IETF Logo Mail Archive

Re: [Suit] Firmware Transport Protocol

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 24 October 2017 16:45 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39FD8139553 for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 09:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.909
X-Spam-Level:
X-Spam-Status: No, score=-2.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXzQ1JAACF5H for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 09:45:36 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50086.outbound.protection.outlook.com [40.107.5.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 601FA1394EB for <suit@ietf.org>; Tue, 24 Oct 2017 09:45:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=uhFJAxiGVBb6iOZCgrrKV9KsW+2Jb5s3K8yZ62RQvF8=; b=JMXwOBhKP+IHj99M9BJNIPBCGB7/FyTBR1b18W/LTmu5iKNOvS4dzqTyLSU0AkJD6FEV+Ua3kHOKyvXeNFdqJOKzqhaI4TdtmxBvU0xpTnbfc7yz4Es/F95anS060COyXjvQYR5CU5/RNcvaiaqCwOSJiiMUT3hzEQyFvQnYfts=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB2705.eurprd08.prod.outlook.com (10.167.90.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4; Tue, 24 Oct 2017 16:45:32 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6%13]) with mapi id 15.20.0178.004; Tue, 24 Oct 2017 16:45:32 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Alexander Pelov <alexander@ackl.io>
CC: Suhas Nandakumar <suhasietf@gmail.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] Firmware Transport Protocol
Thread-Index: AQHTTIliEOBeUHGRlkaB2Alzn0YozKLyl0AQgAAHyoCAAAAxIIAAA/gAgAAAkgCAABJ8AIAAF8xQgAADroCAAAB4EIAAYKCAgAACL+A=
Date: Tue, 24 Oct 2017 16:45:32 +0000
Message-ID: <AM4PR0801MB270622C0E35FFFFC582573C2FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <CAMRcRGS6eJBXFNgsWUr8fLziWEF5ou5hcd-dHSMEeTBcgMBm1A@mail.gmail.com> <AM4PR0801MB2706C77E1B52A9970216048CFA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <563BCDC6-F43D-44B8-AEAB-2ED7F017EBB5@ackl.io> <AM4PR0801MB2706658687112F537B708588FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <D4EED54C-50F1-47BB-BF73-4681B0E591F4@ackl.io> <AM4PR0801MB27069B9660D38AC6B03BA537FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <08378A64-F473-4A8A-BB26-5F0832AD5598@ackl.io> <AM4PR0801MB2706ECA6DD479575FF87B652FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <79A60383-3CA6-461D-8D99-0A8F99D69319@ackl.io> <AM4PR0801MB2706360F7F3F28A865F79410FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com> <388CD4A3-C17C-4D21-8306-D0810B99BDCC@ackl.io>
In-Reply-To: <388CD4A3-C17C-4D21-8306-D0810B99BDCC@ackl.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.116.6]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB2705; 6:DZytOGMHSe9ihsUru43HsQWH2I29wvFSjNv6gvPDVulFS9BVVuf3gQITWUdUm0jdRmVUVHX8pymK7He+ODtMjiQAhDFwtiFLTXIuF7CNf9y7qhb6OSNahknccP3gYZqGQu3HnGm9ECk3BbZT3PCNKl4mIm7rRYBJ1pjtNbwCmlGOS9xkI0KfzBfFL4TBBFhcy9oLbIckhO60j4PjVU6zNiZ9lAZDvr5SQDwug3z6WhseyAFIiLggmxjuM8quf/u5yL6Wbwgn1YkDqz7wqzd9hP7yplBkdpdyhVF501+ybaAQfft+sba2G5PswY09KcZZVLBaddGlP4uuSYcaodj0dg==; 5:HMlteN/2vl6L6oh23hx0BlwAeHp0x3FXybDe5KIdo/r8bRRxQFWVGKhUo4si0PITxOF7ygiC0Byf+VK8Ot/XXAfgmu6oYMRO9Dc2MfGd19jX4Nyd97UC9bnpjmYfU8K54Kv+i3CzVHqvnppwmbII7g==; 24:gMhIOKRIyN5KZgbWSQTmqoIereUdP++Mc1lHpFxHw+NKn4xCoJXVc85QiNYaIeCxgu8Z/frJvud56HwM28DIWb4wR+akOcHzND1sBIlgfjw=; 7:b/H1F7RC1a8OQmk7HRQNTZJgvM8rCHFaUGSu/YIr0B+GmXtoWEd8Las4Ho+nn5b8XN4K/R3Enn+oO7X9oC1EvA5uvWFDSUXRnLGDlT3X3/mc0yXifH0wunu9QgC648wrLVHb9iQHvR8QLdorI7uGLljUm06ZVOWozOk/dabmS29xDRHBWKAz+U9jZAG/TbOM/uJ3FDzIM4mMY/EpuUKhtjLSUPR8Q4CktJtY9ZR6+44=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 192f7462-56f0-48df-2109-08d51afea458
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:AM4PR0801MB2705;
x-ms-traffictypediagnostic: AM4PR0801MB2705:
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(192374486261705)(21748063052155);
x-microsoft-antispam-prvs: <AM4PR0801MB2705543662F7187382F64F18FA470@AM4PR0801MB2705.eurprd08.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(93006095)(93001095)(3002001)(10201501046)(3231020)(6055026)(6041248)(20161123558100)(20161123562025)(20161123564025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:AM4PR0801MB2705; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:AM4PR0801MB2705;
x-forefront-prvs: 047001DADA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(39860400002)(199003)(51914003)(40434004)(189002)(236005)(3280700002)(54896002)(790700001)(102836003)(7736002)(316002)(606006)(25786009)(9326002)(53936002)(2950100002)(6916009)(39060400002)(105586002)(68736007)(54906003)(106356001)(478600001)(5660300001)(7696004)(966005)(6116002)(72206003)(3846002)(8936002)(74316002)(6246003)(86362001)(8676002)(81166006)(81156014)(97736004)(54356999)(14454004)(2900100001)(6436002)(50986999)(53546010)(33656002)(189998001)(76176999)(101416001)(93886005)(9686003)(6306002)(5890100001)(53946003)(55016002)(5250100002)(99286003)(66066001)(2906002)(229853002)(4326008)(6506006)(3660700001)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB2705; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM4PR0801MB270622C0E35FFFFC582573C2FA470AM4PR0801MB2706_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 192f7462-56f0-48df-2109-08d51afea458
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2017 16:45:32.3578 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB2705
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/IjPVTCemkqUEfflaeORot3H7jXY>
Subject: Re: [Suit] Firmware Transport Protocol
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 16:45:40 -0000

Hi Alexander,

A few remarks below:

From: Alexander Pelov [mailto:alexander@ackl.io]
Sent: 24 October 2017 18:34
To: Hannes Tschofenig
Cc: Suhas Nandakumar; suit@ietf.org
Subject: Re: [Suit] Firmware Transport Protocol

Hi Hannes,


Le 24 oct. 2017 à 12:59, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> a écrit :

Hi Alexander,

Great! So I think we can converge on the YANG part and if necessary we can work on it together (there will probably be a YoT side meeting during IETF 100, so we can actually try to prepare this ahead of the BoF?)

Sounds good.

On the encoding: we’re using CBOR in the application layer, so there are already CBOR encoders in place.
I am not sure if we can actually live without ASN.1 (e.g. if we don’t need X.501 certificates and all the rest)..

You would need COSE in addition since CBOR itself just defines the encoding.

Currently our description explains what we had implemented and the solution is based on asymmetric crypto and the use of X.509 certificates. While it is possible to use raw public keys our experience with the industrial sector has been that they are somewhat conservative and want to re-use their existing infrastructure. When you use X.509 certs then you will also have an ASN.1 parser. Even if you use COSE you are most likely going to have an ASN.1 parser since the requirements for X.509 certs will not magically go away when you switch to a different encoding.

As a consequence, yo you will have to implement COSE, CBOR, and the ASN.1 parser. Furthermore, the functionality of a firmware update mechanism makes it quite security sensitive and hence you will put the code into the bootloader (Brendan provided more details in earlier email exchanges on the FUD list). ASN.1 parsers are widely available (since they are part of every security stack these days) and their quality is quite high.

We raised the question about the use of symmetric key cryptography since this is something we had mixed feelings about but nobody responded. On one hand it is a more efficient mechanism but on the other hand it provides weaker security properties.

But this actually brings up an interesting question:
- What are the requirements for the manifest file
(because, if you but ASN.1 or CBOR there, then it becomes a MUST for the end-device to support it)

Could you explain your question a bit more?

Thanks for the detailed explanation. Actually it is what I meant by saying about the ‘MUST’ statement.

The question is, will a device which supports SUIT be required to implement X.501 certificates? (I am not against - I like them quite a lot).
Another way to say it - what is the scope of SUIT? Is it X.509-only based firmware update system for IoT? (including the future architecture that will be defined and so forth)?

Are we going to start with X.509 and then add other as we continue?

[Hannes] The charter leaves this open for discussion by the folks involved in the group. Only because we have implemented an X.509-based solution doesn’t mean everyone should do the same. The draft also allows for the use of raw public keys. We understand the desire to have something more lightweight but at the same time everyone wants to have it secure as well, which is a challenge with a plain PSK-based mechanism.

Is the focus primarily on the Manifest file (and thus, the importance to chose one path), or is it on the process (and thus potentially allow for several mechanisms)?
As currently proposed it is focused on the manifest format, which includes the security wrapper. It is not focused on the process, since standardizing processes is not something the IETF is particularly great at.

I don’t think we should make a complex solution - and I would encourage a simple one that works. I think it would benefit if we try to narrow down before / during the BoF on these points.

Thanks.

Ciao
Hannes


++
Alexander




Ciao
Hannes



++
Alexander



Le 24 oct. 2017 à 12:39, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> a écrit :

Hi Alexander,

we have actually thought about exactly doing the same as well (in the anticipation that the usual encoding discussion comes up). Unfortunately, our Yang language expertise is a bit limited. (Note that our interest was really only in Yang as a language for describing the format rather than in anything else.)

While the encoding appears to be a fundamental thing it is actually just a distraction from discussing the semantics of the fields and the security stuff.

Regarding your preference for CBOR I will ask you the same question as I did to Suhas: do you have actually any reasons?

Ciao
Hannes

From: Alexander Pelov [mailto:alexander@ackl.io]
Sent: 24 October 2017 11:09
To: Hannes Tschofenig
Cc: suit@ietf.org<mailto:suit@ietf.org>; Suhas Nandakumar
Subject: Re: [Suit] Firmware Transport Protocol

Oh, I see, sounds good !

For information - during the last Yang of Things meeting (which very unfortunately was in the same time slot as FUD), we discussed the use of YANG model for this description. (the manifest file then can be expressed in CBOR, XML, or JSON.. (I’ll be tempted to default to CBOR).

Do you think this could be something of interest for the BoF and for the follow-up of Suit ?

Alexander





Le 24 oct. 2017 à 10:28, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> a écrit :

>  Thanks for the quick reply! Ok, I think I understand a little bit better.

>  So, it’s about the File Format that contains the firmware? (so that we have nice things, such as signing, verification, delta-updates, and so forth ?)

Yes, it is pretty easy to understand. Just try to implement a firmware update mechanism and you will notice that the security part is the complex part. That’s probably not super surprising since we made this observation already numerous times already with other work in the IETF.

If you want to know the details of what we have implemented, just take a look at https://tools.ietf.org/html/draft-moran-fud-manifest-00. As mentioned earlier, we are polishing our code right now and will release it as open source (Apache 2 license).

Ciao
Hannes

Alexander


Le 24 oct. 2017 à 09:56, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> a écrit :

Hi Alexander,

I believe the work has to start somewhere.

What do we have today?

If you are using a general purpose OS, like Linux, then there are lots of software/firmware update mechanisms available. I know that there are still problems with using them on devices like home routers but those problems are often related to non-technical aspects, such as discontinued support or pushing updates through the long value chain. (This problem has even been recognized with smart phones.)

Furthermore, there are also various “transports” for getting a firmware image from A-to-B.

Hence, I had suggested to focus on the gaps that exist today, namely a standardized firmware format for use with low end IoT devices.
Before we started our implementation work more than 2 years ago there was not much available in terms of standardized formats. Hence, we used RFC 4108 as a starting point.

If we manage to complete this part of the work we will then be able to use it with a number of transports. Cisco may prefer a HTTPS based communication with the firmware update server pre-configured. We continue use our LwM2M approach with CoAP. Maybe someone else will switch to QUIC in the future or (as some of the low power WAN guys do) just shuffle it over their radio without using IP.

Does this make sense?

Ciao
Hannes


From: Alexander Pelov [mailto:alexander@ackl.io]
Sent: 24 October 2017 09:45
To: Hannes Tschofenig
Cc: Suhas Nandakumar; suit@ietf.org<mailto:suit@ietf.org>
Subject: Re: [Suit] Firmware Transport Protocol

Dear Hannes,

Thanks for clarifying some of the points and for getting the work started!

Just for my understanding, if I over-simplify, the goal si to define a manifest format (will all the behavior that is related to it) necessary to perform secure firmware update for IoT, is this correct?

(I imagine the way bindings are defined to the actual L2/L3 protocols that perform the update would be defined in the manifest file)

Best,
Alexander



Le 24 oct. 2017 à 09:20, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> a écrit :

Hi Suhas,

The beauty of the charter text is that it already allows any transport mechanism to be used.

While home routers use HTTP and TFTP lower end IoT devices use CoAP or distribute the firmware images directly over the link layer protocol. See, for example, a recent write-up from my co-worker where he is using the firmware manifest we described and implemented over LoRa with differential updates: https://os.mbed.com/blog/entry/towards-fota-lora-crypto-delta-updates/

Ciao
Hannes

From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of Suhas Nandakumar
Sent: 24 October 2017 07:32
To: suit@ietf.org<mailto:suit@ietf.org>
Subject: [Suit] Firmware Transport Protocol


On the protocol to transport firmware, the vast majority of firmware updates we see  the industry using run over tftp and http with perhaps coap in the future. We think the charter need to explicitly allow for a design that allows any one of those three to be use by the IoT device and is to be clear how they are each used.


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you._______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email