Re: [Suit] [dev-mcuboot] Reference implementation of SUIT manifest parsing

David Brown <david.brown@linaro.org> Thu, 21 June 2018 11:59 UTC

Date: Thu, 21 Jun 2018 05:58:59 -0600
From: David Brown <david.brown@linaro.org>
To: Tamas Ban <Tamas.Ban@arm.com>, suit <suit@ietf.org>
CC: "dev-mcuboot@lists.runtime.co" <dev-mcuboot@lists.runtime.co>
Message-ID: <10617C16-B988-42D2-AFB3-BCAC52AABB15@linaro.org>
Thread-Topic: [dev-mcuboot] Reference implementation of SUIT manifest parsing
References: <20180619214859.GA4341@davidb.org> <AM6PR08MB312603F07009683980046297E2770@AM6PR08MB3126.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB312603F07009683980046297E2770@AM6PR08MB3126.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/FmzkhuDxF9jNFYcFca1N8H3VVdg>

I don't really have an idea on the code size change.

However, I don't think we should use an existing library for the parsing, but write custom processing code for the things we support, similar to how we process the TLV data and the signatures now.  It will be best to not just allow any arbitrary signature type, but specifically require certain specific signature types.

David
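To illustrate the approach argued for above (hand-written parsing that accepts only the constructs the bootloader supports, with the signature algorithm restricted to an explicit allow-list rather than anything COSE permits), here is an added example in C. It is not MCUboot code or code from any project in this thread; it assumes the caller has already unwrapped the COSE protected-header bstr, and the allowed algorithm set (ES256 = -7, EdDSA = -8) is an illustrative choice.

```c
/* Added example (not MCUboot code): strict allow-list parse of COSE {1: alg}. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define COSE_HDR_ALG   1      /* COSE header label for "alg" */
#define COSE_ALG_ES256 (-7)   /* ECDSA with SHA-256 */
#define COSE_ALG_EDDSA (-8)   /* EdDSA */

/* Signature algorithms this bootloader will verify (illustrative choice) */
static const int64_t allowed_algs[] = { COSE_ALG_ES256, COSE_ALG_EDDSA };

/* Decode one CBOR integer (major type 0 or 1, at most 16-bit payload).
 * Returns bytes consumed, or 0 on any error or unsupported encoding. */
static size_t cbor_get_int(const uint8_t *p, size_t len, int64_t *out)
{
    uint8_t mt, ai; uint64_t v; size_t n;
    if (len < 1) return 0;
    mt = p[0] >> 5; ai = p[0] & 0x1f;
    if (mt > 1) return 0;                        /* not an integer */
    if (ai < 24)       { v = ai; n = 1; }
    else if (ai == 24) { if (len < 2) return 0; v = p[1]; n = 2; }
    else if (ai == 25) { if (len < 3) return 0; v = ((uint64_t)p[1] << 8) | p[2]; n = 3; }
    else return 0;                               /* wider integers unsupported */
    *out = (mt == 0) ? (int64_t)v : -1 - (int64_t)v;
    return n;
}

/* True only if hdr is exactly the definite-length map {1: alg} with alg allowed. */
bool protected_hdr_alg_allowed(const uint8_t *hdr, size_t len)
{
    int64_t key, alg;
    size_t off = 1, n, i;
    if (len < 1 || hdr[0] != 0xa1) return false; /* map with exactly one pair */
    n = cbor_get_int(hdr + off, len - off, &key);
    if (n == 0 || key != COSE_HDR_ALG) return false;
    off += n;
    n = cbor_get_int(hdr + off, len - off, &alg);
    if (n == 0) return false;
    off += n;
    if (off != len) return false;                /* reject trailing bytes */
    for (i = 0; i < sizeof allowed_algs / sizeof allowed_algs[0]; i++)
        if (alg == allowed_algs[i]) return true;
    return false;
}

/* Constructed sample headers, not taken from any real manifest */
const uint8_t hdr_es256[] = { 0xa1, 0x01, 0x26 };       /* {1: -7}  ES256 */
const uint8_t hdr_ps256[] = { 0xa1, 0x01, 0x38, 0x24 }; /* {1: -37} PS256 */
```

Everything outside the supported subset (indefinite-length maps, extra header labels, wider integers, trailing bytes) fails closed, which is what keeps the code small and the accepted signature types fixed.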

On 6/20/18, 9:05 AM, "Tamas Ban" <Tamas.Ban@arm.com> wrote:

    Hi David,
    
    Do you have any rough estimate of how much the code size will be increased due to the libs for parsing manifest files in CBOR/COSE format?
    
    Does it need a separate lib for parsing CBOR (i.e. tinycbor, cn-cbor) and a different one to verify COSE signing?
    
    Tamas
    
    -----Original Message-----
    From: dev-mcuboot <dev-mcuboot-bounces@lists.runtime.co> On Behalf Of David Brown
    Sent: 19 June 2018 23:49
    To: suit <suit@ietf.org>
    Cc: dev-mcuboot@lists.runtime.co
    Subject: [dev-mcuboot] Reference implementation of SUIT manifest parsing
    
    At the last hackathon, work was done on implementations of the SUIT manifest format.  One way to describe this kind of work would be as a reference implementation: something that could be a starting point for anyone wishing to use SUIT to develop something.
    
    However, I had to limit my involvement in this effort, because some of the code being used was covered under the LGPL 2.0.
    
    I'm wondering if it would be useful to develop equivalents of this code under a license that would be usable by a larger audience.  I'm actually having a pretty hard time understanding how there is any audience for bootloader code covered under the LGPL.
    
    A few of the reasons that the LGPL doesn't work for me (and I believe doesn't work for many of the current uses):
    
      - The FSF considers the Apache 2.0 license to be incompatible with
        the GPLv2 (including the LGPL).
    
      - The Apache Software Foundation considers GPLv3 to be compatible in
        only one direction (Apache 2.0 code can be linked into an
        otherwise GPLv3 application, but GPLv3 code cannot be brought into
        an Apache 2.0 project).
    
      - The Apache Software Foundation considers the GPLv2 (including
        LGPL) to be incompatible with the Apache 2.0 license.
    
      - Both Mynewt and Zephyr are licensed under the Apache 2.0 license.
        Mynewt is an Apache project and would fall under their constraints
        of forbidding the inclusion of any code under a GPL license.  The
        Zephyr project requires included code to be under the Apache 2.0
        license, and occasionally will allow other more liberal licensed
        code to be included.
    
    Regardless of the above, I see a conflict between the LGPLv2 requirement that the user be able to modify the LGPLv2 licensed code, and the general purpose of SUIT to enforce that only authorized images run on the device.  One of the purposes of a signed manifest is to restrict the very action that the LGPLv2 requires.
    
    My conclusions:
    
      - libcose (and any other LGPLv2 code) cannot be used by Zephyr,
        Mynewt, due to policies by these projects.  At best, it would end
        up being something that end users would have to incorporate, and
        SUIT support would not be able to become standard support on these
        platforms.
    
      - libcose (and any other LGPLv2 code) cannot be used by Zephyr,
        Mynewt, mbed OS, and MCUboot, due to incompatibility between the
        LGPLv2 and the Apache 2.0 license.  (Specifically, I do not
        believe the current mbed OS SUIT work is allowed).
    
      - Very few of our end users would want to meet the LGPLv2
        requirement allowing end users to replace the firmware.
        Specifically, those users desiring signed manifests to ensure only
        authorized images can be run are likely intending to prohibit end
        users from running their own versions of the code.
    
    I've tried to avoid even looking at the libcose code (and making sure to look at licenses carefully) since it seems likely that I (or someone working on Zephyr or MCUboot) will need to implement COSE support in order to support SUIT.
    
    David
    