Re: [Suit] Introducing draft-moran-suit-manifest-04

Brendan Moran <Brendan.Moran@arm.com> Thu, 13 June 2019 15:42 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19EF51202D2 for <suit@ietfa.amsl.com>; Thu, 13 Jun 2019 08:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7r7DNlYhBkfC for <suit@ietfa.amsl.com>; Thu, 13 Jun 2019 08:42:29 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50062.outbound.protection.outlook.com [40.107.5.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B0F31203AA for <suit@ietf.org>; Thu, 13 Jun 2019 08:42:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sTEu4xh9Q6nq17SChBKk2dE081/VwlsrZsAYdbjpz+4=; b=OtAprQTDZLt4VhBHTzDKgLJjphHVAGAjxt4Z1TwDaSUD4e+mFHzrJh1T+UlqZQ8NOP6Ux7IkeCiECNF6O9eQItvAON7Z1fNmOe/9BUWpA/CTjP8VWUc64DtqI50rJiS7EOuSOrh6LH5nCUDU+JvoHK8iYgvkwBRKUj73vXRiQKY=
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com (10.168.84.137) by DB6PR0801MB2039.eurprd08.prod.outlook.com (10.168.87.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.17; Thu, 13 Jun 2019 15:42:25 +0000
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::2450:8832:f217:9327]) by DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::2450:8832:f217:9327%4]) with mapi id 15.20.1987.012; Thu, 13 Jun 2019 15:42:25 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
CC: "suit@ietf.org" <suit@ietf.org>, "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
Thread-Topic: Introducing draft-moran-suit-manifest-04
Thread-Index: AQHU2L81a2mzuoq9DkiQC46t4fwGyKY2x2+wgABw2OCAYxNrAA==
Date: Thu, 13 Jun 2019 15:42:25 +0000
Message-ID: <45E47993-636B-4275-B3D8-1885F23BECAC@arm.com>
References: <16EC7DB9-1649-4A86-A370-F77CB03305AC@arm.com> <HE1PR05MB32285B66AB7015921D83F852882F0@HE1PR05MB3228.eurprd05.prod.outlook.com> <HE1PR05MB32285EE3C40D73345D217935882F0@HE1PR05MB3228.eurprd05.prod.outlook.com>
In-Reply-To: <HE1PR05MB32285EE3C40D73345D217935882F0@HE1PR05MB3228.eurprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.106.51]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b2fba1d7-f7c9-45cc-60cf-08d6f015bbb2
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DB6PR0801MB2039;
x-ms-traffictypediagnostic: DB6PR0801MB2039:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DB6PR0801MB2039C35FC0444863895CBF6CEAEF0@DB6PR0801MB2039.eurprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0067A8BA2A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(396003)(346002)(136003)(39860400002)(199004)(40434004)(13464003)(189003)(256004)(71200400001)(14444005)(71190400001)(8676002)(66574012)(478600001)(25786009)(81166006)(81156014)(236005)(2616005)(5024004)(6246003)(86362001)(11346002)(2906002)(6486002)(486006)(476003)(316002)(66066001)(54906003)(53936002)(91956017)(66446008)(73956011)(966005)(66476007)(446003)(68736007)(36756003)(5660300002)(33656002)(53546011)(54896002)(66946007)(76116006)(26005)(186003)(30864003)(4326008)(6506007)(229853002)(72206003)(3846002)(6916009)(99286004)(6512007)(6436002)(102836004)(76176011)(14454004)(57306001)(8936002)(50226002)(6116002)(64756008)(6306002)(7736002)(606006)(66556008); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0801MB2039; H:DB6PR0801MB1879.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: QMg8ToLWTQXx0iud1AB5kjjnNdsE9kmzXDsCJNdomif6NmPp35R7h8GpwJpst3loOLCrqRk14cs4eSsgeyqxFguYdbs/o0p6cgxLV8QhnJYQD8gto9fv3Ko9jrModYAGwuMXGBdEASOiq9nKw+XJPeWi/Ct3tPw0sAhwEM1VPL/US8oQ6HyVdshgnWAd04XTqB5lsyhur11IiCaUoR2ardOsK2GjJneln+J34DtFMp77FSXZFrNI9k7uEYipjb1aV/o1k/b78lfzHcrPQKw8aELDy4rMUBG7rOwI+wFGtSxgCqL8h8inFl4nKJnEn8mRy4xbnjhX+Akfz6UCbC/U5+c0JW4bLAFTs+cRlIzIlLNWH/R4YHqs4FC5gJFtbX2Lk8Zh54mZOx7fqBKMiDbK9Xr6B05E3/zAT14GrqQ3eUk=
Content-Type: multipart/alternative; boundary="_000_45E47993636B4275B3D81885F23BECACarmcom_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b2fba1d7-f7c9-45cc-60cf-08d6f015bbb2
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jun 2019 15:42:25.2351 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Brendan.Moran@arm.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB2039
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/RYQlpnxOKZg8PrWC6-iO_N_VqqU>
Subject: Re: [Suit] Introducing draft-moran-suit-manifest-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 15:42:35 -0000

Hi Øyvind,
I’ve done a run through your comments. Thanks for your review.

Thanks,
Brendan

On 11 Apr 2019, at 16:02, Rønningstad, Øyvind <Oyvind.Ronningstad@nordicsemi.no<mailto:Oyvind.Ronningstad@nordicsemi.no>> wrote:

I did a full pass through the document today, and wrote down (quite a few) comments, see below. I think this document is very exciting!

- Øyvind


The digest-algorithm-ids list is missing the following SHA-2 family functions:
- SHA224
- SHA512/224
- SHA512/256
Also, the functions that are truncated to 128 and fewer bits will not be secure against brute-force attacks, so I question their inclusion here.

The algorithm identifiers are borrowed directly from the Naming Things with Hashes RFC (RFC 6920). https://www.iana.org/assignments/named-information/named-information.xhtml. If possible, I would like to avoid constructing another IANA registry for digest algorithm identifiers. I confess, I do find it a bit strange that RFC 6920 has IDs for SHA3-224 and SHA256-128, but not for SHA224. If we need to construct a new registry, so be it, however I would rather not. Perhaps there is another digest algorithm registry that is appropriate?

The requirement that all manifests must have a sequence number higher than their dependencies might be inconvenient when dependencies are validated by version ranges, since a dependency might be updated to something that is created after the root manifest, but still fulfills the check. Comparing sequence number dependency<->dependent might be superfluous, since the dependency is already referenced quite specifically in other ways. Alternatively, the requirement can be valid only up to and including installation.
Also, the text should probably mention that if a manifest is replaced by an update, the new manifest must have a higher sequence number.

Currently, the design calls for manifests to be referenced by digest. If that is the case, then a manifest’s digest (and, therefore, sequence number) must be known at time of creation. For fuzzy dependencies, such as those based on version matching, the direct dependency mechanism clearly doesn’t work. This was originally modelled as mutually independent components (those that are not updated together). Does this need to be made more explicit, or does it require a new or modified dependency mechanism?

What directives/conditions can apply to components in suit-dependency-components? I don't quite understand the purpose of the suit-dependency-components list.

The purpose of suit-dependency-components is to enumerate the components that are described by the dependencies. This may or may not be necessary. As I have described it in draft-moran-suit-manifest-04, it is a list of all components that are affected by all dependencies. This is useful for three reasons: 1) it allows the device to evaluate whether or not it implements the targeted components prior to downloading the whole manifest tree, 2) for a single-pass processor, it allows the device to verify that it has enough storage to store the variables that will be used by each component. For a multi-pass processor, it allows the device to iterate through affected components, handling each one in turn.

There are tradeoffs here. If many components are listed in a deeply nested tree, it will make the top-level manifest enormous. This is a problem that is not well-addressed by this model. It was chosen for small numbers of components in a small tree on small devices. We may need to consider whether it will continue to be the correct choice for larger systems. Perhaps we should consider the option of making the field optional and specifically for multi-pass processors.

I read it many times now, but I don't really understand the last paragraph of "8.4.  SUIT_Component". Can you elaborate on the assumptions? How are the values dependent on installation offset? Who updates the parameters to match what? What does "defining a component" mean?

I think this probably needs some rewording. The idea was that each component is only permitted to exist in a single SUIT_Component, whereas it could exist in zero or more SUIT_Component_Reference elements. The unique feature would be that only a manifest that defines a SUIT_Component for a particular component ID would be allowed to set the digest for that component ID.

However, I’m not certain this is necessary. Where ACLs are present, this should be implemented as an ACL for the digest parameter. Where ACLs are not present, this should be implemented by setting the digest with Override Parameters in the same manifest as the Verify command. If we make the assumption that manifests deeper in the tree are typically more privileged, then it should be adequate in either a single-signer environment or a an ACL-environment.

I might have missed something, but can you elaborate on how scoping of parameters work, specifically when are they unset? For example Encryption Info, does it become unset after being used once? Which parameters are inherited into a Run_Sequence or Process_Dependency? Does a Set_Component_Index/Set_Manifest_Index effectively unset all parameters that have scope "Component"/"Dependency". How does scoping affect parallell processing (how to keep track of the value of a parameter for a given Directive/Conditition if they are executed out of order)?

Parameters are scoped to a specific component ID. Parameter lifetime isn’t well-defined in the draft. It should be. This is an area where there is some work left to do.

The fundamental assumption is that two successive commands should be presented with the same set of parameters (exceptions: set_parameters, override_parameters). However, there are use-cases for Run_Sequence that break this assumption: conditional set. However, where out-of-order/parallel processing is used (Strict order = false) it can be very beneficial to be able to modify a local copy of parameters, rather than creating synchronisation points for setting those parameters, so there are two use-cases for Run_Sequence with different expectations.

A dependency manifest must not change the value of a parameter that is later consumed by the dependent manifest or another dependency. This could be accomplished in two ways: either the environment could be duplicated for the dependency or tooling could be used to ensure non-interference when authoring the dependent manifest, including replacing values that have been overridden.

This seems to indicate the following set of rules:

Parameters:

  1.  Are scoped to a specific component ID
  2.  Are initialised by:
     *   The dependent manifest (ignored for the root manifest)
     *   The common section of the current manifest
  3.  Live for the duration of the current section of the root manifest or the current section of the current manifest and its dependencies (see below)
  4.  Are guaranteed to be unmodified by:
     *   Run_Sequence when Strict_Order = false
     *   Process_Dependency

The guarantee in 4 can be done in one of two ways: either a) the parameters are duplicated prior to the call by the device or, b) the tooling that constructs the manifest parses the manifest tree to ensure that parameters are not overridden and, if they are, the correct values are restored after any invocation that could override a parameter. A) is more suitable for larger systems and b) is more suitable for more constrained systems, but we should have a consistent view of the behaviour of the interpreter. This seems to indicate a capability and a flag that is required. This inconsistency in behaviour between large scale systems and constrained systems is not something we want. I think a better solution is needed, but it’s not clear what would be simpler and still behave as expected.

Set_Component_Index and Set_Manifest_Index effectively just moves a pointer to the current working set between several options. Parallel processing is mostly unaffected. Changing a parameter effectively creates a synchronisation point. If you want to do that and maintain parallelism, the solution is to wrap each parallel process in a Run_Sequence.

SUIT_Unpack_Algorithm_Delta should be split into individual IDs for algorithms like SUIT_Unpack_Algorithm_VCDIFF.

That seems reasonable. The other option would be to break it down into hierarchical IDs, but I don’t think there’s much benefit to that approach.


I think there's a quirk with the versions where comparisons can be subverted. If you have a dependency on version 1.x of something, it's hard (impossible in the general sense) to express those bounds with the greater/lesser comparisons. This is because there is no well-defined highest or lowest version with a given prefix such as "1." (unless the version list has bounded length).  If you have a bound on the length of the version list, you could express the upper bound e.g. as "Lesser or equal than 1.INTMAX.INTMAX..." etc. which isn't very pretty. Can we find some better way? I'm assuming 1.1 is equivalent (equal) to 1.1.0 etc.

I’m not sure I understand the problem. The test is: >=1,<2. In this instance, any version that has a prefix >=1 will pass that comparison, and any version that has a prefix <2 will pass that part of the comparison. The number of elements in the list to process is assumed to be defined by the test.

If SUIT_Directive_Set_Component_Index is set to ALL components, is the order in which it applies to the components well-defined? Same question for SUIT_Directive_Set_Manifest_Index.

The order is defined to be the order in which they are listed in the manifest.

Can you give an example of providing an argument to SUIT_Directive_Fetch?

Certainly. This is primarily intended describe information that the device will use, but is not sent to a remote, making a URI inappropriate for containing it. Several examples would be:


  1.  Broadcast interval
  2.  Key Identifier to use for TLS client authentication
  3.  Transport configuration to use during the download (e.g. MTU)

The CDDL for Condition, Directive and Parameters should have the name as part of the CDDL (i.e. as a label/type, not a comment) to make it more amenable to machine parsing.

Noted. I’ll have a look at that as I prepare draft-moran-suit-manifest-05


*The rest is nitpicking*

The nitpicks make sense. I’ll do my best to incorporate them.


The SUIT_Manifest CDDL references Digest instead of SUIT_Digest.

Should suit-install be MANDATORY if suit-payload-fetch is present?

I suggest being more specific about suit-validate. Something to the effect of: "suit-validate is a SUIT_Command_Sequence to execute in order to validate that the result of applying the update (i.e. the state of the device after suit-install) is correct."

When forwarding a dependency to a component that is capable of parsing its own manifests, the dependency manifest might not be SUIT-formatted, so it should not need to be interpreted. This could be elaborated on in the text.

This sentence should probably be fixed (typo etc.): "It consists of three elemnts: the component identifier that represents a component that will be affected by this manifest."

Can a SUIT_Component_Reference refer to a component in a dependency of a dependency?

For readability, I suggest placing the "name" column (of the manifest parameters table) further to the left.

Can you elaborate on the "Skip" flag for parameters? Even just mentioning that it is TBD.

This could be more specific: "This index is a numeric index into the component ID tables defined at the beginning of the document."

SUIT_Directive_Set_Parameter_State_Append is not mentioned in the table.

Should "dependent-components" be "dependency-components" instead?

For the sake of completeness: In "Access Control Lists" I envision another situation, where ACL is implemented as a function that e.g. takes the Component ID and returns the identities that can manipulate it. This is for when Component IDs can alias each other, or the component ID contains a flash address, so it doesn't make sense to store every conceivable component ID in a list.

The names in the example in "Creating conditional sequences" don't look right, are they outdated?

An example with dependencies would of course be useful.




-----Original Message-----
From: Suit <suit-bounces@ietf.org<mailto:suit-bounces@ietf.org>> On Behalf Of Brendan Moran
Sent: Tuesday, March 12, 2019 11:35
To: suit@ietf.org<mailto:suit@ietf.org>
Subject: [Suit] Introducing draft-moran-suit-manifest-04

draft-moran-suit-manifest-04 has now been published.

https://tools.ietf.org/html/draft-moran-suit-manifest-04

This draft is the result of combining the information model in draft-moran-suit-behavioural-manifests-00 (the 01 version fixes example formatting only) with that in draft-ietf-suit-information-model, then serialising the result in CBOR. This is a significant departure from previous drafts. It attempts to preserve flexibility, fully define the behaviour of recipient, simplify the manifest structure, reduce code-size of the recipient, and reduce the size of the manifest. This ambitious set of goals required a significant change in approach as compared to draft-moran-suit-manifest-03 and before. In order to outline the approach clearly, we have separately published draft-moran-suit-behavioural-manifests-00. draft-moran-suit-manifest-04 focuses more on the serialisation of the manifest.

I look forward to discussing this draft in more detail.

Best Regards,
Brendan
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.