[Suit] Transactional updates
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 24 October 2017 13:31 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F7613F4FC for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 06:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ke6NvpeFGrFK for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 06:31:07 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10A3E13F3D5 for <suit@ietf.org>; Tue, 24 Oct 2017 06:30:59 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id h6so36885168oia.10 for <suit@ietf.org>; Tue, 24 Oct 2017 06:30:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=1Q3l1S7NsMKtE1UHXe1R7/w4CiWM4iYuAX/55R8AIbM=; b=eCBHI7rdzi7HpL48z9a+sadoD7ficNHZmf0aENR+U9WRQoy4sIN6ui3loNpeg4XoOS W28YRKPVyl0MULatGwE7HWclI4OnA3XMImir8fdVDvsC0efl2XZJRMmx/H8Fg4G3WJZv pj0SRdFTzMpqOyZZAwiJzeuY+lJowGIk5N5YC2AYJI4OtcsbGZXqTXqVTQWsuSXQEag1 XiMWqx5f3Pwm0B9eG2khZ0fkNlS19nteh3euGriqQDcogg+YujAgJcFcNe/gwDE7Knsl nk6UOiKi8uzIWGs/DxXJXq67NSJkZ2B7d4RL68iYGaraT16Yo2XwtX44N14dgTC7UlEZ iBlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=1Q3l1S7NsMKtE1UHXe1R7/w4CiWM4iYuAX/55R8AIbM=; b=evhUAW6uPgIyNgogz2gNHttBts90zBYe1RSe5b6+hiy6ykHOOa+nBtnW+L6Fj56BSz R7SCo3XRmy9bGdtCkSVRMDm6YF4esyMwTdYDimUqo3rCnBUOnn/jp1t4y0JWVnTI509S Oh8rnGCP7ykljTOnJkJe51nyjIRrJK85lkfF680oXsvlhBaDxIQQUdQOdLq1KubiBtKr ZSErvpik+P1lv+HwKoEaznr5ky81IzPqkOl1cRonTlVAod7cauX0lAnj11fFA1BNCP6O dm6+SHRSAxWthlT9nYFVbPG/bjHOSUIfimXItkwgQwQ7Tus/UB0WyO5kNsSJPDmjB6Hh wu1g==
X-Gm-Message-State: AMCzsaUG8VM3mWn+BPJzVHRTtM5T5mVJfC4U9Jt0t7u3bX28weAdVWNm p8skACm5a+HLIO66czTNCJ8DoeUFf9AxlQVsB38Ntg==
X-Google-Smtp-Source: ABhQp+TG9JhqwVo7w3cWjvvjnEAIub4XOmePRgNmutuTY5bYOXoaXO+VBf29MVtSOudmjjAJkj/03IPcesxz+H+PB/s=
X-Received: by 10.202.58.194 with SMTP id h185mr7834873oia.99.1508851857980; Tue, 24 Oct 2017 06:30:57 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.80.42 with HTTP; Tue, 24 Oct 2017 06:30:57 -0700 (PDT)
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 24 Oct 2017 09:30:57 -0400
X-Google-Sender-Auth: bk8R7tEwgcWfwIV59WbwsG6Eq-0
Message-ID: <CAMm+Lwiik1m+rLVd6mvf5LgSxFO34fsGUZ0+gz6m6bj8kpNYuQ@mail.gmail.com>
To: suit@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/OdyrrHczgycMPpgZDOWCLt8VBO0>
Subject: [Suit] Transactional updates
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 13:31:10 -0000
I don't know about you, but I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous? What I would like is to download the software update and then tell the O/S to simply overlay the update on top of the file system as an atomic operation. So installing a software update takes a millisecond, no more. Rolling back a software update is just a matter of telling the O/S to stop applying the overlay. It seems to me that this sort of capability would be very useful at the device level as well. Even more so as the chief concern in any software update scheme is that you end up bricking a device. Building the ability to roll updates forwards and backwards is powerful. I would also like this to be integrated into software signing and in an intelligent fashion so that the signature encompasses both the code and the data and it is possible to validate components independently. There is of course going to be a cost and it is the need for storage. The traditional file system organization is a response to highly constrained storage. I have not yet fully considered space optimizations because I have been thinking about the constrained device but I think my approach could be modified for a fairly constrained device. My approach is not going to be appropriate for your PIC controllers but it is definitely feasible at the Arduino level and above. My approach is based on a Merkle Tree based container format. This may sound intimidating but it shouldn't be. I designed, documented and implemented the scheme in under a week: https://tools.ietf.org/html/draft-hallambaker-jbcd-container-00 or in HTML with diagrams at http://prismproof.org/Documents/draft-hallambaker-jbcd-container.html The draft describes a container format that consists of a sequence of variable length chunks that has the property that the sequence can be traversed with equal efficiency in the forward and reverse directions. This can optionally be indexed via a binary tree to allow random access to any frame in log(n) time. Chain and (Merkle) tree digests may be constructed which may be signed. Each frame consists of a header and an optional payload. The payload may be encrypted and/or signed using JOSE. The only fixed requirement for the header encoding is that frame 0 has to have a header encoded in JSON (for interop). The code supports use of JSON, JSON-B, JSON-C and ASN.1 for header encoding, the container uses JSON-B frame encoding because it has to support the read in either direction property. The original concept here was to provide an append only container format that could be used as the basis for synchronizing Mesh portal logs between nodes and also as an encryption format for end-to-end encrypted Web sites. Static content is straightforward, but people expect to be able to support applications like Web forums. The idea was to see if we could support a Web forum run on a cloud server that does not have the ability to read any of the content (yes). The authentication scope is intentionally limited to the payloads, and the signature parameters. The headers are not authenticated which allows them to be mutable. A device may store the whole update as a single file or break it apart into attachments. The latter approach making garbage collection of unused attachments possible without a separate sweep/collect cycle. I am not sure that the encryption capability is needed for software update but it might turn out to be useful allowing devices to be shipped with code for a wide range of applications and only enabling the specific modules required. I do not like devices to have more code than is necessary for their purpose. Authentication is obviously necessary. The way I would see this applied to software update is that the device/desktop would download and verify the incremental updates as a background task (when bandwidth permits). It would then request user permission to apply the update (if required) and set a flag internally telling the loader to use the new version in place of the old. Any processes that needed to be restarted would be restarted. This could be used to effect updates across multiple devices at the same time. It could also allow support for features such as testing the configuration and performing an automatic rollback if the test failed. Besides providing a more secure process, this provides a better user experience. The code required to support the container format is comparable to that required to implement a SHA-2 or the like. implementation in a TPM or such would be entirely feasible.
- [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig
- Re: [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig