Re: [Suit] [Teep] Unique Identifier of TA_ID in TA_LIST for TEEP_QueryResponse

Akira Tsukamoto <akira.tsukamoto@aist.go.jp> Wed, 13 May 2020 11:19 UTC

To: Mingliang Pei <mingliang.pei@broadcom.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: teep <teep@ietf.org>, "suit@ietf.org" <suit@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/H0pCLaIw0xQQvOhNyMHczLQTE50>

Hi

What I was thinking of is similar to the pseudocode below.


#include <stdint.h>
#include <string.h>

#define MDSIZE 32 /* SHA-256 digest size in bytes */

typedef struct {
     uint8_t vender_id[16]; /* RFC4122, type5, 128 bit, 16 byte */
     uint8_t class_id[16];  /* RFC4122, type5, 128 bit, 16 byte */
     uint8_t device_id[16]; /* device unique-ID, 128 bit, 16 byte */
} teep_uid_t;

     uint8_t digest[MDSIZE];
     teep_uid_t uid;
     sha256_ctx_t ctx;         /* sha256_* and convert_d_uid are pseudocode helpers */
     uint8_t hash_uid[MDSIZE]; /* 256 bit */

     memset(digest, 0, sizeof(digest));
     memset(&uid, 0, sizeof(uid));
     /* the three IDs are filled into uid here */

     sha256_init(&ctx, MDSIZE);

     /* hash the three fixed-size fields in a fixed order */
     sha256_update(&ctx, uid.vender_id, sizeof(uid.vender_id));
     sha256_update(&ctx, uid.class_id, sizeof(uid.class_id));
     sha256_update(&ctx, uid.device_id, sizeof(uid.device_id));
     sha256_final(digest, &ctx);

     convert_d_uid(digest, hash_uid);

Then use the hash_uid as TA_ID in the teep message.

This way the TAM does not have to separately store the TAs with
vender_id and/or class_id.

And good definitions of vender_id, class_id and device_id are in the SUIT manifest draft;
therefore, we do not have to mention the details in the TEEP drafts.

We have to specify which sha256 or anything else to use.

-Akira

On 5/13/20 15:00, Mingliang Pei wrote:
> One of the questions is: who creates or assigns an ID as the TA_ID to a TA?
> 
> A TAM is responsible to install, upgrade, or delete a TA. It may give it an identifier to track it. Different versions of TAs may use the same TA ID but add a version convention. This allows a TAM to identify a TA for upgrade.
> 
> To ensure uniqueness, a UUID is a good choice for a TA ID where a TAM may create to be unique.
> 
> Should the TA developer create and provide TA ID to the downstream systems? It can but I think a TAM may override it if it needs to do so. The TA developer should define a friendly display name for the TA. When a TAM manages many TAs, a TAM operator will like to see friendly display names rather than the opaque TA IDs that are created for machine consumption. A TAM may locally maintain a mapping between TA names and TA IDs.
> 
> With SUIT compatibility, a UUID Component ID for TA ID can work. Is there a place holder in SUIT for a TA friendly name? A TA name doesn't need to be passed to the TEEs for management; it may help debugging logging but may not be worthy of the bandwidth and size cost.
> 
> Thanks,
> 
> Ming
> 
> 
> On Tue, May 12, 2020 at 2:14 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
>     Hi Akira,
> 
>     I had a chat with Brendan about this topic.
> 
>     In the SUIT model there is a manifest somewhere and it provides a pointer to where the binary, and other data is.
>     That pointer is a URI. This is used to fetch the information from some repository.
> 
>     The vendor id and class id are identifiers used by the device to determine whether it is looking at a manifest that can be applied to itself. A device must not install software/firmware it is not supposed to because otherwise you can quickly DoS the device.
> 
>     For me, the question is what information should the device report when it is asked what software it runs. Brendan suggested to use the Component ID and we would make recommendations regarding the construction and the uniqueness we would like to have. For example, we could say that the component id for a TA should be a UUID and the same TA binary would have the same UUID. Note that this component ID could subsequently also be used as a filename but we could also keep it separate.
> 
>     What do you think?
> 
>     Ciao
>     Hannes
> 
>     -----Original Message-----
>     From: TEEP <teep-bounces@ietf.org> On Behalf Of Akira Tsukamoto
>     Sent: Monday, April 13, 2020 7:46 AM
>     To: teep <teep@ietf.org>; suit@ietf.org
>     Subject: [Teep] Unique Identifier of TA_ID in TA_LIST for TEEP_QueryResponse
> 
>     Hi all,
> 
>     I would like to restart the discussion of the Unique Identifier of TA_ID in TEEP's QueryResponse, which was one of the items that came up at the TEEP interim meeting last week.
> 
>     The discussion started between the Hackathon in Singapore and Berlin.
> 
>     This is the link to the github.
>     https://github.com/ietf-teep/teep-protocol/issues/4
> 
>     After going through it again, I started to have my preference.
> 
>     The usage of TA_ID in TEEP message is to distinguish the required TA in the device by parsing of identification id.
>     Then it will be good to be able to match the TA with one bstr for one TA.
> 
>     I started to think hash value might work.
>     Using the hash value from the properties of Parameters in Section 5.4.1 in SUIT CBOR Manifest for each TA.
> 
>     Generating the hash from adding all the properties.
>     These are the required parameters.
>          -  Vendor ID.
>          -  Class ID. # Could be file name for SGX, uuid for op-tee. uuid is used
>                         as file name in op-tee anyway
>          -  Image Digest. # This is version of TA
>     It is up to the user who would like to add optional parameters for the seed.
> 
>     We have to consider which hash function to use too, and easiest to come up is probably sha256.
>     The hash value of sha256 is 32 bytes which is still going to be second largest member than NONCE in TEEP message.
>     I prefer smaller bytes to reduce the teep message size but raw parameters of all three above would be larger than 32bytes, so it may be acceptable.
> 
>     The purpose of the hash value here is mainly to prevent collisions between different TAs or different versions in the TAM server.
> 
>     -Akira
> 
>     _______________________________________________
>     TEEP mailing list
>     TEEP@ietf.org <mailto:TEEP@ietf.org>
>     https://clicktime.symantec.com/3bbx7gUqzexL4igHH5sBig7Vc?u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep
>
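
The derivation sketched in the pseudocode at the top of this message, as an added runnable example (not code from the thread or from any TEEP or SUIT implementation): it hashes the three 16-byte identifiers with SHA-256 and uses the digest as the single key a TAM stores per TA. The type 5 UUID construction of the vendor and class IDs, the helper names and all sample values are assumptions made for illustration.

```python
import hashlib
import uuid

UUID_LEN = 16  # each identifier is a 128-bit value, as in the struct above


def vendor_id(domain):
    """Type 5 UUID of the vendor's domain in the DNS namespace (assumed construction)."""
    return uuid.uuid5(uuid.NAMESPACE_DNS, domain).bytes


def class_id(vendor, class_info):
    """Type 5 UUID of class-specific information, namespaced by the vendor ID (assumed)."""
    return uuid.uuid5(uuid.UUID(bytes=vendor), class_info).bytes


def ta_id(vendor, cls, device):
    """SHA-256 over vender_id || class_id || device_id, in the pseudocode's order."""
    h = hashlib.sha256()
    for name, field in (("vender_id", vendor), ("class_id", cls), ("device_id", device)):
        # Fixed-width fields keep the concatenation unambiguous: two different
        # triples can never serialise to the same byte string before hashing.
        if len(field) != UUID_LEN:
            raise ValueError(f"{name} must be {UUID_LEN} bytes, got {len(field)}")
        h.update(field)
    return h.digest()


def build_tam_index(entries):
    """Map TA_ID -> (vendor, class, device); refuse two different triples under one key."""
    index = {}
    for triple in entries:
        key = ta_id(*triple)
        if key in index and index[key] != triple:
            raise ValueError("TA_ID collision between different TAs")
        index[key] = triple
    return index


# Constructed sample values, not taken from the thread.
VENDOR = vendor_id("vendor.example")
CLASS_A = class_id(VENDOR, "ta-class-a")
CLASS_B = class_id(VENDOR, "ta-class-b")
DEVICE = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    for key in build_tam_index([(VENDOR, CLASS_A, DEVICE), (VENDOR, CLASS_B, DEVICE)]):
        print(key.hex())
```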