Re: [Suit] Call for adoption on manifest draft

Brendan Moran <> Thu, 20 June 2019 13:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D123120108 for <>; Thu, 20 Jun 2019 06:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PkUZHsD6v_V0 for <>; Thu, 20 Jun 2019 06:53:33 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8051312015D for <>; Thu, 20 Jun 2019 06:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lzeWmac7uLdsd6si/1h7mdWsMea2OAe8yy0ySDPA4dA=; b=DrWVoI0Aa6EjAumIibWD4V30ngKvmh6Tf1fJ9b41+iL4Nd1UHXdUH9FtUf3LKFQoAkUcwvYSZY7gQZlA4/tw5gPhfcKrGT6whp0P98yEpbjylb8e0124U0bDzj4n8+hEtIz6Uk47941v0iEaEYyaJeVDrX+8iEo1nAcdNoky+ps=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1987.11; Thu, 20 Jun 2019 13:53:29 +0000
Received: from ([fe80::2450:8832:f217:9327]) by ([fe80::2450:8832:f217:9327%4]) with mapi id 15.20.1987.014; Thu, 20 Jun 2019 13:53:29 +0000
From: Brendan Moran <>
To: Michael Richardson <>
CC: "" <>
Thread-Topic: [Suit] Call for adoption on manifest draft
Thread-Index: AQHVJSxgMr2ekVH4IUS4nJuL02lq+KahDuQAgADUjYCAAD1dgIACc+wA
Date: Thu, 20 Jun 2019 13:53:29 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.102.3)
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: def145e3-cfa0-47ea-d3c3-08d6f586ad08
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DB6PR0801MB1960;
x-ms-traffictypediagnostic: DB6PR0801MB1960:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0074BBE012
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(136003)(396003)(346002)(39860400002)(366004)(189003)(199004)(51444003)(40434004)(76176011)(8936002)(50226002)(66946007)(6486002)(66446008)(5660300002)(66556008)(64756008)(2616005)(91956017)(476003)(26005)(66476007)(66574012)(186003)(76116006)(305945005)(7736002)(6246003)(6436002)(6512007)(99286004)(6306002)(11346002)(478600001)(72206003)(57306001)(446003)(36756003)(25786009)(14454004)(966005)(53936002)(73956011)(68736007)(6116002)(81166006)(33656002)(229853002)(256004)(486006)(102836004)(3846002)(86362001)(316002)(66066001)(71200400001)(14444005)(71190400001)(5024004)(81156014)(2906002)(8676002)(6506007)(53546011)(4326008); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0801MB1960;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: O2tzyCkI6k/h4pz2nO7DKXyxiJpf8L18uNYmFNsuRMNIxIhYrSD96RwlloR67ITO/VyYsIOGw2t8PgAInlSBzMcMAQB8zdSAU9FqeCmWQcXqPNVtb1ykNXyLY8zb/ht2iYrgaLOZl9tD+TJRcc4QlDmfMFJhnCTWyZi37RksfleUnH69+ZrHbVR8GiRl7mR6c0xQgo0Kz+24c3kouNAxNA5G4xwBeG/rXosZ0O8o2lOzl0KQsJzRbr7WwQQ9R76AG0mrFef6aTbuqtUT4WnUvHyuFKPQfyTj7I6KA6MDmsThOQAJZbURzJcVtD8xVIrhFtlHF7s1fiYNC/Ysv2sGOleec7v4xcwb3ubeOlYwEN7THAdtfQIbq0UWeaaugfnLxs9Uqc+3Ovz9sXVU3jZryw/BYULuD6l67d9z2oDR5h0=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: def145e3-cfa0-47ea-d3c3-08d6f586ad08
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jun 2019 13:53:29.5131 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1960
Archived-At: <>
Subject: Re: [Suit] Call for adoption on manifest draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Jun 2019 13:53:42 -0000

Hi Michael,

Thank you for all your feedback. I agree that some of the wording could be much clearer. I think I also should lay out the motivations for this change from declarative to procedural much better.

I believe that the behavioural (or procedural) approach has many benefits, but I want to stress that this is not about solving some arbitrarily complex problem; it’s about compact encoding, meeting the requirements we have, and enabling precisely defined device behaviour.

First, I have three observations about firmware update:

1. To eliminate a source of user error, simplify management, etc., we can’t have many similar formats, there needs to be just one.
2. Making a parser small and easy to validate requires a simple format, with few unique structures and low nesting depth.
3. Almost all user stories and security requirements are implemented with a small number of fundamental operations.

This makes behavioural manifests interesting. Because they are naturally shallow, repetitive encodings, they are simple to parse. Because the information contained in the manifest is very closely related to the operation the device must perform, they are simple to process. This should mean that we are able to achieve parser simplicity goals for a constrained device without sacrificing capabilities needed only on larger devices.

However, this simply makes behavioural manifests interesting, it doesn’t justify them for use in suit. For that, we need to look at the whole picture. A rough set of requirements for a manifest format in suit are:

1. Meets the information model requirements for usability and security
2. Simple to parse on a constrained node
3. Simple to process on a constrained node
4. Expressive enough to enable advanced use-cases on unconstrained(?) nodes, e.g. Linux.
5. Compact encoding
6. Extensible
7. Comprehensible by an intermediate system
8. Constructible by a moderately skilled user

I suspect that 1-6 are not up for debate and that 7, 8 are the contentious points. For 7, I think it’s important to look at the different systems we have in the constrained node use-case.

There are two classes of metadata used in firmware update, with two very different sets of constraints.
A. The metadata consumed by a constrained node in order to consume the firmware update.
B. The metadata used by an intermediate system to make decisions about the update

A) has to be small and easy to parse and process and B) has to be easy to reason about. In previous drafts, these have been the same. I now think this is detrimental to the constrained node. However, there are challenges posed by dividing metadata into consumer and intermediate metadata. I think we can resolve these issues in one of two ways: either by using tooling to extract relevant data from the “byte code” of the behavioural manifest, or by encoding two sets of metadata using severable sections, as previously discussed—this will be the default with encrypted or partially encrypted manifests anyway.

If the suit-wg chooses to pursue the behavioural manifest approach, I think we should focus on tooling to extract information. I don’t believe it’s complex to implement, and I’ll endeavour to prove that. However, there is certainly some value in being able to encode data for an intermediate system in a severable section. Since this has costs in manifest size, I think the best way to do this is to add a JSON blob as one possible element in the already severable text section.

To resolve 8, what we need is tooling that can construct a manifest to deliver one or more images, based on whatever capabilities are reported. We probably need to discuss what this looks like. A simple version would work by using templates for a set of standard use cases, but allow users to produce more advanced operations if needed.

However, I think there is one more consideration: implied behaviour. When a manifest is sent to a device, it is an instruction to do something. I think this makes procedural information a much better match. If the content of that manifest is purely declarative, then the behaviour of the device is implied. This means that the specification must make explicit what each information element implies a device should do. As long as each information element is isolated, this is achievable, but if information elements interact, this quickly leads to a combinatorial explosion in the specification. If the behaviour of the device for any arbitrary combination of information elements is not explicit in the specification, then the specification will be open to interpretation, which will inevitably yield surprising results. For a security-critical system, like firmware update, the last thing we want is surprising results.

I believe that the behavioural manifests are the best match for constrained nodes because they simplify the parser and the processor. They make the behaviour of the device explicit, rather than implicit. They are extensible without undue complexity on the target. They do present two challenges: interpretation on intermediate systems and construction by an unskilled (in behavioural manifests) user. I think that we can solve these challenges and I think that the interpretation challenge, at least, is less complex than it appears. I’m willing to trade complexity on intermediate/authoring systems for simplicity on a constrained node. What remains to be seen is whether the suit-wg agrees with my approach or not.

Best Regards,

> On 19 Jun 2019, at 01:26, Michael Richardson <> wrote:
> Michael Richardson <> wrote:
>> Are the problems we are trying to solve so complex, varied and unknown
>> that we need this?
> The most complicated situation that I see is one where there are multiple
> firmwares images and they need to be upgraded in a particular order, or
> things stop working.  The Android case of KERNEL image vs RADIO/BASEBAND
> image is perhaps the simplest example of this.  (On some phones, you'll
> not just lose LTE if they are mis-matched, but maybe WIFI too, and often
> you'll get a kernel panic.)
> {At this point, I wandered through the document and then into the
> architecture document looking for the terminology for where a firmware image
> goes into.  The best I came up was that it was a component.  Above, in my
> android case, there were RADIO and KERNEL as slots for firmware}
> I can readily imagine Industrial applications where it could even take
> multiple passes:
>    1) upgrade component A to version 1.99 (which tolerates B being at 2.00)
>    2) upgrade component B to version 2.00
>    3) upgrade component A to version 2.00
> It should, I think be possible to express this process in a single master
> manifest (with dependancies, I think) rather than staging it somehow via an operator
> action.  It might be that each step takes mulitple hours to days to transfer
> the image, and the device needs to be operational the rest of the time
> (double-buffering).
> I think that the current document can accomplish the above rather simply, but
> it seems to go a lot further.  (To infinity... and beyond!... so good work!)
> I think that the directives tries to assume some kind of universal firmware
> updating system that is identical everywhere, rather than assuming a
> universal firmware package format, with firmware updaters in specific to each
> device.  Perhaps this comes from being a SoC vendor that is trying to support
> customers with a large variability in uses, but wanting to provide them all
> with an identical baked-in-internal-flash firmware system.
> I would be interested in David Brown's view on this.
> ps: I think it's only the directives which are the problem. I think the
> SUIT_Conditions are perfect, btw.
> --
> Michael Richardson <>ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> _______________________________________________
> Suit mailing list

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.