IETF Logo Mail Archive

Re: [Suit] [suit]: draft-moran-suit-manifest-02

Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> Thu, 12 July 2018 08:35 UTC

Return-Path: <frank.kvamtro@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2BE130ED0 for <suit@ietfa.amsl.com>; Thu, 12 Jul 2018 01:35:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.021
X-Spam-Level:
X-Spam-Status: No, score=-1.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-xx-M0YNc9z for <suit@ietfa.amsl.com>; Thu, 12 Jul 2018 01:35:33 -0700 (PDT)
Received: from ironport01.nordicsemi.no (mx01.nordicsemi.no [194.19.86.146]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 830C612F1A2 for <suit@ietf.org>; Thu, 12 Jul 2018 01:35:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.no; l=5990; s=default; t=1531384532; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=5K4fPZ6FVW4utBA3CXncl7giKlTrQavJAVxuZnBh+DQ=; b=bFSw6pSmgV56NCY5sRMTEUXiNHU9aItufNgdjeaKh5p4a5PgGEI8LfyM 1bdMIm20PumDH2TDHs9O5nDdLhgSybdQLBvraVsu5IBxceugzfsJxN5tJ SJdHTrBhE6f8euunVMqQ+FSgSuAYNALqeRN9EjtKypmm8+HedHC/6+NaX o=;
X-IronPort-AV: E=Sophos;i="5.51,342,1526335200"; d="scan'208";a="11311932"
From: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
To: David Brown <david.brown@linaro.org>, "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, suit <suit@ietf.org>, Brendan Moran <Brendan.Moran@arm.com>
Thread-Topic: [Suit] [suit]: draft-moran-suit-manifest-02
Thread-Index: AQHUExHtnaLT8k9ra0yYs7g0XR6lpaSKWGZX///exYCAAQNVoA==
Date: Thu, 12 Jul 2018 08:35:29 +0000
Message-ID: <a7a2b7ad4a54482fabc36555ac87f659@nordicsemi.no>
References: <FDAB87B5-A7CB-4BBC-B7CF-763355B099D8@arm.com> <790d40b227034bd784185bd9bdd52f4f@nordicsemi.no> <20180711174726.GB8918@davidb.org> <20180711174847.GA30365@davidb.org>
In-Reply-To: <20180711174847.GA30365@davidb.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.9.200.83]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/OvUSFeMzLBSFLRe_iTe6WUdGeIs>
Subject: Re: [Suit] [suit]: draft-moran-suit-manifest-02
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 08:35:36 -0000

Glad the meaning sunk in. I think we get into some small problems by creating
names that aren't self-explanatory. Especially if they are duplicated and/or
represented in a few different ways in the format.

We agree that we could place the textReference in the manifest so that we know 
what to discard at a later stage. It will make it easy for a simple bootloader 
to do the information severing, if it only needs to keep the signature and/or 
manifest after the update...

I've rewritten the initial idea by Øyvind for severability with the 
textReference  (now named textDigest) in the main manifest. I've also renamed 
the processReference to be updateProcessDigest. Stating digest in the instance 
name makes it easier for humans to parse IMHO.


; Example of extracting long-lived information so it can be stored while 
; short-lived processing info is discarded.
 
AuthenticatedManifest = [
  authenticatedManifest: COSE_Mac / COSE_Sign,
  updateProcess:         bstr .cbor UpdateProcess,
  text:                  bstr .cbor TextMap,
]
 
UpdateProcess = [
  nonce :              bstr,
  preConditions :      [ * PreCondition ],
  directives :         [ * Directive ],
  resources :          [ * ResourceInfo ],
  processors :         [ * ProcessingStep ],
  targets :            [ * TargetInfo ],
  extensions :         { * int => bstr}
]
 
Manifest = [
  manifestVersion :     1,
  digestInfo :          DigestInfo,
  sequence :            SequenceNumber,
  postConditions :      [ * PostCondition ],
  updateProcessDigest : bstr,
  textDigest :          bstr
]


I'm still a bit curious why DigestInfo needs to be split away from the digests.
I would like to support multiple digest-types through a manifest and I would
naturally assume the same methodology as the TLS standard - i.e. prepending the 
digest type with the digest (enum + digest content). It even allows for a TV 
encoding of the data instead of TLV (if need be). I'm not arguing against
removing the DigestInfo structure, in case there is a need for parameter data. 
But I think there should be little penalty changing the digestInfo  in the 
manifest to an array of DigestInfos, and using an enum/int identifier to 
reference between the digests and the DigestInfo...


Regards
Frank Audun Kvamtrø


> -----Original Message-----
> From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of David Brown
> Sent: 11. juli 2018 19:49
> To: Rønningstad, Øyvind <Oyvind.Ronningstad@nordicsemi.no>
> Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; suit <suit@ietf.org>;
> Brendan Moran <Brendan.Moran@arm.com>
> Subject: Re: [Suit] [suit]: draft-moran-suit-manifest-02
> 
> Sorry, most of this can be ignored, as I missed the processReference field in the
> Manifest.  I would still suggest putting the textReference in the Manifest as well
> so that it doesn't require as deep of nesting to verify the text.
> 
> David
> 
> On Wed, Jul 11, 2018 at 11:47:26AM -0600, David Brown wrote:
> >On Fri, Jul 06, 2018 at 01:50:38PM +0000, Rønningstad, Øyvind wrote:
> >
> >>AuthenticatedManifest = [
> >>  authenticatedManifest: COSE_Mac / COSE_Sign,
> >>  updateProcess:         bstr .cbor UpdateProcess,
> >>  text:                  bstr .cbor TextMap,
> >>]
> >
> >>UpdateProcess = [
> >>  nonce :              bstr,
> >>  textReference :      bstr,
> >>  preConditions :      [ * PreCondition ],
> >>  directives :         [ * Directive ],
> >>  resources :          [ * ResourceInfo ],
> >>  processors :         [ * ProcessingStep ],
> >>  targets :            [ * TargetInfo ],
> >>  extensions :         { * int => bstr}
> >>]
> >
> >The textReference has to be in the Manifest that is covered by the
> >signature.  As stated here, none of the updateProcess or text
> >information is covered by a signature.
> >
> >This could be done by moving textReference above into the Manifest, as
> >well as adding an updateProcessReference that would contain a digest of
> >the updateProcess.  This adds complexity to verifying this additional
> >information, but would indeed then allow them to be severed, while
> >still being covered by the signature.
> >
> >David
> 
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email