IETF Logo Mail Archive

Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00

Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> Tue, 12 March 2019 12:00 UTC

Return-Path: <frank.kvamtro@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 859BD130F24 for <suit@ietfa.amsl.com>; Tue, 12 Mar 2019 05:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.922
X-Spam-Level:
X-Spam-Status: No, score=-0.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yArh24Q8K9Ny for <suit@ietfa.amsl.com>; Tue, 12 Mar 2019 05:00:23 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40049.outbound.protection.outlook.com [40.107.4.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11067130E6C for <suit@ietf.org>; Tue, 12 Mar 2019 05:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector1-nordicsemi-no; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=saaWsrrz8a4zIwEwPirsbVDlNoV6VmNI05StU57TFBE=; b=wxpyGweucHHQlV8PPn2ERkhRts/YZmXP0VVTe0M67d4+JIxuJxKIMsHKkfhSLn4W3d1DdAzwLLoTmhKL/etY7LXlSe3CZt5wwTmLxu9iMYcfi7Oeu1xLDK+g/3NQ05MBI15+wGWu12CW9TpUnEDYIkqIi2gMdx15kRSodzJYTIo=
Received: from VI1PR0501MB2288.eurprd05.prod.outlook.com (10.169.135.13) by VI1PR0501MB2704.eurprd05.prod.outlook.com (10.172.15.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.19; Tue, 12 Mar 2019 12:00:14 +0000
Received: from VI1PR0501MB2288.eurprd05.prod.outlook.com ([fe80::b00c:a435:903a:2c88]) by VI1PR0501MB2288.eurprd05.prod.outlook.com ([fe80::b00c:a435:903a:2c88%8]) with mapi id 15.20.1709.011; Tue, 12 Mar 2019 12:00:14 +0000
From: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
To: Brendan Moran <Brendan.Moran@arm.com>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: Introducing draft-moran-suit-behavioural-manifests-00
Thread-Index: AQHU1b7FUHOtQLPEbkmOXwapehVVpKYGW6HwgAFuMgCAABz3EA==
Date: Tue, 12 Mar 2019 12:00:14 +0000
Message-ID: <VI1PR0501MB22880D5928006E6341DFCBF2FC490@VI1PR0501MB2288.eurprd05.prod.outlook.com>
References: <A65149C9-4CEF-4343-9B03-20BC8E60288E@arm.com> <VI1PR0501MB22885868BFB301CA087E621DFC480@VI1PR0501MB2288.eurprd05.prod.outlook.com> <64367D8F-3B10-46D4-B133-74E4E056804A@arm.com>
In-Reply-To: <64367D8F-3B10-46D4-B133-74E4E056804A@arm.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=frank.kvamtro@nordicsemi.no;
x-originating-ip: [194.19.86.146]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 608e4cc1-2aec-4891-f3fb-08d6a6e2494f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:VI1PR0501MB2704;
x-ms-traffictypediagnostic: VI1PR0501MB2704:
x-ms-exchange-purlcount: 2
x-microsoft-exchange-diagnostics: 1;VI1PR0501MB2704;23:eyvBBzUbTcD2/er9zTZxeq5ypzJjSgJcFmbkP85xPARma84+S7yPKfBxjOS0y3oGTovBlPJDfCiGH9jgYOwnX12H91ng0gOmZtuw9kQgHKJf0ouR2P9SQwYRNk5KzI4/81eX6Fa0jbg8ZsFsUA3kmdEE8P/jclTCs8utn8N7XQnxF2RltHIhbAy3cnZQT5Zf2hALGXznQFRfdfoLkhhSTeGYa+r3XBCwLwFclrhS2a/iJBu+m9wszUr3j3MbuoEWMgu0F9NQpjwcI8Fe2aAPH12EzGTOnI5Osmyjqa1p3W/JPQub2JxpNPhzqlpbBnKxQe+ejLMNpRuaUVhNfvFcF0Qim26V6QGGZsOGArBnE3l9pW9gyB2HeMvKPs07nBmnNtxYE0YwsD3Yc9jvCOSBpqJ1C9SfPZBmhzpPlS2MxltC/jFhylCNa55Z//vHebECn2x4674moqx2LjuCDbgfH/Eb3GfWh1Uhv/83s/064fGNcy3lMBxCkZlU8Jl6mRsyju/6uA3m6C9pcaYVLoswco4xUcXmGYnYPQjF6FtOgwFetfGwePQW6SJS9ro5LKI+k4eQFrFOVFf3wGo2GGQF6UZ/0rzsUAvnG0hAPcXTtTg2Qp1ov8sJMsfY2bp7Xljd8tbFkuLRDFdQ+OLslcxfPUuIa8xPU43L3/gECtDX0U//ONV9VH24sxB2dJItKOrdmiEN5dnbxhYSRjzuHf/f+kHedlJVToO/P1e/6geW9kVgf2IMMWvPvKkJjAJYNfVn83nOiupqUXBJ9OB33Avw8W/lkyP21vsmojs+I5LFtmMy7Bbumw7R+JgQXLv4NA7jn1nSt8VGJN31a0UAIy3ZwpCsmB6LwqqL711HChNWLmK7DwbrpKB2FHRo63xb6QsjY+1MDSpHcQTJQBKQ9GQPLCcrffW0KWrlnJzjJ2hwUvVnTG137cF9cJPSFGqpskSnoPeJMIFWAXoDWbWLyEUHM3CU7G+1hmF/abZl5kvKinqm0tX6NMqhy56HBNEqg1lCjgTbpLl5BnQjI3Dm07WxxDMa66PE15Rzl/bg6JaG7QPczrZ5PHpRxSM7kqGjehFcAYXGt07qNYVvKMoCWRxeBsqAG1F/6eef6iqpfjrZChXgIE0/gd1Q4zqun03Uf7fTfNcBTDsAGdGpvaX9M6U8l0CCgG+RiOVMJ2onQTADEzgBEOiYyeiINIx9+2esK7/0Mas5JmDoumZuq7mwndGJFuPtXNaPkeXmM2ZrUI9aF/+MKg/VLrN/gcn6v9zBpbBez+efQuTXAQf1TK5Y6fvhYzTECf+gULm/18+T1KqWWHfNdaOfkBUVAO6GCBnfZTwGt0PMcXeXq5VVzdA0etyw5wYm6QR8mqo1iTOIj5fIUiW/pBRnLIfdZWEn0GRlPn4W
x-microsoft-antispam-prvs: <VI1PR0501MB2704917EFCFDA1A9BB9A9949FC490@VI1PR0501MB2704.eurprd05.prod.outlook.com>
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(39850400004)(136003)(346002)(396003)(13464003)(199004)(189003)(54094003)(6246003)(74482002)(2906002)(106356001)(97736004)(6116002)(68736007)(486006)(105586002)(66066001)(3846002)(6306002)(53936002)(86362001)(99286004)(9686003)(55016002)(25786009)(8676002)(81156014)(316002)(76176011)(81166006)(229853002)(102836004)(11346002)(4326008)(14454004)(7696005)(6506007)(186003)(5660300002)(256004)(5024004)(6436002)(14444005)(53546011)(8936002)(52536013)(85182001)(478600001)(7736002)(26005)(6916009)(446003)(476003)(74316002)(71200400001)(966005)(33656002)(71190400001)(305945005)(777600001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0501MB2704; H:VI1PR0501MB2288.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nordicsemi.no does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: vT1gjxpvyHp/sXseNSbuZJPtCa99fhiwkmqfkYjYvAl/xxPEXPTqjPcRM8Y+61iem2LXCUouYDSxsBJGsIrb4IN/dQ5luy9WqTHdpMHSXn+4+jtS8hWqCB+SyKEhou/fU2aLN64lmGwo4cxzKqDK3zEklnsTAY9b7NabgSEtOvRcvuGvk7mHbIC8Cpw702bLxnpRYkDtw4DVgy8aEGfUHOEbUsQpTF0426cxJvj1LuvmJgWhQiNaSjmKoLXDzzSp08TW5qsxkTx7VTDMVl3fLUS31R3pM91xRBlAbJACbCObYFPdrOT4Ue4BdSz/7fndNctcn9SZeFRLsUZ5HgBV21yDrOmHKGMpR2pB6lIxhqXr2soKk+SWnUC2wXKFue00M644W38Kr1RZLIbzxh5c+KqhCMM3ImzQOdsWRULGckA=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-Network-Message-Id: 608e4cc1-2aec-4891-f3fb-08d6a6e2494f
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2019 12:00:14.1789 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0501MB2704
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/A2-OQ9xQB65YnlrBbge5qxIdCdg>
Subject: Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 12:00:27 -0000

I agree with all your responses and have no further comments on the document.
This cleared up a lot!

I don't have any strong preferences on the terms, although "check" is 
probably the item that can't be misinterpreted on a different domain
(e.g. validate like validate the format of a condition or test as in a 
system test instead of the actual condition test). This is all subjective,
though. Any of these terms are usable as long as there is good wording
introducing the concepts

Regards
Frank Audun Kvamtrø


> -----Original Message-----
> From: Brendan Moran <Brendan.Moran@arm.com>
> Sent: 12. mars 2019 11:02
> To: Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no>
> Cc: suit@ietf.org
> Subject: Re: Introducing draft-moran-suit-behavioural-manifests-00
> 
> Hi Frank,
> 
> I think you’re right, the draft should, at least, specify that the
> behavioural document, as a whole, needs to be authenticated.
> 
> > On 11 Mar 2019, at 13:15, Kvamtrø, Frank Audun
> <frank.kvamtro@nordicsemi.no> wrote:
> >
> > Great to see work on this!
> >
> > I wonder if this document needs to be a bit more distinct with regards
> > to secure boot. It is mentioned in the ingress, but there are not a
> > lot of indication right now on where to put e.g. an asymmetric
> > signature or MAC to ensure the validity and/or integrity of the
> > processable items as part of the behavior described in this draft…
> 
> You’re correct, the document as a whole needs to be authenticated. In other
> words, the document lives inside an authenticated container.
> 
> >
> > From looking at multiple standards on security the term "verify" is
> > often distinctly reserved to mean cryptographic verify functionality,
> > e.g. using a signature or a MAC qualifying the next jump etc. In this
> > draft "verify" is stated in 5 different versions of conditions, but
> > none of them clearly defines a behavior I would equate to a
> > cryptographic verify function. In my mind I'm able to put said
> > cryptographic verification functionality in the conditions in commands
> 5.2, 5.4 and 5.5 dependent on the use-case.
> > Such functionality is not explicitly mentioned in any of these except
> > from a loose reference to doing a similar type operation, i.e.
> > cryptographic hash function in 5.2 - Verify Image presence, but then
> > the assumption must be that there is a signature at a different level,
> safeguarding the digest.
> 
> I could easily change the term to “validate” or “check” or “test” without
> significant change to the semantics of this draft. I’ll take that on and
> define the terms.
> 
> >
> > I also struggle with this due to a collision in text at the end of
> > chapter
> > 3 where in a paragraph before and after talk about processing steps in
> > chapter 4.1:
> >
> >    "System validation is used to ensure that all required dependencies
> >     are present and that all required images are preset. This process
> >     is equivalent to that used in the validation portion of Secure boot
> >     workflows".
> >
> > I as a reader would equate this to validation being a processing step
> > in 4.1, although the concept "validation" is fairly broad on this
> > level compared to the use of conditional verification in chapter 5.
> >
> > If a cryptographic verify function is to be understood to live inside
> > conditional commands in chapter 5, then I have some proposals:
> >
> > -Change the wording in processing steps (4.1) to limit them to "doing"
> > operations, so instead of stating "symmetric cryptographic operations"
> > simply state "decryption". This means that MAC operations isn't
> > falsely included as a processing step.
> > -Be more explicit on the location and intention of doing a
> > cryptographic verify operation (asymmetric signature check or MAC)
> > inside one or more of the verify commands in chapter 5 or in the
> > ingress of chapter 5 so that it is tighter coupled with the concept of a
> "condition”.
> 
> I think you’re correct on both points. If we were to tighten up the wording
> by stating “decryption,” rather than “symmetric,” it would be clearer. I
> think it would also be useful to say explicitly that all digest verification
> happens in conditions. Signature/MAC verification only happens when
> identifying the authority behind a manifest, as described in Chapter 7.
> 
> > If the content of this operational description is *not* based on a
> > signature check inside said behavioral description, but rather a
> > signature around the complete set of behaviors, then this could be
> > made clearer in the ingress in my opinion
> 
> Signatures around the whole behavioural description are the intent. I will
> try to make that clearer in the next draft.
> 
> > The term "signature" is not mentioned once in this document, and I
> > wonder if this is done on purpose... I think it should be mentioned
> > since secure boot is referenced at several locations in this draft,
> > even if signatures as a concept is skipped on purpose…
> 
> Signatures are treated as a mechanism for establishing authority and
> authenticity in this draft. Signatures and MACs can both be used for this
> purpose, which is why they are explicitly excluded. The whole document
> starts from the assumption that authenticity has already been established.
> 
> draft-moran-suit-manifest-04 has now been published and goes into much more
> detail on these points.
> 
> Best Regards
> Brendan
> 
> > Regards
> > Frank Audun Kvamtrø
> >
> >
> >> -----Original Message-----
> >> From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
> >> Sent: 8. mars 2019 15:54
> >> To: suit@ietf.org
> >> Subject: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
> >>
> >> After IETF103, it became clear that we need to focus more on very
> >> constrained devices and that optimising the format for constrained
> >> parsers was very important. Simultaneously, we were presented with
> >> several more use- cases that required extension and complication of
> >> the format. It very quickly became clear that the existing
> >> serialisation would not meet the stated goals of reducing complexity
> >> in constrained devices, but also enable all the desired use-cases.
> >>
> >> This made it very clear that we needed to take a new approach.
> >>
> >> Internally, at Arm, we have been developing a new sort of mechanism
> >> for describing firmware updates and secure boot. It is a significant
> >> departure from the format we were developing before, but it comes
> >> with a lot of advantages. I’m pleased to be able to share it with SUIT
> today!
> >>
> >> https://datatracker.ietf.org/doc/draft-moran-suit-behavioural-manifes
> >> t/
> >>
> >> This approach focuses less on describing the data that a process
> >> needs and more on describing the actions the process should take.
> >> We’ve been evaluating it against the use cases in
> >> draft-ietf-suit-information-model-02
> >> and more besides, and it produces compact results.
> >>
> >> The forthcoming draft-moran-suit-manifest-04 will be based on a union
> >> of
> >> draft-ietf-suit-information-model-02 and
> >> draft-moran-suit-behavioural- manifest-00.
> >>
> >> Best Regards,
> >> Brendan
> >> IMPORTANT NOTICE: The contents of this email and any attachments are
> >> confidential and may also be privileged. If you are not the intended
> >> recipient, please notify the sender immediately and do not disclose
> >> the contents to any other person, use it for any purpose, or store or
> >> copy the information in any medium. Thank you.
> >> _______________________________________________
> >> Suit mailing list
> >> Suit@ietf.org
> >> https://www.ietf.org/mailman/listinfo/suit
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email