Re: [Suit] [suit]: draft-moran-suit-manifest-02
David Brown <david.brown@linaro.org> Fri, 13 July 2018 16:18 UTC
Return-Path: <david.brown@linaro.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99305130E52 for <suit@ietfa.amsl.com>; Fri, 13 Jul 2018 09:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=linaro.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9O7MQG3iKWt for <suit@ietfa.amsl.com>; Fri, 13 Jul 2018 09:18:52 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04EF9130E59 for <suit@ietf.org>; Fri, 13 Jul 2018 09:18:52 -0700 (PDT)
Received: by mail-io0-x22a.google.com with SMTP id e13-v6so31785113iof.6 for <suit@ietf.org>; Fri, 13 Jul 2018 09:18:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=IEH9/dR5E/dX5cUjprnhwCvUDowKwL+d2jVcIB/ppTQ=; b=HbeMrCckhij/hR9x7S8I9p0LovnX55iXTMgmGWfkbVgX9EBazE+MmxYWH9yk6CtIpe Ye9iNY+4G36zS5HUPMX1pU+t+nzVCsgrTYKmnx5rE7jyie6cTAmNFXwDSZiQN9+iEWxy QHyENnQG0AAlD4wgUQkuWnPsu6UyZ+dZLbayU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=IEH9/dR5E/dX5cUjprnhwCvUDowKwL+d2jVcIB/ppTQ=; b=OJW3LD2p6fw6lSw2+epQ8vDP6snVfPi3ep0PI6u8kedDURzJosGT7pRWXHRd6XH4Fb 1QS6w5NNtbaT287s2ohOXLbGaND4SgiGhjSiIBi1/V6mAsJfkRm7bQbgQFjzJ5nQ9zHA 0X2IlZ3d6IZZgXU6DtszGApDEXh3S5wCRPDzKf4OEzZKiprK7FTTXOwPU//8HDAgjxJe opIWY0ZiqNo5O5oDAGxRWa0vxEC7bN4Tzvw7wAzKPFYWTD1uq6HAQYGXpi4fj5F+lnie tg6eAWgUhc3CXKqJEEXIl2c5cxm9Q0JjIRI5q8luNdUGBpP+d6BsE5EXcBcsgQopBhvu Jb9g==
X-Gm-Message-State: AOUpUlGd57QIgFSDMm8OxaCnRdymwTQyPP5m3OiOBgWeZelSRB8s6tzF CUkDApGRkrLJCKscrJerkJ1hSw==
X-Google-Smtp-Source: AAOMgpfgXIslAszTYVNx1ZRxqwhdGgKzYl64Ed9gC5rxYFFkVQvcNwiUfkOwLsbpBylqoghZm4vJgA==
X-Received: by 2002:a6b:a313:: with SMTP id m19-v6mr31582283ioe.98.1531498731072; Fri, 13 Jul 2018 09:18:51 -0700 (PDT)
Received: from davidb.org ([2601:283:4300:987c:6245:cbff:fe6d:5400]) by smtp.gmail.com with ESMTPSA id k200-v6sm3692402ite.39.2018.07.13.09.18.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Jul 2018 09:18:50 -0700 (PDT)
Date: Fri, 13 Jul 2018 10:18:48 -0600
From: David Brown <david.brown@linaro.org>
To: Brendan Moran <Brendan.Moran@arm.com>
Cc: suit <suit@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Message-ID: <20180713161848.GB27373@davidb.org>
References: <FDAB87B5-A7CB-4BBC-B7CF-763355B099D8@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <FDAB87B5-A7CB-4BBC-B7CF-763355B099D8@arm.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/QCapvPfT7rEwuBHVTmSxhPzJsSA>
Subject: Re: [Suit] [suit]: draft-moran-suit-manifest-02
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 16:18:55 -0000
On Tue, Jul 03, 2018 at 09:08:02PM +0000, Brendan Moran wrote: >This draft is a significant departure from previous drafts, so I think it is >important to highlight the changes. The draft requires a lot of text that >hasn’t been written yet, so I will try to put some of that here for discussion. > >[1]https://datatracker.ietf.org/doc/draft-moran-suit-manifest/ Yesterday, I spent some time going through this draft to try and create an example manifest based on how MCUboot currently behaves. I found many things that I wasn't clear on the meaning of, and wasn't quite certain how to structure the manifest for my, what I believe, is a fairly simple case. In addition, I feel there is an assumption in the manifest that the processing will be done in two parts: 1. Parse the CBOR into some kind of in-memory data structure. 2. Traverse this structure in various ways, making decisions and performing processing. This is a lot to ask of code on a resource-constrained device, where we likely are going to only have tens of kB of code space available. I would like to consider making the manifest in such a manner that it is possible to construct at least a simple version that can be processed linearly (in CBOR order). ## What MCUboot does Targets using MCUboot currently use a manifest format that is combined directly with the image. It is formatted something like: ----------------------- | Header | ... | Image length | ... ----------------------- | Padding ----------------------- | Execute in place | firmware image | ... ----------------------- | Manifest header ----------------------- | TLV encoded manifest +---------------------- The flash memory is divided as follows: +------------------------- | Bootloader +------------------------- | Slot 0 | XIP Application Code +------------------------- | Slot 1 | Update image +------------------------- | Scratch +------------------------- The two actors involve that are running on the MCU are: 1. The update application, and 2. MCUboot itself. The update application is code combined with the normal application running on the target. It is responsible for downloading this image, possibly verifying it, and writing it into flash in Slot 1. This code is part of the image running in slot 0. Once this is written, it reboots. MCUboot, upon boot, checks slot 1 for a manifest, and if there is a valid update present, performs either a "swap", exchanging the data in slot 0 and slot 1 (using scratch to be robust against power loss), or overwrites slot 1 onto slot 0 (depends on how it is configured). It then verifies the image in slot 0, and if valid transfers control into the XIP image in slot 0. The TLV manifest is currently quite simple, an essentialy consists of a series of steps that MCUboot walks through. These steps can consist of: - Compute a hash of the image and compare with XXXXX - Verify a signature of the hash using a built-in public key. There can be multiple signatures, generally to support either multiple algorithms, or to support multiple signers. When it completes the processing, it checks that it did indeed verify a hash, and at least one signature, at which point it will boot. ## Encoding this in a SUIT manifest. My initial assumption was that we could place the SUIT manifest in the above images where the current Manifest header and TLV manifest live. It would not be difficult to distinguish between a COSE_Sign block and the existing header, although it is unlikely that the code could be compiled to include processing for both formats. I envision the processing something along the lines of: 1. MCUboot decodes the COSE_Sign data. Although COSE seems to also assume that it will be decoded into RAM and processed there, it isn't too difficult to simply record decoded offsets, and construct the Sig_structure virtually, invoking the hash algorithm incrementally. My initial guess is that the code to process this would take perhaps 2-3 times as much code to process as the current TLV processing. The result will be a pointer and length to the payload, which is the SUIT manifest. 2. MCUboot then decodes the SUIT manifest. The goal is for it to determine: 1. Does this manifest describe the attached image, 2. Is the manifest applicable, and 3. Should it do an image swap (for example if the newer image is in slot 1). In light of this, I tried to come up with a sample manifest, but it wasn't clear to me where and what things should be conveyed in it. Keep in mind that ideally, the manifest could be processed in a single pass, possibly with a small amount of RAM used to point back to key information gained. I came up with the following: - The preconditions would be one or more IdConditions to associated the image with a particular device. This adds functionality to what MCUboot currently does. - Possibly a 'dependency' resource (functionality needed for future multiple image work). - A payload resource that describes the payload this manifest is attached to. Perhaps this is sufficient for this use case. Given that I don't understand what the 'inode' and 'onode' fields represent, I'm not sure how processors and targets would be configured to describe this. Maybe they are intended for a more complex use case. I will send another email about my confusion in this regard. Given the above, in the manifest, the 'digestInfo', 'textReference', 'nonce', and 'sequence' would have meaningful values. There would probably be some 'preConditions', and 'resources', but the rest of the arrays would be blank. Does my interpretation seem reasonable? Or would it also be expected that the processing and/or directives be involved in this case. For our use case, the two actors perform different steps, and it may not even be meaningful to encode that information in the manifest. If we do want to encode the steps to perform, something would need to be added to indicate which actor is supposed to perform which steps. David
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 Rønningstad
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown
- [Suit] [suit]: draft-moran-suit-manifest-02 Brendan Moran
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 Kvamtrø
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 Kvamtrø
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown
- Re: [Suit] [suit]: draft-moran-suit-manifest-02 David Brown