Re: [Fud] initial comments on draft-moran-fud-manifest-00
Brendan Moran <Brendan.Moran@arm.com> Wed, 30 August 2017 11:33 UTC
Return-Path: <Brendan.Moran@arm.com>
X-Original-To: fud@ietfa.amsl.com
Delivered-To: fud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B718132FD1 for <fud@ietfa.amsl.com>; Wed, 30 Aug 2017 04:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKgwShs9LFkk for <fud@ietfa.amsl.com>; Wed, 30 Aug 2017 04:33:35 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0049.outbound.protection.outlook.com [104.47.0.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F02A5132FDF for <fud@ietf.org>; Wed, 30 Aug 2017 04:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dn4h/QZF9X5o6x9p/4L7gdKWzkuO4xRBza8bjgq9hqo=; b=ZPXO4eo8BgRNgVNbdr/aO93yt+N/7TgxoVH8vVE/tUv573pqNKsy3+ZKtP4FXOhi/vRf5AxaerrpC1Xc89TMtTpxshAxchA2+tXEuAF7AbEc7N7zw8vb8NJNqFdvXIKrTSgaSiWV5WAnH7YnroFo1xXtroRJdWdpKZZHwC6iPkY=
Received: from AM4PR08MB2836.eurprd08.prod.outlook.com (10.171.191.30) by AM4PR08MB2674.eurprd08.prod.outlook.com (10.171.190.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10; Wed, 30 Aug 2017 11:33:32 +0000
Received: from AM4PR08MB2836.eurprd08.prod.outlook.com ([fe80::b9a4:51df:9b8:731]) by AM4PR08MB2836.eurprd08.prod.outlook.com ([fe80::b9a4:51df:9b8:731%13]) with mapi id 15.01.1385.014; Wed, 30 Aug 2017 11:33:32 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: "fud@ietf.org" <fud@ietf.org>
CC: Emmanuel Baccelli <Emmanuel.Baccelli@inria.fr>
Thread-Topic: [Fud] initial comments on draft-moran-fud-manifest-00
Thread-Index: AQHTIYPOfF1uss4rc0SEDiee3LeIeg==
Date: Wed, 30 Aug 2017 11:33:32 +0000
Message-ID: <C264CEFB-71EB-43FB-BD12-5F116280F712@arm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3273)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.96.140]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR08MB2674; 6:u1DbdA88pnt3/rQP/2gBUwrZ9Lz5IVYRUWVZ46h5F274lf9I06FumWjHbK6/MJ+GDBbJh9i11Vc9QXg/zCCX1XpALgi/FWctP7oRdMwviGDLHQpzN4lnq8T9IJOfcSazg0H2fQG7J7OeExz2NZcbTHV2eXpkdzH3HV1sVQNhr5UlSs14/TaMQRp0quxDWewUa+eVh6UlIpYEdE7peIcyl6d+iy5ySQQ5A3l91q02EoN5+92xPldIsbik4fJUnwwF+KlRiGsOHntznnaXEpR+SZ+hI0Jf/1n5LcGp8+UOqG4ft35lgDKhVkQzzlzQCxgUBVH5P9wZAjRfDSo/Xt6rcQ==; 5:NfamDirs2/bLbDu8MfWE4xQ57C5zo48eP1e1T+9HAJguqBe+isT5ATYxUpFbG0/fXzyW0RoWonKlsQv7KUiXWpFvMVtY3mZyNO0xdRr1zcsmvXjylxQNp4S84i060TdvVTwCeItYIqm5sKYNHa4RkQ==; 24:5n3+OtTmVM2GQEQ6kuNKIPNFbjBkM1TxzRoghs684WJRlmBAf9+xfaPvUeTVznE0zFtS1W3pQgh5TDkLxMhhGHbWvPKjF9RyAZjUNRuLN3s=; 7:HLi1HyScyM6UEgyTYpjr9oeDlR52tzQk4d9qQMg80Wes+QDDGwc9Ndx0DzpsGQQ2ttg7jQJu+yBsZYqSPCX4ykvArjvyW10geyvl71deRLjIOPOsRzcilMZIX+FQVs/9yq7FKFb2hWY95ffTwvavZDBN+DzuoKXk6HPnojGgHw17U5FE8eeX3+V0jWD6B2KdBRSYsDhUU2P/aEMtadycxfYPxz9MEpgHdCxrTa55+ns=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: a3c2a245-4ff1-4967-699f-08d4ef9af185
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:AM4PR08MB2674;
x-ms-traffictypediagnostic: AM4PR08MB2674:
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-microsoft-antispam-prvs: <AM4PR08MB2674CA297014A27EA1CAE360EA9C0@AM4PR08MB2674.eurprd08.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(3002001)(10201501046)(93006095)(93001095)(6055026)(6041248)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:AM4PR08MB2674; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:AM4PR08MB2674;
x-forefront-prvs: 041517DFAB
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39860400002)(40434004)(24454002)(199003)(189002)(97736004)(53936002)(6512007)(99286003)(106356001)(478600001)(68736007)(2906002)(83716003)(86362001)(6246003)(5250100002)(230783001)(5640700003)(6506006)(189998001)(2501003)(105586002)(6916009)(110136004)(2351001)(5890100001)(66066001)(1730700003)(50226002)(33656002)(36756003)(229853002)(101416001)(14454004)(3846002)(81156014)(5660300001)(6116002)(8676002)(102836003)(81166006)(3280700002)(4326008)(57306001)(25786009)(50986999)(7736002)(72206003)(6436002)(305945005)(82746002)(8936002)(6486002)(3660700001)(2900100001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR08MB2674; H:AM4PR08MB2836.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <9C181023FCFF0249B24D34EECEA260CD@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2017 11:33:32.1199 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR08MB2674
Archived-At: <https://mailarchive.ietf.org/arch/msg/fud/oY-AUNMAkqYxX569gzNxhktEB68>
Subject: Re: [Fud] initial comments on draft-moran-fud-manifest-00
X-BeenThere: fud@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: FUD - Firmware Updating Description <fud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/fud>, <mailto:fud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/fud/>
List-Post: <mailto:fud@ietf.org>
List-Help: <mailto:fud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/fud>, <mailto:fud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 11:33:38 -0000
Hi Emmanuel,
I have placed comments in-line.
Best Regards,
Brendan
On Wed, 19 July 2017 18:37 UTC, Emmanuel Baccelli wrote:
> =====
> General comments:
> =====
>
> Let's make sure that a minimalistic version of the manifest format is
> applicable
> easily to low-end IoT devices:
> - class 1 devices (RFC7228) with a single MCU,
> - very low bandwidth network connection,
> - may not have an "interoperable" notion of absolute time,
> - …
Agreed. The drafted manifest format should be compatible with this, however there may be compromises, e.g. in terms of the type of cryptography used for signing.
> As additional reference points, let's also look out the (work-in-progress)
> metadata format
> of RIOT images [1], and of MCUBoot images [2] which
> In particular, the whole metadata of a RIOT image fits in less than 200
> bytes.
> A nice goal could thus be that we aim to fit a minimal (but compliant)
> format
> of the manifest within 256bytes.
The default size of the manifest is < 512 bytes, however it is a bit different than the RIOT metadata header. In addition to the contents of the RIOT header, the manifest includes:
- vendor and model identifiers to prevent installation of firmware on the wrong device. These are also used to allow a device manager to identify the provenance of an update.
- a digest identifier to allow for flexibility in digest algorithm
- a URI to allow for flexibility in the distribution of the firmware itself (see comments above)
- a nonce to protect the signature algorithm
- a storage identifier to allow the target device to decide where to store the payload in a system that uses more than one area of firmware (for example if the network stack is updated independent of other components). This is roughly equivalent to start_addr
- a format specifier to allow for more advanced update schemes such as compressed images
- a timestamp for rollback protection
In addition, it uses CMS for proving the authenticity and integrity of the manifest. In the mode we have selected, this includes several additional OIDs and an additional hash.
Manifests are approximately 420 bytes with these features, except using a trivial storage identifier and no reference URI.
If these values are not included in the manifest, the system must imply them in some way, either by being assumed or by being hard-coded. Therefore, I believe that these features are necessary for the manifest to apply broadly to IoT devices.
> # In section 3.1
>
> timestamp:
> If we want to cover the cases when the device has no notion of "now",
> (i.e. is not time-synchronized with the author/server/storage)
> the device will only be able to interpret this field as some kind of
> sequence number. This does not bringing much more information compared to
> the version number field.
> In particular, I'm wondering why the timestamp actually protects from
> downgrade attacks:
> I suppose we trust that newer software will have newer version numbers.
> Is it to cover the case when the version number "wraps around"?
The timestamp is effectively a sequence number for the manifest, however, it is intended to work with a minimum of chances of error. If several firmware authors take turns issuing new firmware for devices, there is a chance for errors when selecting the correct sequence number due to the coordination between different actors. This is even more problematic when a new manifest must be issued for an old firmware (the permitted form of rollback). Timestamps, however, are monotonically increasing and globally synchronized.
While this could be implemented another way, with user-defined sequence numbers, timestamps make it easy to get the sequence number right and hard to get it wrong. They also provide extra features in systems that do have a concept of local time.
> # In section 3.2
>
> I would suggest we add the format type "script".
> We have use cases where modules might be scripts.
I'm happy to add new format types, however "script" is not specific enough without additional information. I suggest that we amend the format as follows:
FormatIdentifier ::= SEQUENCE {
format CHOICE {
enum ENUMERATED {
rawBinary(1), hexLocationLengthData(2), elf(3), bsdiff(4)
},
objectId OBJECT IDENTIFIER
},
parameters ANY DEFINED BY format OPTIONAL
}
PayloadInfo ::= SEQUENCE {
formatId FormatIdentifier,
encryptionInfo EncryptionInfo OPTIONAL,
storageIdentifier OCTET STRING,
size INTEGER,
payload CHOICE {
reference ResourceReference,
integrated OCTET STRING
}
}
This would allow "script" to be descriptive by adding additional information in the parameters section.
> nonce:
> I'm not sure the case of "producing manifests too quickly" with the same
> time-stamp
> is realistic.
> Even if it was, since a nonce is random, the nonce would not help to decide
> which
> firmware is newer.
> However, we could assume that the version number would be lexicographically
> greater
> in the newest firmware.
> Hence, I am unsure what is the function of the nonce.
The purpose of the nonce is to ensure that the same data is never signed twice. This protects the signature algorithm from some classes of attack. On modern hardware, it's quite easy to generate many manifests in a second, so the timestamp is insufficient to guard against multiple signatures of the same data.
> storageIdentifier:
> as per my comments to the architecture draft, I suggest we focus first on
> the case
> where there is only one MCU.
> Should this field be optional?
The behaviour of storageIdentifier is application-specific. It can be used to designate: a firmware module in a multi-module system, for example a bootloader, vs. a main application. It can be used to designate a particular processor in a multi-processor application. The interpretation of the storage identifier is entirely up to the application. This means that it can even represent the start address if that is desired.
> # In section 3.3
>
> "Apply an update only to devices that match the vendorId, classId, deviceId
> attributes"
> is this condition not necessary in all cases?
This was a compound condition. There are situations where you may want to apply an update only with a matching deviceId, there are also situations where you might want to apply an update to a matching vendorId and classId, but to many devices. So, vendorId and classId might be considered to be always mandatory, however, deviceId is optional. However, I dislike giving vendorId and classId their own dedicated entries, because it makes the format more complex to parse and process. Having vendorId and classId in the conditions seems cleaner.
> Conditions on absolute time:
> see my above comments on absolute time, and time synchronization
> requirements that might
> not be met in low-end IoT devices.
Yes, this may be a problem. Presumably, such a device could report an "unimplemented feature" error, etc. Authors of updates need to be sure that they don't use features that aren't implemented on their targets. This will cause a failure, but this should be a graceful failure, since a device will continue to operate unhindered in the architecture described.
> # In section 3.4
>
> Here again I propose to focus on single MCU cases first.
Multiple firmware images does not necessarily imply multiple MCUs. There may be multiple firmware images on a single device. For example, a device with an integrated cryptographic accelerator may require a separate image to update that accelerator. Likewise, there are WiFi IoT devices that download a firmware image to the WiFi chip over SDIO on every boot. These could be distributed as separate images, despite being hosted on a single MCU.
> # In section 3.5.2
>
> make it optional?
This cannot be optional because it is used by devices to match incoming manifests to their hardware.
> # In section 4.
>
> Do you have an estimate as how many bytes this is over the air for the
> manifest?
The DER-encoded manifest is generally less than 512 bytes. This can vary, depending on content. If a certificate is included, that will increase the size. For secp256r1 curves, a certificate is approximately 650 bytes.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Fud] initial comments on draft-moran-fud-manifes… Emmanuel Baccelli
- Re: [Fud] initial comments on draft-moran-fud-man… Brendan Moran