Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00

Brendan Moran <Brendan.Moran@arm.com> Fri, 14 June 2019 13:45 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BECD12004E for <suit@ietfa.amsl.com>; Fri, 14 Jun 2019 06:45:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E3uMlCuDDkLt for <suit@ietfa.amsl.com>; Fri, 14 Jun 2019 06:45:19 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50083.outbound.protection.outlook.com [40.107.5.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2AAF120044 for <suit@ietf.org>; Fri, 14 Jun 2019 06:45:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=my8HXrHAAFQVnIbK9QIseiv8cZwKgEZ6OhExK/3lK+Y=; b=rGtL+qTuZhJdsz4uYHQtlKH3VgYeTcLSJvY25e19Bph6yTjY0H8pA6BPNR5dJSiaJFurNBXmej1gNiljNfXu1wIiWDiMQq3DKH9BjdlO0jplP3GGQ4UATA8rtRyNBK0NScQtS0dmk5s0dU0tvX/yPmg9/lgqHAUNRBk2Ee4Ws4A=
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com (10.168.84.137) by DB6PR0801MB1973.eurprd08.prod.outlook.com (10.168.84.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1987.13; Fri, 14 Jun 2019 13:45:15 +0000
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::2450:8832:f217:9327]) by DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::2450:8832:f217:9327%4]) with mapi id 15.20.1987.012; Fri, 14 Jun 2019 13:45:15 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
Thread-Index: AQHU1b7FshUEgr2F5EypCp48YE0jsqYGbW0AgAFcZgCAABfWgIA908OAgFYN3wA=
Date: Fri, 14 Jun 2019 13:45:15 +0000
Message-ID: <6DF845C6-5D6E-489C-88ED-F33A301B64D3@arm.com>
References: <A65149C9-4CEF-4343-9B03-20BC8E60288E@arm.com> <VI1PR0501MB22885868BFB301CA087E621DFC480@VI1PR0501MB2288.eurprd05.prod.outlook.com> <64367D8F-3B10-46D4-B133-74E4E056804A@arm.com> <9941AE75-5071-4F3E-ABDD-A35C4EDFD714@tzi.org> <8284.1555789035@localhost>
In-Reply-To: <8284.1555789035@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.106.50]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: adc46895-8ecc-42b9-d4cb-08d6f0ce880c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DB6PR0801MB1973;
x-ms-traffictypediagnostic: DB6PR0801MB1973:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DB6PR0801MB1973E22EE0DACE958815B7ECEAEE0@DB6PR0801MB1973.eurprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0068C7E410
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(136003)(376002)(396003)(366004)(39860400002)(40434004)(199004)(189003)(71200400001)(8936002)(25786009)(476003)(6246003)(4326008)(2616005)(14454004)(71190400001)(81156014)(966005)(14444005)(256004)(486006)(8676002)(5024004)(86362001)(57306001)(11346002)(446003)(72206003)(50226002)(5660300002)(81166006)(53936002)(66446008)(186003)(64756008)(66556008)(561944003)(66066001)(6486002)(66476007)(6116002)(3846002)(91956017)(76116006)(26005)(73956011)(66946007)(478600001)(36756003)(76176011)(229853002)(99286004)(6512007)(6306002)(316002)(2906002)(305945005)(6436002)(68736007)(6506007)(53546011)(7736002)(33656002)(102836004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0801MB1973; H:DB6PR0801MB1879.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: X6YDHUR9lu8PxFS6pGCN+pUHPaE0qE9UDeSGmLrwKEeq33lIJk/PRH1p3ZswHf4UAJ8xmBy3itL2LnG0QWi16fwxQx1rFma4/jX+w/SliJuAcdXBXn5zhkoWzpRphPUdKfRnUKywIqbbh51oD9++oWiuevRuUJy1gBg+rzTf/xKhiUDnqlE5CPBMa/ydnkJTWoRCXr4k/SmBc1JbEGOPGMWpHWUsQ0G4CrAbMKUxkrkQSNxpgZu12IyazzqbsBWmUNvONwdEAU0I8YtQgon2Kc8+r7wl7S6qRysRgaQcnkmK4sf/+ROex5LCV7TQ70xJFUzcBiET8eWs6A/Y0/PacDIV/10psSG1GforqGYUxQBuKMO+d4V6gcRnm+jttY1oLSWPObtAnuiD4rS/dS3VXA5sA6itYOF8PcgIB7TEW3U=
Content-Type: text/plain; charset="utf-8"
Content-ID: <729128234A4E754583B8118473B78193@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: adc46895-8ecc-42b9-d4cb-08d6f0ce880c
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jun 2019 13:45:15.4404 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Brendan.Moran@arm.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1973
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Rz97TcR0NFuQIxWiyl34aGXf_Dw>
Subject: Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2019 13:45:22 -0000

Hi Michael,

Thanks for brining up these concerns. I’ve done my best to address them. To summarise, the point of this draft is NOT flexibility. The point is: a single encoding with few optional fields for many use cases that’s easy to parse and where it’s plausible that a small number of tools will be adequate.

See below for additional details.

Best Regards,
Brendan

> On 20 Apr 2019, at 20:37, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> I've been through the document and I've read the thread, and I watched the
> IETF104 video (I had a conflict).   I have a number of concerns.
>
> I find some of the conversation about the details of the operations
> indicative that coming to agreement for an proceedural mechanism may be
> rather difficult to get consensus on; but I could be wrong here.

Could you point out which operations you see as concerning?

> I feel that this proposal brings us away from a declarative manifest that can
> be reasoned about without regard to time.  I'm not exactly sure I understand
> the rational for the flexibility that is presented.
> It could be that I just don't understand this well enough; I tend to
> understand things by writing code, and I haven't written any code around
> this.

This absolutely does, deliberately, move us away from a declarative document. The rationale is NOT one of flexibility; that’s just a happy side-effect.

We have many use cases. This creates a lot of complex information that needs to be transferred to a recipient. There are three obvious ways that we can deal with this:
1. We can eliminate use cases to make the format simpler
2. We can use a per-use-case encoding
3. We can use a hierarchical encoding that wraps the required information for each use case.

Each of these has a problem. 1 limits the applicability of this standard, leading to potentially many overlapping standards. 2 causes problems for the user experience of device management: when each type of device uses a different encoding, it can be easy to make mistakes and this is multiplied when different vendors use different tools. 3 causes a high degree of complexity in the tooling. It also makes it hard for users to select the correct use case among many similar use cases. If some, but not all tools implement a particular use case, a user may end up needing to choose among many similar tools in an effort to find the one that implements the encoding for a particular use case. Hierarchical formats also naturally introduce more complexity in the parser: a separate tree description/parser stub/validator needs to be constructed for each use-case container.

All of these approaches also suffer from another problem: implied behaviour. When we imply behaviour in response to a declarative document, we leave room open for misinterpretation. What is the exact behaviour of a device for any given use case?

So, it appeared that another approach was needed. In attempting to construct a better hierarchical format, it became apparent quite quickly that virtually all firmware update and secure execution use cases were composed of the same operations with different endpoints, different algorithms, and different orders. What if, instead of telling a device what an update *is*, we were to tell the device what to *do*. This eliminates, at a stroke, any room for misinterpretation of intended behaviour. It also makes it simple for a tool to encompass many use cases without extensive special case behaviours. It also dramatically simplifies the device-side parser.

The simplicity of device-side parser is the real goal here. We want a simple device-side parser without constructing the UX confusion of devices that implement a narrow slice of a hierarchical format or require a specialised encoding, specific to their use-case.

> I feel that this proposal brings us away from a declarative manifest that can
> be reasoned about without regard to time

This is still a question. However, I think it’s reasonable to say that devices should not pay the penalty for intermediate systems reasoning about an update; we can fix the reasoning question with additional tooling. I have a few ideas about how to manage this that we can dig into later.

> Is there an example (maybe in the draft that I mis-understood) that would
> provide a pair of use cases where being able to do things in different
> orders, *at the control of the firmware update author* would make sense?
> If product A always needs to do action-1 before action-2, and product B
> always needs to do action-2 before action-1, I see no value in a behaviour
> manifest.
> It's when product A sometimes should do action-1 before action-2, and
> sometimes action-2 before action-1 that the behaviour makes sense.

Yes, if it were solely about the flexibility, then I would agree. However, there’s more to it than that.

>
> Again, maybe I just don't understand the proposal.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.