IETF Logo Mail Archive

[Suit] On device resets during manifest processing

"Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no> Wed, 06 July 2022 13:19 UTC

Return-Path: <Oyvind.Ronningstad@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BEF4C14CF0F for <suit@ietfa.amsl.com>; Wed, 6 Jul 2022 06:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9NFuQIGFPfef for <suit@ietfa.amsl.com>; Wed, 6 Jul 2022 06:19:18 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80047.outbound.protection.outlook.com [40.107.8.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAB88C15C154 for <suit@ietf.org>; Wed, 6 Jul 2022 06:19:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QipSAAFisa+nU06bgmtD2uzWa1Jxbb2wnQRrxHUKBQFSwY7ErpRR1vAZd9TnBpNTsVuDUIX0CykWaFDhTRI6XCbIEUXM6GrbQBYPfHU8zR6jJCWCi3OrQiVpd4hKjOQpGjK1B/2jFK49lcJpaYPEriPaARC76Wt9/9l5sTYWDOjEAqJE2+Cgh7vDBxLFbBOllGhO5fgeC7S0SLsczXMrZdV2oQHQsCjscI09lVDs2WxomDOIaNTSsKrzWUZQHvhwKD34q0g4Ju70yMaC/P/XKBZoIe6yyNnzl9MlS7VCqGe5F+OSgKEgvtmB2q0hR9POFtembzCFfw3SDoSCSc7Gsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kck5Am06NXWSKjvYxkf6GoOGjjvQIuXo05n5+6uqRSk=; b=g/Og7/R13UhxmNfi/XrLR5Y26xpd3NJIlqlyRv1BwC/tQAX5QAf8ewoFMEOb339zVXg1dl7b8TthgwQolHwAAlSx+7qK9UtaHqqDOCEqp1Ag9sqgzQ5mc0gpJdPM4xub8uj1EY5D1tQoV2tlUAJ1LTN7lY+WlHkJlH6N1uwz9yHmF7tEzuBcpyM3J8UqPqFW13e7OvlWw23enECr2ZML6DdkNDTmAxB1pWRY8czCYhSUfS48GDL6UOFtQQm0ZBe+9Z8MWzpmYLmnzLXTEASoMq+i4QpbtbhUGH1Cy9T76t9Cqa0KbELwWVtp5iOu8JrwH/R7m7pNtVS55mh24MwOVA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nordicsemi.no; dmarc=pass action=none header.from=nordicsemi.no; dkim=pass header.d=nordicsemi.no; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector2-nordicsemi-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kck5Am06NXWSKjvYxkf6GoOGjjvQIuXo05n5+6uqRSk=; b=c27lGtgp5pRQtxh2v0hTpI22bi1iBJ5B2ku0G68589qmU7hCcqHptBOXAOoKc8qW7t8m3+Jut9fTKLZn5IN+4OCqq3mYPoxHv7N5ga7Dda/Cy//8b4R7O39xS/NR4PIrYlIVtV73FJs82CuiUhiSa57nMReGxZCM/iUdSseAiIQ=
Received: from AM9PR05MB7668.eurprd05.prod.outlook.com (2603:10a6:20b:2cc::13) by VI1PR05MB4366.eurprd05.prod.outlook.com (2603:10a6:803:41::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5395.19; Wed, 6 Jul 2022 13:19:10 +0000
Received: from AM9PR05MB7668.eurprd05.prod.outlook.com ([fe80::dd1f:a176:9106:ff37]) by AM9PR05MB7668.eurprd05.prod.outlook.com ([fe80::dd1f:a176:9106:ff37%2]) with mapi id 15.20.5395.021; Wed, 6 Jul 2022 13:19:09 +0000
From: "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
To: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: On device resets during manifest processing
Thread-Index: AdiPr99Tl0KFMg/lQV6mT+U8i/TDfgBgohtA
Date: Wed, 06 Jul 2022 13:19:09 +0000
Message-ID: <AM9PR05MB766827642091BA812BAC891188809@AM9PR05MB7668.eurprd05.prod.outlook.com>
References: <AM9PR05MB766851037AC1FA6D542713A588809@AM9PR05MB7668.eurprd05.prod.outlook.com>
In-Reply-To: <AM9PR05MB766851037AC1FA6D542713A588809@AM9PR05MB7668.eurprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nordicsemi.no;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1165af1a-5e69-43f3-9a5c-08da5f521cae
x-ms-traffictypediagnostic: VI1PR05MB4366:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4mv6JGLEycLSo/3xSQcipxS/n/boV7aG2SnxAmKwGmXSeKaEpBe9se7t/0d5rJo296K1sUMStCIdNfXOgFpF5bu4ABnpVae3df7uyZk7rMbCcY9fBVpgTqtnWydHB5OfazD8aVBX/lQp8FhEVmND3QPgT8Ggzs3D4lbFdgfwmOK7Mk8BuCVtdKCMX4uHDJpsNE+Ylz+cKZgFMur75F496EjOOP7GhqGQwrR0AhlyPLFiu/zsl2hb4TL/1DJuve2004QYQ6+qcU1jWDSEG6o42dmhVUPf8I+BxImy1bJOjSBQEadzpNDPWuaXoM30s6gSXtbNptmXrjEJkw53GLKNb6356yAeJHj3azTFOd2OGaSR+PcXZEmwXhgEJHtdZu3u9Na9wEa3Q/5aq/aN1V/tduA67bz47cP6g+0dhXVw80tPjc6dDW4PO4McVd96EfSBHa1BEx61XNqHlMU8A+IHBbNaCBxIFgKv6hJ9sccjcgrw6jBPsWxCk4jKpOAuO8IxzKrR6jbEMt234qX7y3aVKRFYrKeGMrPW5U1LvCXBg5cJ/Aov+qb2XSR/3KY6BhC+xEQdik6hVRpIESUR2ohb0dCl6npYvaYXsI15ac6EmFXRDQtOZWD7Js+ZSRgUK5CfjHz5XwQuClsAE+eYJeubMHheix8vbCu2tPkaB4Vl62De/xxMdezy9dFVDAQpzASX5WA5Z6NRLMW9Fqj/zfsUu/zu8JRjH+2WHltGAwxW9krELzBTwTfXuXewVWTifdTrEzPnNMkj0JhwX6naRNTpqqS1K+WDpBs/LeOeb2AbZZMTZfMUj4qt0caSGNvjI5RX
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM9PR05MB7668.eurprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(346002)(366004)(396003)(39850400004)(376002)(136003)(83380400001)(9326002)(186003)(38100700002)(55016003)(5660300002)(66574015)(2906002)(52536014)(33656002)(8936002)(64756008)(316002)(66476007)(66556008)(7696005)(66446008)(76116006)(2940100002)(86362001)(478600001)(9686003)(38070700005)(122000001)(6916009)(41300700001)(71200400001)(8676002)(6506007)(66946007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BP2EEg9OqyQLc+9tSlGU0IKxAyfJUFtgc/5h5PLI/Pg7zksEf8NZ7ri4wrijqREwG+t+X8xibAwqjSZ9DS7fdmWhcdJlebpjPAWSm0yGzMDNOP3D8gLJbkA7pLtncVS8NlxdiAr+X5alU4rDo/mjYhDaZCtbbbm6IGZyK71iElgbBJpeRH6sNvfcesMC2HlfEHqPWPZJQaxiakQCzgiuotGK06UjCD1FNayfH9aIZZl4+hIhrPqAo1UHB1KDmDjIhy1eSBMdqGUnPfTMqB3vdOwG7BWdDoi6qhzgx8dvOWDGCCUxurLyUtozaVzMPz+VM77dpk29vwwW2/DCOFpO1nFox60nb9AFyRn8ceJtTtYIjrBC4iDXlHDRcxyk4Vm+bK2D/nZRdhiBBrgiMKqrieqwIzWSFPpT1Dwro3r3szEpfYsV6Axey4nweQa4SCYrIFuarScXcA5VOPEZ52/ia3VHvYplo5zJvC2dUwtu1fBKSVDZPzRXlH+yeHsJBKAWSJSJkYbUh4Ix7bmraoTb48jnv3GHxDwrJMe67DfUDYh7XHbHH6j38olxCxMC6veaslHaSRoVYBrHo4Z/WhBad/y8eNS3Sy4TyL4EhWT3THBDZQP3UT7cTXRMeEL+Udt83nOhf3g5ocjFbqWyyh8YpSNegCTz+N5YI6xkaUN5fJb2odrmuOl9VrneUe6zsOHU0r36KBdE/s+XDEb5Nxaw/yRXZFJ1M2zuZ8a09ivybi1fYOjgKTc+TUk6+eSk6abyqtCk0QtYXf/ykV7tQi/maemUVoU/ImGab1k+E8bryY/AseWLB0gbkRL1oNmBMgONLZI14iait11w53QCK04WalIrCKRuM04UL3UqInUr+n50A7nK1u2LIPXRTxZIby05bz6dPVwPLoT+YP8Kfu4Agjo43zjVkPWd1HxEOvgfNzKBI5m7uunfwyuUZisoGvlmHAlztPN67CnGZlaAWqJKw7wCcw9W45fTpWlYJujlj4s7h2ndw8+BuMzUobgWQyZWlzoFb66/61rdUGrel58ZgG9rVDv/0doz6JJl4/OLR3/h51med/0/axNKT5PvFdAr4JlWoSQg8d9C3o2erZIDgFEO7NQWKNm1r/GP8+XaUHGsac5S5vFZWAVdiYN1djrAYkVUCQcC417SOe/giHy7vyZ6Pwkycz835PDOgP8dqqBgksC2wDD1YX6Wu3bR7wpYEVi15A2MH92DB9HSQtHp+Xn1JdgNB/6xKAN3I3SMbFWIFSuZoezbWs8cKKYb/gZCep7gg2UmogZAffmnemR99S1V7z+H+/0vj+/ek30k6thD2rbgopmHZGWinr4wNHNr97hIYtH+8MA9n6HZcDLnWRAfK3tRtDQdH/7XeJMos3tsbTqEZLo5UhLep/1a7HSTFap8F4cowa5hTJyAGU3NnzsesPTxlWAB2mbYUluMxkwwqLlTxocmZlOd4mxfGmV3R0Pwdw9ZLvBCy0riDwlNyLekqNJzpl37ea1ejHQfwDf3H3lglumo3O773fZlu6WY/pbdhsF34qhvK5exwLGNmKhosliRZ0FyHrtjK5FYpYqyAvT7UQcsidcsABq9b0moLdGhJZHoWeW15kYUwXrDn4GSagqdmYH6Ozj/FsgciPZWKhyp2+29mt4Fse0hb8oT/+wh7oP92Ie0u2S8pJlA0A==
Content-Type: multipart/alternative; boundary="_000_AM9PR05MB766827642091BA812BAC891188809AM9PR05MB7668eurp_"
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM9PR05MB7668.eurprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1165af1a-5e69-43f3-9a5c-08da5f521cae
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jul 2022 13:19:09.9195 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: l0aX5eGDqHd7Wk3/KU6/sRkVb8WjFp4Lwnmju2Vb2df4omQGVaoF/FZys6Q1X6EbQ32yE1ecOJQxC8UiOZKoUDVJjV5+BnSWV+0YCfvidiC9zEajIoVEqXTJUR5WfnvQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR05MB4366
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/6AQzebRQf5UAgPoxfhBghuUqCJg>
Subject: [Suit] On device resets during manifest processing
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2022 13:19:20 -0000

Hi
When implementing a SUIT manifest processor, it's essential to make sure that a power failure, or resets from other reasons, doesn't leave the system in a bad state.

In update procedures (fetch, install, process dependency), the "instructions" cannot be replayed. Or rather, certain procedures might be unrepeatable, for example with this sequence:

  1.  Copy from address 100 to 200
  2.  Copy from address 300 to 100

The final state will be erroneous if 1 is replayed after 2 has happened, since the source address 100 has changed. This means that the processor needs to non-volatilely cache its current state in some way, in case the chip is reset while processing the manifest.

The problem is that we can't know what the current state is. There might be some later instruction that relies on the state of a certain non-volatile memory location, but if a reset happens, that location is corrupted.

It's possible to construct command sequences that are impossible to properly guard against power failures, without caching the entire non-volatile memory component. For example:

  1.  Copy from component Foo (non-volatile) to component Bar (volatile)
  2.  Copy from somewhere to Foo
  3.  Copy from Bar to Baz (non-volatile)

If a reset occurs during 2 or 3, some or all of Foo will be overwritten, and Bar will be impossible to reconstruct, unless Bar has been cached in non-volatile memory between 1 and 2.

I think requiring all non-volatile components to be written to non-volatile memory when caching is not a viable solution. Rather, command sequences should be constructed in a way that, at most, the current parameter values and current instruction needs to be cached.

Even with well-constructed sequences, caching between every instruction is unnecessary, and would make it close to impossible to use volatile memory components as these always need to be re-initialized if a reset happens.

The best solution might be that the manifest author has to manually specify via a directive when the current state (current parameter values, current instruction) should be cached.

An alternative would be to always store at certain points, e.g. at the end of a sequence. This is awkward since it will interfere with the other reasons one has to group sequences in a certain way. This will also embed the decision of when to cache into the structure of the manifest, so there might as well be an explicit directive.

Another alternative is to say that all update procedures must be constructed in such a way that they are intrinsically safe from resets. This places the restriction that a component cannot serve as a copy destination after it has been a copy source, unless it was also a destination before it was a source. It also precludes the use of e.g. the swap directive (unless it has its own revert machinery). This will certainly be ok for a lot of applications, but may be too restrictive as a general rule.

(Certain directives like swapping and delta patching need their own internal state-saving in any case)

The final alternative is to have the manifest processor infer from the manifest which points it should perform caching at. This requires finding a simple and robust method of making this inference. It likely requires the manifest processor to be aware of when different memory components are used as copy sources, and also the lifetime of volatile components. This might become tricky if e.g. multiple component IDs refer to the same memory areas.

Regardless, I propose that we add some text about this in the manifest document, about the usage of volatile vs. non-volatile memory components, and procedures for recovering from resets. It might also make sense in the information model, if there is ever an update to that. Something like the following:

                THREAT.DEVICE.RESET: Forcing a reset of the device

                Classification: Tampering with data

                An attacker sends a valid update, then cuts power or otherwise forces a reset of the device while the update is being processed, leaving the device in an invalid state. Depending on how the manifest processor handles such resets, this could force unintended copying of data from a component that is in the wrong state, causing destruction of data, or booting or transmission of bad data.
All of this applies most strongly to the fetch, install, and process dependencies steps. The validate, load, and run steps already obviously need to handle device resets, but it might be good to mention that this includes resets that happen in the middle of any of the steps.

BR, Øyvind Rønningstad

v2.23.0 | Report a Bug | By Email