-9882839D5005@arm.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.206.156.41]
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/4-bZOLHDWp6_wCM_GkaBSsiSNQQ>
Subject: Re: [Suit] Review of draft-ietf-suit-manifest-09
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 15:15:28 -0000
Hi Brendan, hi Dave thanks for your extensive summary, Brendan! This is very useful. Just two small additions. While CBOR OID seems to be a good match, that unfortunately introduces a timing problem (as does packed), but maybe we can devise a way around that. As PEN are not a rare choice in CBOR-based representations, I'd just want to voice support for the notion of being very careful here. We can of course start to create a qualified name that involves a PEN (among other things), but we are not the only ones that might attempt such a thing and therefore might require some ealignment. Viele Grüße, Henk On 27.07.20 16:42, Brendan Moran wrote: > Hi Dave, > > Thank you very much for your very detailed review! Of course, it will > take me some time to work through this review. I will do my best to > clarify these technical comments as I work through. In general, the > issues you’ve listed look to me like the “right” answer is fairly > obvious, so I will straighten them out. There are several comments that > I think deserve a little more clarification. > > 6. SUIT_Report > >> SUIT_Report and Reporting Engine text is added but does not appear to >> be about what goes in a SUIT manifest, so I argue that it doesn’t >> belong in this spec (and is arguable as to whether it’s in scope for >> SUIT at all) > > You’re right. This has not been raised on the list. If it’s more > appropriate to put it in a new draft, I’m happy to do that. However, > it’s a natural consequence of adding the SUIT_Reporting_Policy, which > was discussed at the virtual interim. It seemed to me that if a > reporting policy was specified, then an implementor would naturally want > to know how to report that information. If there is a need for logging > SUIT commands, along with their arguments and results, this seems very > specific to SUIT in general and the SUIT manifest in specific. I > struggle to see what document would be more appropriate than the SUIT > manifest for the SUIT_Report. > >> Furthermore, it says SUIT_Report can go in an attestation report. >> What’s the rationale for that as opposed to some more typical >> logging/reporting mechanism that might integrate with existing error >> reporting mechanisms and trouble ticketing? > > SUIT_Reporting_Policy has two output channels: “system information,” > that is the “actual” values compared against in conditions, and “command > records” which are effectively logs of command execution. For an update > case, these are adequately served by logging infrastructure. However, in > a bootloader case, this is inadequate because the bootloader and the > booted application are different security domains. This means that any > system information or command records need to be protected from > modification by the application. Typically, this would be done with a > signature; I don’t see how this is different from attestation. > > The discussion of a Reporting Engine seems necessary: it’s the thing > that consumes reporting policy. > >> 7.Defining a new identifier space (UUIDs) for vendors is not >> motivated. So a vendor can’t use an existing OUI or IANA private >> enterprise number that can be easily looked up? You have to instead >> use an opaque identifier with no way to directly look up its meaning? >> What is the rationale for inventing a new space rather than being able >> to reuse an existing one that can be looked up to get an org name, >> contact info, etc.? (Yes there is suit-text-vendor-domain but that’s >> severable and optional to implement at all.) And a UUID takes up more >> bytes than either an OUI or a PEN, so is worse for constrained >> devices, so why not use an existing space that is shorter and hence >> more applicable to constrained devices? > 7. Vendor IDs > I’d argue that I have not defined a new identifier space. It was defined > in RFC4122. That said, I think that PEN could be beneficial if we can > work around some of the complexities associated with it. > > OUIs may be prohibitive for small manufacturers (US $2,995). For > example, I have seen small manufacturers avoid building USB devices due > to the cost of obtaining a USB VID. Class IDs still require a UUID Name > Space Identifier. There is no rule I can find for constructing an OUI > UUID, so it cannot be used as a UUID Name Space Identifier. > > > Private Enterprise Numbers seem manageable by small manufacturers. > There is a UUID Name Space Identifier for OIDs, however this gets a bit > confusing. You would need to construct a class ID as follows: > > Vendor_UUID = uuid.uuid5(uuid.NAMESPACE_OID, EncodeOID(‘1.3.6.1.4.1.’ + > PEN)) > Class_UUID = uuid.uuid5(Vendor_UUID, Class_Information) > > The problem here is that EncodeOID() is not specified at all in RFC4122. > The closest we get is: > >> For example, some name spaces are the >> domain name system, URLs, ISO Object IDs (OIDs), X.500 Distinguished >> Names (DNs), and reserved words in a programming language. > So Class IDs become unpredictable because OID encoding is underspecified > in RFC4122. I can see the Vendor_UUID being computed with several > different versions of EncodeOID: > - Encode as dotted-integer string > - Encode as DER OID > - Encode as value of DER OID (no tag/length) > - Lots of other ASN.1 encodings possible. > - Future CBOR OID? > > I do not believe we should specify the use of OUIs because 1) they cost > $3000, 2) there is no UUID namespace for OUIs > > I’m not against using a PEN, but we would also need to provide extremely > strict encoding guidelines for constructing Vendor UUIDs, since the > Vendor UUID is needed as the Name Space ID for the Class UUID. For > encoding in the manifest I think we should insist on using the PEN > directly rather than the full OID. But what would we do with a PEN > sub-assignment? > > There’s a lot more complexity here than just “use a PEN.” > > > Best Regards, > Brendan > > >> On 24 Jul 2020, at 23:51, Dave Thaler >> <dthaler=40microsoft.com@dmarc.ietf.org >> <mailto:dthaler=40microsoft.com@dmarc.ietf.org>> wrote: >> >> During the IETF hackathon week, I went through all of the suit >> manifest draft and kept notes. >> My full review in context is at >> https://www.microsoft..com/en-us/research/uploads/prod/2017/05/draft-ietf-suit-manifest-09.pdf >> <https://www.microsoft.com/en-us/research/uploads/prod/2017/05/draft-ietf-suit-manifest-09.pdf> >> which is too long to copy into email here. >> Besides lots of editorial comments, there’s a few technical >> comments/questions, including >> (but there may be more depending on whether you interpret some others >> as editorial or technical): >> 1.Apparent contradictions about whether on systems with a single >> component, whether setting the component index should clear the >> dependency index or not. >> 2.What it means to “break” is underspecified (I’m guessing continue on >> to the next command after try-each, as opposed to go on to the next >> manifest, but it’s not stated in the doc). >> 3.Section 6.7 seems to require using multiple processes, not just >> multiple threads, without justification. >> 4.The trust model when multiple manifest processors exist, in two or >> more security domains, is underspecified, and not mentioned in the >> Security Considerations section. >> 5.Suit-text-version-required expression syntax is underspecified. >> 6.SUIT_Report and Reporting Engine text is added but does not appear >> to be about what goes in a SUIT manifest, so I argue that it doesn’t >> belong in this spec (and is arguable as to whether it’s in scope for >> SUIT at all). It reads like SUIT_Record is yet another alternative to >> IPFIX, syslog, etc., and doesn’t state the rationale for defining a >> new format. You might say that it could be used in an octetArray in >> IPFIX if someone defined such a field, but this document doesn’t, and >> indeed if SUIT_Record is not something that would appear in a SUIT >> manifest, then I think it should not be in this document. >> oFurthermore, it says SUIT_Report can go in an attestation report. >> What’s the rationale for that as opposed to some more typical >> logging/reporting mechanism that might integrate with existing error >> reporting mechanisms and trouble ticketing? I don’t think this was >> motivated in either the suit architecture or the suit IM document, and >> I don’t recall it ever being discussed on the SUIT list or WG meeting >> (but maybe it was and I forgot?) Again, I think my preferred course >> would be to sever it from the SUIT manifest specification. >> 7.Defining a new identifier space (UUIDs) for vendors is not >> motivated. So a vendor can’t use an existing OUI or IANA private >> enterprise number that can be easily looked up? You have to instead >> use an opaque identifier with no way to directly look up its meaning? >> What is the rationale for inventing a new space rather than being able >> to reuse an existing one that can be looked up to get an org name, >> contact info, etc.? (Yes there is suit-text-vendor-domain but that’s >> severable and optional to implement at all.) And a UUID takes up more >> bytes than either an OUI or a PEN, so is worse for constrained >> devices, so why not use an existing space that is shorter and hence >> more applicable to constrained devices? >> 8.The time-of-day and day-of-week wait events are underspecified in >> terms of whether they are in local time or UTC. >> 9.If I understand correctly, if a dependency manifest sets Strict >> Order to false, this will then carry over to the dependent manifest, >> potentially leading to a source of unexpected bugs. Is my >> understanding correct? >> 10.For conditions that are optional to implement, I couldn’t tell if >> that means that if not implemented by a manifest processor, they are >> treated as passing, failing, or as parse errors. >> 11.There are several commands where in certain contexts the doc says >> they “MUST have no effect”. But why not make them illegal to appear >> in such contexts? Why spend the extra space to include them in the >> manifest just to have no effect? >> 12.Swap directive is underspecified in terms of what should happen if >> the destination doesn’t yet exist (i.e., fail vs move). >> 13.IANA considerations section doesn’t yet meet the requirements of >> RFC 8126. For example, it specifies Expert Review but contains >> insufficient information to instruct an expert how to review, per the >> guidelines in that RFC. >> I know the doc is long (109 pages) so forgive me if some answers are >> elsewhere in the doc and I just missed them, >> which just means maybe a cross-reference would be sufficient.J >> Dave >> _______________________________________________ >> Suit mailing list >> Suit@ietf.org <mailto:Suit@ietf.org> >> https://www.ietf.org/mailman/listinfo/suit > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy > the information in any medium. Thank you. > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://www.ietf.org/mailman/listinfo/suit >
- [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Henk Birkholz
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Waltermire, David A. (Fed)
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Henk Birkholz
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Dave Thaler
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Brendan Moran
- Re: [Suit] Review of draft-ietf-suit-manifest-09 Michael Richardson