Re: [Suit] How are firmware and firmware versions expressed in manifest?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 09 June 2020 11:53 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3BD3A080E for <suit@ietfa.amsl.com>; Tue, 9 Jun 2020 04:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=UKUY04Mc; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=UKUY04Mc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VG5rHChP6iqJ for <suit@ietfa.amsl.com>; Tue, 9 Jun 2020 04:52:57 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10048.outbound.protection.outlook.com [40.107.1.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B17F83A080C for <suit@ietf.org>; Tue, 9 Jun 2020 04:52:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7SBjFBvvECjBmt3rGwduwjKU/d2O4r4WSYRXdXZupMI=; b=UKUY04McR21rvHvVPwvhc6JN7yz/ZnwcZoE4VPqWPPDbjGM7ZzsErHFcUJ+f2RP8xHgvqIYVgDdiL+ONO6ky0mN1fextGtVhr9gNR3BmtXdp0/BByhz/F9s0OmxGxjIzJ6/B3F+SDSZgo2Cglrrh87Ja27lLXdqEq8YQ0vdXkIs=
Received: from AM7PR02CA0021.eurprd02.prod.outlook.com (2603:10a6:20b:100::31) by AM6PR08MB4983.eurprd08.prod.outlook.com (2603:10a6:20b:e4::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18; Tue, 9 Jun 2020 11:52:51 +0000
Received: from AM5EUR03FT014.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:100:cafe::65) by AM7PR02CA0021.outlook.office365.com (2603:10a6:20b:100::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18 via Frontend Transport; Tue, 9 Jun 2020 11:52:51 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT014.mail.protection.outlook.com (10.152.16.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18 via Frontend Transport; Tue, 9 Jun 2020 11:52:51 +0000
Received: ("Tessian outbound d3ae83885012:v59"); Tue, 09 Jun 2020 11:52:51 +0000
X-CR-MTA-TID: 64aa7808
Received: from e17c7f14461e.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id E299C548-A0D4-405A-BD5B-C7732C781CB2.1; Tue, 09 Jun 2020 11:52:46 +0000
Received: from EUR04-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e17c7f14461e.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 09 Jun 2020 11:52:46 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UuY6ET/bYjO0dba0jYEzIU0cQuUuBuz9Kl/U2kS8/caNy1m2+QAYtwfVpruRt7WVFQ+eDWTRjBCJcspUGoIkJ2Tv6OCAFX837KNPMtTs0A/RUutXMxU18tGdbd+qrqXt9IQeXI7fXgPjhJ5wWjFAHG4hSe95ryHFgHsKTBbqHbatk7beQBYzf24EKWLlFMk/ShduSe30laIovSZi6ppEEhJEJo8t6TJUEF1inAywK+HUXX48mwzuc/2gT7MQrK0bt5XM6DFRfOqVZVPIolD995JJP9WlObpj60SYx5r6SK/gq5HGpdgrTUnLy4cwlKShVhh8VMNtEya8y2vhuZVYog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7SBjFBvvECjBmt3rGwduwjKU/d2O4r4WSYRXdXZupMI=; b=kHkA+8XD8sl5iTH204Bkg1pGLiPMfp8DSAd71yv922jq+urAcCRqXgbvsjvOuJoAXm1lrKgIKC4PAy0/bQ3K2fTqDmjjNLJaHUkMYSOZMRmEwS4Cfq/du5CNRZljeyLnWxA3M0YQoD8rp0PqqjuxlJEJTsRDsyYUCtZ4FoXG0GH9pSftum84mMWU8DQurG7QwrKBw/Sg/tju28ebruIfS/TIR6sXofLiJnhHCpT5qPJYH38tX+FayxpoZdbOGIcIw3ZA59kXC1NWbKbynUjUvejeFIeaiTLIL53RvroX/aS/yyH0hw8ir5X0XGmOEJCstaO4t04Qsj66AYoj9xJfqg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7SBjFBvvECjBmt3rGwduwjKU/d2O4r4WSYRXdXZupMI=; b=UKUY04McR21rvHvVPwvhc6JN7yz/ZnwcZoE4VPqWPPDbjGM7ZzsErHFcUJ+f2RP8xHgvqIYVgDdiL+ONO6ky0mN1fextGtVhr9gNR3BmtXdp0/BByhz/F9s0OmxGxjIzJ6/B3F+SDSZgo2Cglrrh87Ja27lLXdqEq8YQ0vdXkIs=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB4226.eurprd08.prod.outlook.com (2603:10a6:208:147::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Tue, 9 Jun 2020 11:52:44 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae%7]) with mapi id 15.20.3066.023; Tue, 9 Jun 2020 11:52:44 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Eliot Lear <lear@cisco.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] How are firmware and firmware versions expressed in manifest?
Thread-Index: AdY5iIX3N33NtGULTtOAukxF+Y4+yAAR9vKAAC3Wx2AAEkCYgAAahNIAAAZpzwAAAp+aoAAIpk6AABYvlVAAHvLyAAAcNwsgAF5KPQAABQ4GMA==
Date: Tue, 9 Jun 2020 11:52:43 +0000
Message-ID: <AM0PR08MB371665CB0C2F1D4543FA8367FA820@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB371631B7C1E6B50DCA29049AFA880@AM0PR08MB3716.eurprd08.prod.outlook.com> <8b6d01d639d0$62614150$2723c3f0$@reliableenergyanalytics.com> <AM0PR08MB37166AD36B5AA36EA7D7CA9BFA890@AM0PR08MB3716.eurprd08.prod.outlook.com> <20437.1591317129@localhost> <1076601d63b3a$d53f5d90$7fbe18b0$@reliableenergyanalytics.com> <BF5D5E46-4A7C-44A7-8554-5DE1E03A3F21@cisco.com> <AM0PR08MB3716C555048993639B14D76FFA860@AM0PR08MB3716.eurprd08.prod.outlook.com> <5820.1591393073@localhost> <AM0PR08MB3716939E832E5483CB8575EBFA870@AM0PR08MB3716.eurprd08.prod.outlook.com> <5789.1591484358@localhost> <AM0PR08MB3716D94B177DA76F0512D824FA850@AM0PR08MB3716.eurprd08.prod.outlook.com> <224F26E6-D4C3-4B10-A343-71D55E1A2EE2@cisco.com>
In-Reply-To: <224F26E6-D4C3-4B10-A343-71D55E1A2EE2@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 1112f30f-c942-46ec-ae9e-f8cb87bb3d0f.0
x-checkrecipientchecked: true
Authentication-Results-Original: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [156.67.194.193]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 552eb880-5534-4059-c478-08d80c6ba356
x-ms-traffictypediagnostic: AM0PR08MB4226:|AM6PR08MB4983:
X-Microsoft-Antispam-PRVS: <AM6PR08MB49835424F1F50C242CB4D0B9FA820@AM6PR08MB4983.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
x-forefront-prvs: 042957ACD7
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: dQLUJVwyJGCLXbTh3dzsHLtCq2DL2r+LbOew2m5EsV6QfF5SARPHloZJwfYQKQbVU4Pm5SmR7kEZEiUITtSlc3ZrA3ObXIBdEmCPuyZ8SQ6FXBw13nYULopS2YCY8QHghKBJgGmnupQ1Y++ZCCXOME6HI3pqhz2hf8ZgpFaSzDrD17ogg+m0moInc1omYoYf9YKbm78SfUPH6WZls4ocagAr8+ipIr5T2ONyjQlTGmQj4SE7yAo2XmtEFN3wmmhifg+V98vo2BwjGHc3xkwP44L9wh9I/qlG3ayGlCWbCzTJIFmNyX/m0sUAjA3DCzRL9PcjTrQnkkz0KC20Jm7Rfw==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(376002)(396003)(39860400002)(366004)(66556008)(71200400001)(8936002)(52536014)(86362001)(7696005)(5660300002)(6506007)(9686003)(4326008)(6916009)(186003)(76116006)(2906002)(66946007)(64756008)(66446008)(26005)(66476007)(55016002)(83380400001)(8676002)(33656002)(316002)(478600001)(54906003)(53546011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: wyraDNCSxtNglVoAEWDCaQW1JGK8w2q/u9SbSzj/x+lA7pG6VU4ELuFDPYJfdnD2NCEn8VKzAT8d8w01XpkMJtZ2CjlyOt+3mJdD95F0za3lZ5WnxZ31CteT/6npC3FCwTuCB+CS0tUss3eOkyonV5USNdDL/sWIgMcHEyAJqH8cAcu7ZgSLWwJq2MHoeffQBndV2TXcQTvWKpFRnYBihcO9qzlilrTDUI4XeYt3kjs5WOIAvkxRyX7Y1CMa+Y1anwIDUOdopttV3tdCU7+SMwKMfAYGkHe9SuD7B4WjiTr63h3owfuW1Z4WrMQOLIMgnxbI2Sn4360Ks0+5AUtcqvWIEHTG41NNg2AkQokngz2hY3ZwsXUwTtZxvJzxt9fqucsxFXLcZBTN4tocP0PxpTWDbJC6AP8fxqHTg2CVdgkplbIPkYECZ/o3+9Bo4m/HT5KCTpYNL3v1YNH4eCPLwBGY6vAXk8L/YpbOGNFch9NbRmTcN8bO/TFtJFmPSrCC
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB371665CB0C2F1D4543FA8367FA820AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4226
Original-Authentication-Results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT014.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(39860400002)(376002)(346002)(46966005)(478600001)(8936002)(5660300002)(86362001)(33656002)(4326008)(82740400003)(6862004)(55016002)(356005)(316002)(26005)(9686003)(36906005)(7696005)(336012)(53546011)(82310400002)(47076004)(54906003)(33964004)(186003)(6506007)(81166007)(2906002)(70206006)(70586007)(83380400001)(52536014)(8676002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: c29790ac-8fab-4923-dca7-08d80c6b9eec
X-Forefront-PRVS: 042957ACD7
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: usisXv41Xu7+nRPrJc+PEUiSosn2UxSAePOrwbsJeziBIHR0ny5dhVuEBaxIq7SqGHwEF93zQ300vn3KSXDDV1ek5nPAn18mf9woXtZytrGM+XzsgwrUa6ldYbaQpZuLucT5JsaMuRzXxC9b73bB0/hGVHggS6Zcc9rD/0+xddDt7Q0L+7FqGF3KVhGJJlSuHj8zTM3FsEng+Ybf7fwcIyjaYxbbRlZ3+KlIS5kWBiPmQhTTb2O5jAoSAX8WH3C6RnN6SBnC9wTnU+aAh1Z+4eBknodqZZZ9S7V0bM1isvWNz3cMxAQ1DD0LGB/CYFS8Uysr5hLQlAITJEHsozAu0EZPkxz1gW7QAB4ojTYvv6OCZnGzNGc1D7p1OOywIIbqBfY28ND0WwdxRTVUYfglpA==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Jun 2020 11:52:51.3468 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 552eb880-5534-4059-c478-08d80c6ba356
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4983
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/bb9ND8WvXbWQkzw9c2vSVst9-UE>
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 11:53:00 -0000

I guess we have to wait and see how this will play out. My understanding is that the manifest can accommodate for all sorts of meta-data attachment and from that side we are doing fine.

Ciao
Hannes


From: Eliot Lear <lear@cisco.com>
Sent: Tuesday, June 9, 2020 11:27 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>ca>; suit@ietf.org
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?

Hannes


On 8 Jun 2020, at 13:27, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:

I have to look at the links Eliot shared but I hope that people are not overly excited about the value of having information about what software version is on their devices for the purpose of drawing security conclusions. You have been at many hackathons where we created firmware for Cortex M-class devices and we used, for example, Mbed TLS in many instances. Does this tell you anything about the security? Can you draw conclusions when you hear that version X has a security vulnerability? Should you be concerned when a security researcher was able to mount a fault injection attack against a specific MCU with a specific version of Mbed TLS running on it? No, not really because you have to know what compile-time configurations were used to build the firmware, what hardware it is running on and what run-time configuration is present.

Actually, the people who should be concerned are the manufacturers, who are going to receive calls from customers who have learned that the manufacturer used EmbedOS but didn’t know that the option in a particular device is disabled.  This is an aspect of SBOMs that is understood to be problematic, and so discussion is gradually shifting to something they call Vulnerability EXchange (VEX) (I hate the name, but as someone who created something called MUD I have no real leg to stand on).  The idea behind VEX, fuzzy as it is, is that one would be able to query to determine if the manufacturer has investigated and affirmatively determined whether a particular product has a particular vulnerability.  I like the concept, because in industrial much of the tooling is already flagging quite a lot of false positive CVEs.

Eliot
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.