IETF Logo Mail Archive

Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00

Brendan Moran <Brendan.Moran@arm.com> Tue, 12 March 2019 10:02 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616BA130F13 for <suit@ietfa.amsl.com>; Tue, 12 Mar 2019 03:02:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ItqvfwRcWeMy for <suit@ietfa.amsl.com>; Tue, 12 Mar 2019 03:02:14 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0608.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::608]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AECDA1274D0 for <suit@ietf.org>; Tue, 12 Mar 2019 03:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v7aIzvb3M1gI20/b5Jkra/xhmoNC5QhrHIl5Z9lpZKE=; b=N9kp79bLev3CccxPd57bESlFp6LGj22JlkCF3gpP450D7Tml9J7rFB1OaTUXLTO5VvM6je1xuD7Oe832B9oHaeCy8zUiNR0Bv2uGrpYbntj9Eq2M8JIDPZvnIXrGgNJMG4KGe1yGHzMeEiqRsPpIV6/1qFbmtNCJpidU2k+QGNY=
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com (10.168.84.137) by DB6PR0801MB1254.eurprd08.prod.outlook.com (10.168.11.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.18; Tue, 12 Mar 2019 10:02:10 +0000
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::b135:ad5e:4ab2:48f6]) by DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::b135:ad5e:4ab2:48f6%7]) with mapi id 15.20.1686.021; Tue, 12 Mar 2019 10:02:10 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: Introducing draft-moran-suit-behavioural-manifests-00
Thread-Index: AQHU1b7FshUEgr2F5EypCp48YE0jsqYGbW0AgAFcZgA=
Date: Tue, 12 Mar 2019 10:02:10 +0000
Message-ID: <64367D8F-3B10-46D4-B133-74E4E056804A@arm.com>
References: <A65149C9-4CEF-4343-9B03-20BC8E60288E@arm.com> <VI1PR0501MB22885868BFB301CA087E621DFC480@VI1PR0501MB2288.eurprd05.prod.outlook.com>
In-Reply-To: <VI1PR0501MB22885868BFB301CA087E621DFC480@VI1PR0501MB2288.eurprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
x-originating-ip: [217.140.106.51]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a7051033-5cdb-4af3-affd-08d6a6d1cb28
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:DB6PR0801MB1254;
x-ms-traffictypediagnostic: DB6PR0801MB1254:
x-ms-exchange-purlcount: 2
x-microsoft-exchange-diagnostics: 1; DB6PR0801MB1254; 20:e5peaw24y5JAPyPiP5iuLXRBuwUC5rzJHtTB39aahVfo4IQ6qajiUSqZoMZDb7aBylY3LJ47EEHfKHKfk31QpSdFtUZi0fAJjEg6JAeKGdaKycuU9IOaSy/7zwCjgyBfN73pJhQNtu7kfceyQyssgyk4sdIhiJN+W9JcZwFLsd0=
x-microsoft-antispam-prvs: <DB6PR0801MB1254E0FF58C29C35066F8DB9EA490@DB6PR0801MB1254.eurprd08.prod.outlook.com>
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(346002)(396003)(39860400002)(366004)(54094003)(189003)(199004)(13464003)(40434004)(5660300002)(2906002)(478600001)(71200400001)(71190400001)(33656002)(66066001)(97736004)(53936002)(57306001)(6306002)(105586002)(106356001)(966005)(83716004)(14454004)(99286004)(305945005)(102836004)(6512007)(72206003)(6916009)(7736002)(36756003)(446003)(2616005)(53546011)(486006)(11346002)(229853002)(6116002)(76176011)(82746002)(3846002)(6506007)(6436002)(316002)(256004)(5024004)(14444005)(6246003)(186003)(4326008)(68736007)(25786009)(476003)(81166006)(81156014)(8676002)(6346003)(50226002)(6486002)(26005)(8936002)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0801MB1254; H:DB6PR0801MB1879.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 7Muuddo4/wR1idi+zW3uphSJhvU9lkuGaVqQw6Syo3DwFuqOLa/8w5sUGF8cMhAAuKj4vLTPte10AT3xo0sGeAQDmc+4FWS3YREObLtdwi/A/o0nrWzWTRqvprTeZMKmwS5ForDuYwYEGs7X+MJuVJ9YEHslotgBzA+9pqDkLSdKTvkQNApfnsTyzDNoyv8i0SeIQHYfx7QuCHDBOCO95hlfor24nA7QwFgR86R7hfh24FH93cpN7r/katBiT8qFfLieGLB0TY2NgkJxzFGODYdMkwtxUjMra9jTaBCtXTZ8wRgsXKaSPCnCJlwpzg8BqsB7f+PVbSiRyzlYt+yGCRgn1v+zbumCT1TrFMFgNoM6kIGNaJ8NfzUtMPatCiQPnc/54lAfwY0D/HxMNjTLR1uBUKHSsyI3VeVYl5gOqdc=
Content-Type: text/plain; charset="utf-8"
Content-ID: <9CF309100BDD174BBC9C9EDA4A7A8651@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a7051033-5cdb-4af3-affd-08d6a6d1cb28
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2019 10:02:10.5400 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1254
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/QAsZ4mwfYLAV7AmlTjD4rsVZhUU>
Subject: Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 10:02:17 -0000

Hi Frank,

I think you’re right, the draft should, at least, specify that the behavioural document, as a whole, needs to be authenticated.

> On 11 Mar 2019, at 13:15, Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> wrote:
>
> Great to see work on this!
>
> I wonder if this document needs to be a bit more distinct with regards
> to secure boot. It is mentioned in the ingress, but there are not a lot of
> indication right now on where to put e.g. an asymmetric signature or MAC to
> ensure the validity and/or integrity of the processable items as part
> of the behavior described in this draft…

You’re correct, the document as a whole needs to be authenticated. In other words, the document lives inside an authenticated container.

>
> From looking at multiple standards on security the term "verify" is often
> distinctly reserved to mean cryptographic verify functionality, e.g. using a
> signature or a MAC qualifying the next jump etc. In this draft "verify" is
> stated in 5 different versions of conditions, but none of them clearly defines
> a behavior I would equate to a cryptographic verify function. In my mind
> I'm able to put said cryptographic verification functionality in the
> conditions in commands 5.2, 5.4 and 5.5 dependent on the use-case.
> Such functionality is not explicitly mentioned in any of these except from
> a loose reference to doing a similar type operation, i.e. cryptographic hash
> function in 5.2 - Verify Image presence, but then the assumption must be
> that there is a signature at a different level, safeguarding the digest.

I could easily change the term to “validate” or “check” or “test” without significant change to the semantics of this draft. I’ll take that on and define the terms.

>
> I also struggle with this due to a collision in text at the end of chapter
> 3 where in a paragraph before and after talk about processing steps in
> chapter 4.1:
>
>    "System validation is used to ensure that all required dependencies
>     are present and that all required images are preset. This process
>     is equivalent to that used in the validation portion of Secure boot
>     workflows".
>
> I as a reader would equate this to validation being a processing step
> in 4.1, although the concept "validation" is fairly broad on this level
> compared to the use of conditional verification in chapter 5.
>
> If a cryptographic verify function is to be understood to live inside
> conditional commands in chapter 5, then I have some proposals:
>
> -Change the wording in processing steps (4.1) to limit them to
> "doing" operations, so instead of stating "symmetric cryptographic operations"
> simply state "decryption". This means that MAC operations isn't
> falsely included as a processing step.
> -Be more explicit on the location and intention of doing a cryptographic
> verify operation (asymmetric signature check or MAC) inside one or more
> of the verify commands in chapter 5 or in the ingress of chapter 5
> so that it is tighter coupled with the concept of a "condition”.

I think you’re correct on both points. If we were to tighten up the wording by stating “decryption,” rather than “symmetric,” it would be clearer. I think it would also be useful to say explicitly that all digest verification happens in conditions. Signature/MAC verification only happens when identifying the authority behind a manifest, as described in Chapter 7.

> If the content of this operational description is *not* based on a
> signature check inside said behavioral description, but rather a
> signature around the complete set of behaviors, then this could be
> made clearer in the ingress in my opinion

Signatures around the whole behavioural description are the intent. I will try to make that clearer in the next draft.

> The term "signature" is not mentioned once in this document, and I wonder
> if this is done on purpose... I think it should be mentioned since
> secure boot is referenced at several locations in this draft, even if
> signatures as a concept is skipped on purpose…

Signatures are treated as a mechanism for establishing authority and authenticity in this draft. Signatures and MACs can both be used for this purpose, which is why they are explicitly excluded. The whole document starts from the assumption that authenticity has already been established.

draft-moran-suit-manifest-04 has now been published and goes into much more detail on these points.

Best Regards
Brendan

> Regards
> Frank Audun Kvamtrø
>
>
>> -----Original Message-----
>> From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
>> Sent: 8. mars 2019 15:54
>> To: suit@ietf.org
>> Subject: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
>>
>> After IETF103, it became clear that we need to focus more on very
>> constrained devices and that optimising the format for constrained parsers
>> was very important. Simultaneously, we were presented with several more use-
>> cases that required extension and complication of the format. It very
>> quickly became clear that the existing serialisation would not meet the
>> stated goals of reducing complexity in constrained devices, but also enable
>> all the desired use-cases.
>>
>> This made it very clear that we needed to take a new approach.
>>
>> Internally, at Arm, we have been developing a new sort of mechanism for
>> describing firmware updates and secure boot. It is a significant departure
>> from the format we were developing before, but it comes with a lot of
>> advantages. I’m pleased to be able to share it with SUIT today!
>>
>> https://datatracker.ietf.org/doc/draft-moran-suit-behavioural-manifest/
>>
>> This approach focuses less on describing the data that a process needs and
>> more on describing the actions the process should take. We’ve been
>> evaluating it against the use cases in draft-ietf-suit-information-model-02
>> and more besides, and it produces compact results.
>>
>> The forthcoming draft-moran-suit-manifest-04 will be based on a union of
>> draft-ietf-suit-information-model-02 and draft-moran-suit-behavioural-
>> manifest-00.
>>
>> Best Regards,
>> Brendan
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email