Re: [Suit] Transactional updates
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 24 October 2017 15:58 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29CD513941E for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 08:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.91
X-Spam-Level:
X-Spam-Status: No, score=-2.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAShhBNN8lBN for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 08:58:45 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0088.outbound.protection.outlook.com [104.47.0.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB74F139209 for <suit@ietf.org>; Tue, 24 Oct 2017 08:58:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eBXBHoYkqJDWDTzUX8rFL1EPt4JIdIHjWDJ+PshctkM=; b=Q8lV1gnSMe+A3hz57K0L6fkaMi868hsXeA6BJpyEo76etqzBH1SpdrKI4S136otzLTSJEmj7brmChbtC98/W45q34qigLew+GcSKv8Iw2FMAc9qAgSZqpQlgCnle+O5R+EMTs8hIoP9A08kuzUQjDC/MYj7oGWh+zzuig1VWuK4=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Tue, 24 Oct 2017 15:58:41 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6%13]) with mapi id 15.20.0178.004; Tue, 24 Oct 2017 15:58:41 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] Transactional updates
Thread-Index: AQHTTMxm72VqV5kScUuMbo0PhTEypqLzB3cQgAAVDYCAAAVwUA==
Date: Tue, 24 Oct 2017 15:58:41 +0000
Message-ID: <AM4PR0801MB27069CB588A0BE3B40EB6A65FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <CAMm+Lwiik1m+rLVd6mvf5LgSxFO34fsGUZ0+gz6m6bj8kpNYuQ@mail.gmail.com> <AM4PR0801MB2706F9611D2F99A89168AD36FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CAMm+LwgiV6FtDv2z0MAPnwjkpfJ0X=FV1jKd+WvocFdz_T15KA@mail.gmail.com>
In-Reply-To: <CAMm+LwgiV6FtDv2z0MAPnwjkpfJ0X=FV1jKd+WvocFdz_T15KA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.116.6]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB2706; 6:ViK43M1PlEMnpnxuA3KA41Q8zXo1sppBm7aN+B6zIRn9nrtfSZZtiMBTzeYzFGvtxSzI//40mwO3L63yJe3s803ssDlRMNtD24rOiHK8cI9Dnz2+JSB8dnd6C+uNgu4s6yXmIecZLrGlWqiJ4v3ao2W8RJzjqjtHmqrpAXA5h44ePEJ4YAyZHsv83xhE03xR4adNxQJudivuNM2FF5FNE43qx7+RtjwbW/Am0nsbaJFa0fVZ7+u7YNi3/0ZIJ9ajru8dg8N+z+In/UITvV95NQ8VvFiZtFXVvmUzRibEj1B094RvRMkr/ielyRO2vwTvzQcbwyCat/P2E4fp2VBtB8r0j5tHCtbmAschI5x2fDo=; 5:yKF9EWvwNF+Fk6ZaSqeYqPcpj1DNmhRSi1cduS4PBvvOF2x6Al8jXfwCzUVkzJ8SbuD4t+ZhRhKMe0sc0fqyVdNGDHS0vLYbwQOaMio2Q64+T0Jd2fnmPZ3zUAaHd0qV/z7hUH5O4QCYUNhY+ITnqeYIT74K+SavLCXXjCtsw5k=; 24:2pmgRhJY3mxV4syyT5OonjVQdSHOId7uz+G6dgRAqgypo486HEUqcp6x31QOAKj1Rt0QWYMDgohk9tjI3EKlR+kuiAIwhgToZ3P1Jss+Rxw=; 7:4542XtPD+rRWkrS4fmerxluUDTE92ZzTwsdLeMSfX8aiHuSVPzBslHvqfZgHco0bplZ4UuuRefYHhwWPZQZvulq04KHuYjLjhPMS2mJ9ns9eT+4QfqscNm3PLT+FxkabFdHQuxeXzaYxYSlYBnUXq0JGBZEXgFAnkopi9H8qlRjQqQL/eLWCpxcZoK+s3gfdJsmN/jH9SSWR1m2mH2qsz3GjFUk+ltQK3YM17ZUT1rB4tU2I7zot5HlGE9/2u6d0
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: ef72e333-a250-4305-2c88-08d51af81910
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:AM4PR0801MB2706;
x-ms-traffictypediagnostic: AM4PR0801MB2706:
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(278428928389397)(192374486261705)(275809806118684);
x-microsoft-antispam-prvs: <AM4PR0801MB2706B857281817A7C1A03D82FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231020)(100000703101)(100105400095)(93006095)(93001095)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123560025)(20161123558100)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:AM4PR0801MB2706; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:AM4PR0801MB2706;
x-forefront-prvs: 047001DADA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(346002)(39860400002)(376002)(51914003)(40434004)(189002)(24454002)(13464003)(199003)(9686003)(2900100001)(53936002)(6436002)(316002)(2420400007)(66066001)(4326008)(6306002)(53546010)(5890100001)(5250100002)(74316002)(72206003)(6506006)(229853002)(10710500007)(966005)(3280700002)(3660700001)(2906002)(6916009)(2950100002)(6246003)(15650500001)(8936002)(25786009)(81166006)(81156014)(106356001)(76176999)(54356999)(68736007)(101416001)(86362001)(8676002)(478600001)(97736004)(7736002)(305945005)(7696004)(102836003)(7110500001)(6116002)(189998001)(3846002)(33656002)(99286003)(53376002)(55016002)(5660300001)(14454004)(50986999)(105586002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB2706; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ef72e333-a250-4305-2c88-08d51af81910
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2017 15:58:41.6557 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB2706
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Hvk82qqityIPNmLAppqlV6wAjBQ>
Subject: Re: [Suit] Transactional updates
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 15:58:49 -0000
I think it is worthwhile to point out that there are a lot of things that need to be done in order to develop a fully functional firmware update solution for IoT. This is probably why it took us 2 years to develop our solution and not just a day. Luckily, most of them are outside the realm of the IETF. With respect to the standardization effort being proposed here we are talking about a somewhat smaller scope to get started, namely standardizing the meta data conveyed of firmware along with the security mechanism. You correctly noted that providing authentication and integrity protection will be key. Our partners also tell us that they want encryption to make it more difficult for attackers to reverse engineer the code. The question about user permission depends a lot on the type of environment we are talking about. For end user products (like in your home) you, as an end customer, may get asked about the firmware update but in an industrial setting the story is obviously different since a single person or a small group (call him/her/them administrator(s)) decides about a large number of devices and then triggers the update. The update may not happen instantly but may only start at a specific point in time or staged. Luckily this authorization step is also outside the scope of this work and also outside the scope in general of the IETF (since it is largely a UI issue). For rollbacks embedded devices often use a multiple, most often two, flash images. If you brick one then there is still a second one. This is quite common these days. Regarding the file system story presented below, I should note that most low end embedded devices don't even have a file system. File systems are mostly used on external storage, such as SD cards. Often the binary that is transmitted with the firmware update mechanism ends up on flash and it is the same code that is executed. "Compression", if used, is often done using differential updates -- not via zip or similar tools. What you see in these articles or videos about hacking IoT devices typically refers to some Linux-based device and then you see how the hacker uses binwalk or some other tools to extract the different parts of the firmware, including the file system. That's not what we are talking about here. This is what I refer to as high-end devices. To put the manifest (which includes the security mechanism) into a larger context we have actually written an entire architecture document, see https://tools.ietf.org/html/draft-moran-fud-architecture-00. In a nutshell, I believe we are solving the issues you raise but we focus on low end IoT devices. As you can see, there are some differences between general purpose operating systems and (real-time) OSs that run on low end IoT devices. So, in some sense that's good news. Ciao Hannes PS: I can take an ARM Cortex M class device with me to Singapore, and you can implement your ideas in an IoT OS (preferable ours, the mbed OS). That might be fun. -----Original Message----- From: hallam@gmail.com [mailto:hallam@gmail.com] On Behalf Of Phillip Hallam-Baker Sent: 24 October 2017 17:16 To: Hannes Tschofenig Cc: suit@ietf.org Subject: Re: [Suit] Transactional updates On Tue, Oct 24, 2017 at 10:44 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote: > Hi PHP > > Thanks for the contribution. > > I am trying to find out what problem you are primarily trying to solve. You list lots of topics below. Let me start with one item where you write: > > "I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous?" > > Clearly, you cannot install software / firmware that has not been downloaded yet. You are not complaining about the slow transfer rate (although this might be a serious issue with many low power radio technologies). You aren't talking about differential updates or updates of individual libraries. Finally, you are not asking for a hitless update either. Lets look at the sequence of events 1) Download the software update 2) Unpack and write files to directories 3) Stop and restart processes or reboot. Each of these need to occur obviously and in many cases user permission is required at at least one point in the process. But the user experience for the desktop right now is: 1) Informed there is an update 2) Pestered into downloading the update, promised it will be applied automatically 3) Open machine to discover that the update could not be applied because software I don't care about was running. 4) Apply the update manually 5) Wait 15 minutes 6) Use machine. Another vendor has a different approach. I turn the machine on first thing in the morning and it tells me it needs to start applying updates. Neither of these approaches is going to be remotely acceptable for IoT because the whole point is to save time and you can't save time if you are giving people systems administration tasks. IoT is the harder use case with lower capability devices. It has to be possible for the process to take place automatically and transparently with the only input from the user (if any) being to authorize roll forward to the new software or to force a rollback to the old. So my preferred implementation would be 1) Detect and download update. This is done under prior user permission. 1a) Authenticate and validate. 2) Request user permission (if required, may be granted remotely) 3) Apply update atomically (may be scheduled) 4) Test (optional) Rollback if failed. > I feel like I am reading that you want to write the downloaded code directly over the code that is being executed. That cannot be true either. No. What I am saying is that the device acquires the updates and stores them somewhere. Then it compiles whatever local index is required to access them and switches from one index to the other as an atomic operation. We seem to be fixed in the 1970s notion of files in directories. This is merely an abstraction what we have in storage is a sequence of bits. If all we require is read access, we can store data in a zip file and read it as efficiently as if it was a set of separate files broken out on disk. We have to run the reader code on the constrained device of course. But file creation can take place on a real machine with real resources. > So, could you explain your first point in more detail? > > Ciao > Hannes > > -----Original Message----- > From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of Phillip > Hallam-Baker > Sent: 24 October 2017 15:31 > To: suit@ietf.org > Subject: [Suit] Transactional updates > > I don't know about you, but I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous? > > What I would like is to download the software update and then tell the O/S to simply overlay the update on top of the file system as an atomic operation. So installing a software update takes a millisecond, no more. > > Rolling back a software update is just a matter of telling the O/S to stop applying the overlay. > > It seems to me that this sort of capability would be very useful at the device level as well. Even more so as the chief concern in any software update scheme is that you end up bricking a device. Building the ability to roll updates forwards and backwards is powerful. > > I would also like this to be integrated into software signing and in an intelligent fashion so that the signature encompasses both the code and the data and it is possible to validate components independently. > > > There is of course going to be a cost and it is the need for storage. > The traditional file system organization is a response to highly constrained storage. I have not yet fully considered space optimizations because I have been thinking about the constrained device but I think my approach could be modified for a fairly constrained device. My approach is not going to be appropriate for your PIC controllers but it is definitely feasible at the Arduino level and above. > > My approach is based on a Merkle Tree based container format. This may sound intimidating but it shouldn't be. I designed, documented and implemented the scheme in under a week: > > https://tools.ietf.org/html/draft-hallambaker-jbcd-container-00 > > or in HTML with diagrams at > > http://prismproof.org/Documents/draft-hallambaker-jbcd-container.html > > > The draft describes a container format that consists of a sequence of variable length chunks that has the property that the sequence can be traversed with equal efficiency in the forward and reverse directions. > This can optionally be indexed via a binary tree to allow random access to any frame in log(n) time. Chain and (Merkle) tree digests may be constructed which may be signed. > > Each frame consists of a header and an optional payload. The payload may be encrypted and/or signed using JOSE. The only fixed requirement for the header encoding is that frame 0 has to have a header encoded in JSON (for interop). The code supports use of JSON, JSON-B, JSON-C and ASN.1 for header encoding, the container uses JSON-B frame encoding because it has to support the read in either direction property. > > The original concept here was to provide an append only container format that could be used as the basis for synchronizing Mesh portal logs between nodes and also as an encryption format for end-to-end encrypted Web sites. Static content is straightforward, but people expect to be able to support applications like Web forums. The idea was to see if we could support a Web forum run on a cloud server that does not have the ability to read any of the content (yes). > > The authentication scope is intentionally limited to the payloads, and the signature parameters. The headers are not authenticated which allows them to be mutable. A device may store the whole update as a single file or break it apart into attachments. The latter approach making garbage collection of unused attachments possible without a separate sweep/collect cycle. > > > I am not sure that the encryption capability is needed for software update but it might turn out to be useful allowing devices to be shipped with code for a wide range of applications and only enabling the specific modules required. I do not like devices to have more code than is necessary for their purpose. Authentication is obviously necessary. > > The way I would see this applied to software update is that the device/desktop would download and verify the incremental updates as a background task (when bandwidth permits). It would then request user permission to apply the update (if required) and set a flag internally telling the loader to use the new version in place of the old. Any processes that needed to be restarted would be restarted. > > This could be used to effect updates across multiple devices at the same time. It could also allow support for features such as testing the configuration and performing an automatic rollback if the test failed. > > > Besides providing a more secure process, this provides a better user experience. > > The code required to support the container format is comparable to that required to implement a SHA-2 or the like. implementation in a TPM or such would be entirely feasible. > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://www.ietf.org/mailman/listinfo/suit > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig
- Re: [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig