IETF Logo Mail Archive

Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence

Brendan Moran <brendan.moran.ietf@gmail.com> Wed, 17 January 2024 13:31 UTC

Return-Path: <brendan.moran.ietf@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0760AC151080 for <suit@ietfa.amsl.com>; Wed, 17 Jan 2024 05:31:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6bmlC2ZsO40 for <suit@ietfa.amsl.com>; Wed, 17 Jan 2024 05:31:42 -0800 (PST)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1C1C151061 for <suit@ietf.org>; Wed, 17 Jan 2024 05:31:42 -0800 (PST)
Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1d5f4c9c2a6so11192095ad.3 for <suit@ietf.org>; Wed, 17 Jan 2024 05:31:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705498301; x=1706103101; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=yP2aI1mUuFqyVyR2hWVT74Yw+g+7C/xK0EK2URPsGsc=; b=W5l94NC9xcfkN3hIqsxcRQHSV9n0+sKtlfDq7K3TfqPnjgNTWhZa+57bIng8xYyPA0 PnunzN+IUqLDUhvY2lXWn+9KQhEMdF5DRxRDm0uihl5J8ZUcMcevoWapEhWWbJKuUQZe yrzJrng3rOESPfVZWQo3FT+6DXrA1RYZBxuQi/EjXOl44/X/kJDxToKpWSXEEZ/7E0lC bOcJgXqsf2p+oD169EnJbuJOmiNo2N0jGYEwqhz7sASfULR9bes6xfQ0Ozgg1bQJfAES 3DMecW5YvENkKAJiRsg2iq0x2pTheWFg//iWYZSKN1IrSxKT+R5twJXKTaqEy772GV5Q t2zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705498301; x=1706103101; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=yP2aI1mUuFqyVyR2hWVT74Yw+g+7C/xK0EK2URPsGsc=; b=b9NlgP9sCGtKXhyZYgPzBChMb+fwkDOHFGn6DR5kPjZVNxPVT18Ns7SqM386QsdVCT K+m1da2v8meGLbyF25Md3Mu8iqnoMWqT43eFDtpJnJEKUL2L6jAHMsmptSIOBVh8O5lu Ru6OeqGu15rqDjMxvCU/xif6ktodW4xx/idgm7rWy4Hb5w7oS8iw3v0yw+g40kzZz52N 0eiURwzQuB0thKIrlfkUhoudc0ib+Wzs/JbErrGUjoEM52qX87sqKmAK4aoo+K3J1xBD xCyMgTaK3ARjFkHoNVGGKfWIAPlev+IYDKPpUtSE92uUSvIK7mc3FAf5FAUCseeUPj0g YgQg==
X-Gm-Message-State: AOJu0YxB+Ee71i4Y2lsA3+G8FzXWz4MlFaYEYRN9XqPpp+s/A7QRMr+a sjcbdFdngZRMX87dOcvHnxE+c7SZ7MlnpeyI/Sg=
X-Google-Smtp-Source: AGHT+IGsKTkLYfiPNoY0uK+ftU+MNJULO0nQTqN9ElHPgqGHzxois76ncBj9Xw21M0mRiQe8bofLM33f0vU+kDjCG1Q=
X-Received: by 2002:a17:90a:9a2:b0:28c:fdcd:ba47 with SMTP id 31-20020a17090a09a200b0028cfdcdba47mr6047623pjo.25.1705498301307; Wed, 17 Jan 2024 05:31:41 -0800 (PST)
MIME-Version: 1.0
References: <DU0PR05MB1007598D80C708EF5E31D6C1FF196A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB5576FEBEC9ADFCEFFA5C9F51EA96A@DBAPR08MB5576.eurprd08.prod.outlook.com> <DU0PR05MB10075EA07524D2FDEF829D988F195A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB557690042715F2B1DC523EBCEA95A@DBAPR08MB5576.eurprd08.prod.outlook.com> <DU0PR05MB100754DCE8CCCE2E161D9AD8FF194A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB5576463CBE50C94061E5723AEA6F2@DBAPR08MB5576.eurprd08.prod.outlook.com> <DU0PR05MB10075E115F960173C2A2EBB49F1722@DU0PR05MB10075.eurprd05.prod.outlook.com>
In-Reply-To: <DU0PR05MB10075E115F960173C2A2EBB49F1722@DU0PR05MB10075.eurprd05.prod.outlook.com>
From: Brendan Moran <brendan.moran.ietf@gmail.com>
Date: Wed, 17 Jan 2024 13:31:30 +0000
Message-ID: <CAPmVn1Ne_-skgZgHOgY2Ltc0mqzn6sKFPpu0XDtvjwALYN1eHw@mail.gmail.com>
To: "Kończyk, Sylwester" <sylwester.konczyk=40nordicsemi.no@dmarc.ietf.org>
Cc: Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/SYJZlOItxluB5zfzuKdEvfhlJws>
Subject: Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 13:31:43 -0000

Hi Sylwester,

I think I haven't been completely clear on this. Please see my comments inline.

Best Regards,
Brendan

On Wed, Jan 17, 2024 at 7:23 AM Kończyk, Sylwester
<sylwester.konczyk=40nordicsemi.no@dmarc.ietf.org> wrote:
> To make sure I understand your examples - When you are mentioning "System Validation sequence" - are you referring to SUIT_Command_Sequence suit-validate? In case of "load sequence" mentioned in your last post - does it refer to SUIT_Command_Sequence suit-install?  As I understand, the trick would be to execute suit-validate twice, first time - prior to suit-install, second time, in invocation procedure, prior to suit-load.

[BM] For lazy installation, I am referring exclusively to the elements
of the Invocation Procedure.
By "System Validation sequence," I meant suit-validate.
By "load sequence," I meant suit-load.

Suppose there is a device that has a staging area (Component ID
["Staging"]) and an active firmware (Component ID ["Active"]). A
manifest (JSON-style) that would satisfy your needs is as follows:

{
    "suit-authentication-wrapper" : "omitted",
    "suit-manifest" : {
        "suit-common": {
            "suit-components" : [
                ["Staging"],
                ["Active"]
            ],
            "suit-shared-sequence" : [
                "suit-directive-set-component-index", 0,
                "suit-directive-override-parameters", {
                    "suit-parameter-image-digest" : "<Staging image digest>"
                },
                "suit-directive-set-component-index", 1,
                "suit-directive-override-parameters", {
                    "suit-parameter-image-digest" : "<Installed image digest>"
                }
            ]
        },
        "suit-payload-fetch" : [
            "suit-directive-set-component-index", 0,
            "suit-directive-override-parameters", {
                "suit-parameter-uri" : "https://suit.example/lazy-install.bin"
            },
            "suit-directive-fetch", 2,
            "suit-condition-image-match", 2
        ],
        "suit-validate" : [
            "suit-directive-set-component-index", 1,
            "suit-directive-try-each", [
                [
                    "suit-directive-set-component-index", 1,
                    "suit-condition-image-match", 2
                ],
                [
                    "suit-directive-set-component-index", 0,
                    "suit-condition-image-match", 2
                ]
            ]
        ],
        "suit-load": [
            "suit-directive-set-component-index", 1,
            "suit-directive-try-each", [
                [
                    "suit-condition-image-match", 2
                ],
                [
                    "suit-directive-override-parameters", {
                        "suit-parameter-source-component" : 0
                    },
                    "suit-directive-copy", 2,
                    "suit-condition-image-match", 2
                ]
            ]
        ],
        "suit-invoke":[
            "suit-directive-set-component-index", 1,
            "suit-directive-invoke", 2
        ]
    }
}

As you can see, each time the device boots, the bootloader uses
suit-validate to check whether EITHER the active image is correct OR
the staged image is correct. If EITHER condition is true, then it
proceeds to suit-load. During suit-load, the manifest directs the
bootloader to determine whether the active image is correct. If it is
not, the bootloader (having already verified that the staged image is
correct) copies the staged image into the active image component. Once
the copy is finished, the bootloader verifies that the active image is
correct. Then, it proceeds to suit-invoke. suit-invoke simply invokes
the active image, having already verified that it is correct.

>
>
>
> Logical steps, applying “lazy installation” on examples from my post would look like:
>
> 1.            Staging procedure carried out by the APP.
>
>                 - suit-dependency-resolution
>
>                 - suit-payload-fetch
>

[BM]: Step 2 not needed.

> 3.            Invocation procedure carried out by the BL.
>
>                 - suit-validate
>
>                 - suit-load
>
>                 - suit-invoke

... SNIP ...

>
> Getting to conclusion - both solutions ("lazy installation" and introduction of suit-pre-install-validate) would work. The only question is what is simpler, or rather what kind of simplicity should be sacrificed:
>
> Having two dedicated validation sequences - in that case existing specification shall be extended.

[BM]: The specification would be slightly more complex. I don't know
if it is enough additional complexity to be an issue. The bigger
problem is that suit-install could exist in one of two procedures.
This leads to some implementation challenges that I find quite
concerning. Changing this requires a change to the Manifest
Specification. It seems that it would be safer to add two sequences:
one pre-install-validation sequence and a separate,
post-validation-install sequence, then group both of these in a
separate procedure--would these new sequences be severable? I would
assume so since they are not needed once installation has completed;
that said, they should be minimal in size, which makes the value of
severing them questionable.

> Adding extra logic to suit-validate and execute it twice - it will require a more complex content of suit-install.

[BM]: As I described above, suit-install is not executed twice.
suit-load is used instead.

>
>
> Obviously, I would prefer to have dedicated suit-pre-install-validate at disposal. I see following benefits of such approach:
>
> Having clear separation of two concerns - validation prior to installation and validation prior to invocation. I would be glad to have similar clarity as it is already achieved for invocation procedure and three available command sequences.
> Simplified logic in appropriate sequences, causing that definition (creation) of manifest would be less error prone.
> suit-pre-install-validate could be severed after installation, therefore space reserved for installed manifest could be smaller.

[BM]: As described above, suit-load is for loading images into their
executable locations, post validation. While suit-load can be used for
loading into volatile RAM, it can also be used for loading into NVRAM.
This seems to be your use case.

My big question is whether you see sufficient semantic difference,
between this type of loading operation and a discrete installation
step, that we would require a whole new procedure. I'm definitely open
to that, I just want to be sure we have covered the alternatives
first.

v2.23.0 | Report a Bug | By Email