Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence

"Kończyk, Sylwester" <sylwester.konczyk@nordicsemi.no> Tue, 02 January 2024 07:18 UTC

From: "Kończyk, Sylwester" <sylwester.konczyk@nordicsemi.no>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
Date: Tue, 02 Jan 2024 07:18:05 +0000
Message-ID: <DU0PR05MB10075D4F5B756CE7C2F15D248F161A@DU0PR05MB10075.eurprd05.prod.outlook.com>
References: <DU0PR05MB1007598D80C708EF5E31D6C1FF196A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB5576FEBEC9ADFCEFFA5C9F51EA96A@DBAPR08MB5576.eurprd08.prod.outlook.com> <DU0PR05MB10075EA07524D2FDEF829D988F195A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB557690042715F2B1DC523EBCEA95A@DBAPR08MB5576.eurprd08.prod.outlook.com> <DU0PR05MB100754DCE8CCCE2E161D9AD8FF194A@DU0PR05MB10075.eurprd05.prod.outlook.com> <16703.1703257575@localhost>
In-Reply-To: <16703.1703257575@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/NRt9wqMbsQAFEp5dwPKEEKqIkXY>
Subject: Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence

Hi Michael,

> Does this mean that there is an APP_A slot, and an APP_B slot, and also a "running" slot, or are you referring just to the manifest here?

Referring to your question (related to Example 2): the purpose of that example is to demonstrate one of the possible implementations of the "stream-to-secure" approach mentioned by Brendan, and to justify that even in that case we can observe distinct staging, installation, and invocation procedures.

In this specific example, one of the APP_* slots is active (or "running") at any given moment, APP_A here. APP_B is not running at that time, so overwriting its content at step 1d is feasible. Both APP_* slots are represented as distinct components in the manifest. For the sake of simplicity, the slot for the manifest itself is not directly mentioned in this example; however, the moment when the "candidate" manifest is stored in the device's non-volatile memory is reflected in step 2d.

BTW, someone may claim that "stream-to-secure" should be implemented similarly to the "A/B Image Template" in draft-ietf-suit-manifest-24. Unfortunately, that approach has its own issues, limiting its applicability in the systems I am aware of. I will not elaborate on it here, as it is a separate topic.

With Regards,

Sylwester

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Friday, December 22, 2023 4:06 PM
To: Kończyk, Sylwester <sylwester.konczyk@nordicsemi.no>; Brendan Moran <Brendan.Moran@arm.com>; suit@ietf.org
Subject: Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence


Kończyk, Sylwester wrote:
    > Example 1:
    > Example 2:

    > A system similar to the one described in Example 1, but there are two slots
    > for the APP. Name them APP_A and APP_B. And let's bring the SUIT manifest into
    > the picture. The staging area is still there, but its size is reduced, just
    > enough to hold the candidate manifest (an envelope, without integrated payloads).
    > Let's assume that initially the app is booted from APP_A, so APP_A is active.

    > Would you agree that the following flow correctly describes the logical steps:

    > 1.  Staging procedure is carried out by the APP (precisely, APP_A).
    >     a.  APP_A downloads the candidate manifest to the staging area.
    >     b.  APP_A verifies the signature of the candidate manifest.
    >     c.  APP_A verifies the applicability of the candidate manifest.
    >     d.  APP_A downloads the APP_B image directly to the APP_B slot (executing instructions encoded in the candidate manifest).
    > 2.  Installation procedure is carried out by the BL.
    >     a.  BL verifies the signature of the candidate manifest.
    >     b.  BL verifies the applicability of the candidate manifest.
    >     c.  BL verifies APP_B (executing instructions encoded in the candidate manifest).
    >     d.  BL overwrites the currently installed manifest with the candidate manifest
    >         (only if the previous step is successful).

Does this mean that there is an APP_A slot, and an APP_B slot, and also a "running" slot, or are you referring just to the manifest here?

    > Example 3:

    > A more complex, yet still memory-constrained system. BL, APP_A, APP_B,
    > staging area, but additionally another non-trusted environment, this
    > time for the Radio. Name it RAD. And we have extra requirements -

:-)

I read your entire email, and it all made sense to me.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
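The two-slot staging and installation flow quoted above (steps 1a-1d run by the active APP, steps 2a-2d run by the BL, then invocation) as an added, runnable model. This is constructed illustration code, not part of the thread or of any SUIT implementation: the manifest is a plain dict instead of a CBOR/COSE envelope, and the manifest signature is stood in for by an HMAC-SHA256 tag under a constructed key; the vendor/class identifiers and the `Device`, `stage`, `install`, `boot` and `run_update` names are all assumptions made for the example. The point it makes is the one Sylwester draws in the reply: the inactive slot can be overwritten during staging, but the installed manifest (and therefore what boots) only changes when the BL's own verification of the candidate manifest and of the APP_B image succeeds.

```python
"""Toy model of the APP_A/APP_B staging, installation and invocation flow.
Constructed example, not SUIT reference code: the COSE signature is stood
in for by HMAC-SHA256 under a demo key, and the manifest is a dict."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"   # stand-in for the manifest signing key
DEVICE_VENDOR = "vendor-demo"           # constructed vendor/class identifiers
DEVICE_CLASS = "class-demo"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(body: dict, key: bytes = SIGNING_KEY) -> dict:
    """Wrap a manifest body in an 'envelope' carrying an authentication tag."""
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, encoded, "sha256").hexdigest()}


def signature_ok(envelope: dict, key: bytes = SIGNING_KEY) -> bool:
    encoded = json.dumps(envelope["body"], sort_keys=True).encode()
    expected = hmac.new(key, encoded, "sha256").hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def applicable(body: dict) -> bool:
    """Applicability check: the manifest must target this vendor/class."""
    return body.get("vendor") == DEVICE_VENDOR and body.get("class") == DEVICE_CLASS


class Device:
    def __init__(self, app_a: bytes):
        self.slots = {"APP_A": app_a, "APP_B": b""}
        self.installed = sign_manifest({"vendor": DEVICE_VENDOR, "class": DEVICE_CLASS,
                                        "component": "APP_A", "digest": digest(app_a)})
        self.active = "APP_A"
        self.staging = None   # staging area holds only the candidate envelope

    # Step 1: staging, performed by the running application (APP_A)
    def stage(self, envelope: dict, fetch) -> bool:
        self.staging = envelope                       # 1a: download candidate manifest
        if not signature_ok(envelope):                # 1b: verify its signature
            return False
        body = envelope["body"]
        if not applicable(body):                      # 1c: verify applicability
            return False
        target = body["component"]
        if target == self.active:                     # never overwrite the running slot
            return False
        self.slots[target] = fetch(body["digest"])    # 1d: stream image straight into the slot
        return True

    # Step 2: installation, performed by the bootloader (BL)
    def install(self) -> bool:
        env = self.staging
        if env is None or not signature_ok(env):      # 2a: BL re-verifies the signature
            return False
        body = env["body"]
        if not applicable(body):                      # 2b: BL re-verifies applicability
            return False
        if digest(self.slots[body["component"]]) != body["digest"]:   # 2c: verify APP_B
            return False
        self.installed = env                          # 2d: commit candidate manifest
        return True

    # Invocation: BL boots the component named by the installed manifest
    def boot(self) -> str:
        body = self.installed["body"]
        if digest(self.slots[body["component"]]) != body["digest"]:
            raise RuntimeError("installed image fails verification")
        self.active = body["component"]
        return self.active


def run_update(image: bytes, delivered: bytes, key: bytes = SIGNING_KEY):
    """Drive one update cycle on a fresh device; `delivered` is what actually
    lands in the APP_B slot (lets us model a corrupted or substituted image).
    Returns (staging_ok, installation_ok, component_booted)."""
    dev = Device(b"app-v1")
    candidate = sign_manifest({"vendor": DEVICE_VENDOR, "class": DEVICE_CLASS,
                               "component": "APP_B", "digest": digest(image)}, key)
    staged = dev.stage(candidate, fetch=lambda _digest: delivered)
    installed = dev.install() if staged else False
    return staged, installed, dev.boot()


if __name__ == "__main__":
    print(run_update(b"app-v2", b"app-v2"))              # clean update: boots APP_B
    print(run_update(b"app-v2", b"app-v2-corrupted"))    # bad image: still boots APP_A
    print(run_update(b"app-v2", b"app-v2", key=b"bad"))  # bad signature: staging rejects
```

Note that steps 2a and 2b deliberately repeat 1b and 1c: the BL is the trust anchor for installation and cannot rely on checks performed by the application, so the candidate manifest is verified again from the staging area before it replaces the installed one.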