Re: [Suit] draft-moran-suit-manifest-04 - prescriptive

Martin Pagel <Martin.Pagel@microsoft.com> Thu, 28 March 2019 03:14 UTC

Return-Path: <Martin.Pagel@microsoft.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575921201A3 for <suit@ietfa.amsl.com>; Wed, 27 Mar 2019 20:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G1TBbfs0d1tl for <suit@ietfa.amsl.com>; Wed, 27 Mar 2019 20:14:01 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-eopbgr730099.outbound.protection.outlook.com [40.107.73.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 371BC1201A7 for <suit@ietf.org>; Wed, 27 Mar 2019 20:14:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=naUGzk07O+LRuQ3QhQPTKr2d+06k25HBqSOocss3oec=; b=RyGhgCLreoX6HGY2jey7ElwjcQtNfKsLV/zgtnndCDHApUOPMO4Py50EUN6qErkmlFXtzvm4OCHi+mgY+BPe9n9YtNQUIz92DZmN06Yu89EmyD9Z53lKk4WDT/LzB1T+8aUuG9KSNmHjTqBI6xEkbNBnhFQdt8bb7n4YzPBu4C8=
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=xUuxK6eX5djfktGKNVPxCe9V8NHSFJ/dSC9GIbCAHBHJuBLxsY0EaBWa7XQK6YtmDcFB8PqPTAzhSthY4zNm97wgUMCs4Vnl7HO01KGtemnFw8tFS7MVvsvMV8BywORamH3H7i2sCVmJDJOdD/pPi1EJbYvJH3udCMy+Odz/Fk4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=naUGzk07O+LRuQ3QhQPTKr2d+06k25HBqSOocss3oec=; b=xZcBCjiuA+ea78z+XgvCEK4X6IOvMsd7v88faewJb7Oi//Tz5eUnzWL+IE3U6z1TmglKf8WbSPeUDhU38p0iliqBdCNQsnxT2tZuWUSO/ImlVbWD+EhHvwopWgzj62oA/afPakLVk0hMojEr41djXLdrexRyloqbBKVXjBAx7u4=
ARC-Authentication-Results: =?utf-8?B?aT0xOyB0ZXN0Lm9mZmljZTM2NS5jb20gMTsNCgkJZG1hcmM9bm9uZSBhY3Rp?= =?utf-8?B?b249bm9uZSBoZWFkZXIuZnJvbT1taWNyb3NvZnQuY29tOw0KCQlhcmM9bm9u?= =?utf-8?Q?e?=
Received: from BYAPR21MB1317.namprd21.prod.outlook.com (20.179.60.199) by BYAPR21MB1254.namprd21.prod.outlook.com (20.179.57.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.3; Thu, 28 Mar 2019 03:13:58 +0000
Received: from BYAPR21MB1317.namprd21.prod.outlook.com ([fe80::a89a:5b8a:e27c:ec15]) by BYAPR21MB1317.namprd21.prod.outlook.com ([fe80::a89a:5b8a:e27c:ec15%8]) with mapi id 15.20.1750.006; Thu, 28 Mar 2019 03:13:58 +0000
From: Martin Pagel <Martin.Pagel@microsoft.com>
To: Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: draft-moran-suit-manifest-04 - prescriptive
Thread-Index: AdTbfYV7dO45RdMkQRKtZzBYR1IzsAEhD4AAAOFr4uAAYjhKQA==
Date: Thu, 28 Mar 2019 03:13:58 +0000
Message-ID: <BYAPR21MB1317944DCEC63BF8234CBA8F9D590@BYAPR21MB1317.namprd21.prod.outlook.com>
References: <BYAPR21MB1317CA992FE49959A00AB19E9D440@BYAPR21MB1317.namprd21.prod.outlook.com> <ED57D130-8835-4069-AF77-B0D3EAF43FF2@arm.com> <BYAPR21MB13176E50E6EA1150411018689D5F0@BYAPR21MB1317.namprd21.prod.outlook.com>
In-Reply-To: <BYAPR21MB13176E50E6EA1150411018689D5F0@BYAPR21MB1317.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mapagel@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-03-26T04:04:46.8267661Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=5c2d5a37-b73e-42ad-8fd4-086316b147ad; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
x-originating-ip: [97.113.153.108]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e5bc1ae8-81ac-4c37-13db-08d6b32b6b54
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:BYAPR21MB1254;
x-ms-traffictypediagnostic: BYAPR21MB1254:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR21MB12541252E9F7D1C71EB4C41D9D590@BYAPR21MB1254.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0990C54589
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(346002)(39860400002)(396003)(376002)(366004)(51444003)(51914003)(13464003)(189003)(199004)(40434004)(7696005)(446003)(10090500001)(229853002)(52536014)(11346002)(316002)(76176011)(97736004)(53546011)(6506007)(110136005)(478600001)(53936002)(6436002)(6246003)(305945005)(68736007)(74316002)(22452003)(3846002)(6116002)(8936002)(71200400001)(71190400001)(99286004)(7736002)(33656002)(186003)(9686003)(86362001)(486006)(10290500003)(26005)(66066001)(25786009)(86612001)(106356001)(256004)(2501003)(2906002)(72206003)(14454004)(55016002)(14444005)(5024004)(6306002)(8990500004)(81156014)(81166006)(476003)(105586002)(966005)(8676002)(102836004)(6346003)(5660300002)(8770500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR21MB1254; H:BYAPR21MB1317.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Martin.Pagel@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 5DjdbvKpq/Ut4tuN/MGig0bKYcO0nUXhR8uzuNIIJ4ThB/4PQEIkP5+JlqezDjZrfGhB5gX32/Ll1tmN9r7ycHjOr+AP3CX+pwUrq6NP/aTmh0ifdtpwns2fzJmrkuR8BEBNvx30xIGq3VUM3tmp5zd9eN+fyGEbd2FDB1iqkBnkBhtdyMrV9ndaQr2/XN4eItWRabgEooPkUoqor1WGgtgpjiTJlhZIAOZo1EWGwavXP/YDUpz8600OeuHWo5DhxIwqyp82Y/2df2KAzN5apSPoyFpWvO+fcxPLCqiOTbvrd1KGpRCAfG4DPKkrlB5nNIfxOnjaDHqsTz2i+mcExaFd2BDkM1P9z8kxy6b9kwS9jiE9CKDD35goY08+aBNnBMC5RQqk3hiyYFHQ53n5O4O6J2rAyodgAb/zVzpkU3I=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e5bc1ae8-81ac-4c37-13db-08d6b32b6b54
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2019 03:13:58.3269 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR21MB1254
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/YpUZS1IOQ4p0GVXf7CkGjWtTWFQ>
Subject: Re: [Suit] draft-moran-suit-manifest-04 - prescriptive
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 03:14:05 -0000

Hi Brendan, 
Thanks for your background info in your presentation yesterday...

I thought some more about the "no script option". You're right, that we would need to keep the hashes separate then. We still need the download URI list, therefore it would be almost no command list rather than a no command list option. 

In my Feb 13 email (see snippet below), I had also proposed to consider a cloud service enforcing the dependencies rather than to broadcast all manifests and have each device check for applicability based on dependency enforcement commands. Then those dependency commands could be eliminated and it would reduce parsing and processing on the device. For constrained devices this might be another option to consider (kind of a hybrid of the full and the almost no command list option).

I also thought about URIs again and for long URIs compression might result in a smaller manifest, so either relative paths or compression would reduce the manifest size. Any strong opinions from the group?
Best
Martin


From: Martin Pagel 
Sent: Wednesday, February 13, 2019 2:58 PM
...
Cloud vs Broadcast
I believe the current draft is optimized towards the broadcast of many manifests and the device may have to check many manifests in order to determine whether it needs to apply an update while a lot of the manifests would be irrelevant to the device. If however the device could provide its configuration information (vendor and class and version for each of its components) to an Update Server cloud service, the cloud service could just respond with a confirmation that the device is running the proper software or provide a new manifest of the software it should be running. That way the cloud would have the burden of selecting the correct manifest rather than the device. The service may even provide the payload, too, and use channel encryption for privacy. I think it would be beneficial to define a subset which would be simpler and optimized for this scenario, I have no problem if the extra fields (like PreInstallationInfo, DependencyInfo...) would be included for the broadcast scenario.


-----Original Message-----
From: Martin Pagel 
Sent: Monday, March 25, 2019 9:05 PM
To: 'Brendan Moran' <Brendan.Moran@arm.com>
Cc: suit@ietf.org
Subject: RE: draft-moran-suit-manifest-04 - prescriptive

Hi Brendan, 
A quick reply:
- no script option: Even if that's not your intention, why not leave it as an option for constrained devices which rather hardcode the installation process (based on component id for example) rather than implementing an interpreter?
- component id: thanks for the explanation, your proposals is very flexible.
- URIs: The full (prioritized) list would need to list relative instead of full paths. I bet that's better than compression.
Looking forward to further discussions tomorrow.
Martin

-----Original Message-----
From: Brendan Moran <Brendan.Moran@arm.com> 
Sent: Thursday, March 21, 2019 9:19 AM
To: Martin Pagel <Martin.Pagel@microsoft.com>
Cc: suit@ietf.org
Subject: Re: draft-moran-suit-manifest-04 - prescriptive

Hi Martin,

My intent is to produce a generic interpreter. My hope is to make it small enough that it is reasonable to include on very constrained platforms. It’s not really intended for use with none of the scripts populated.


Component IDs:
I don’t think I’ve explained component ID well enough. It’s supposed to be a machine-readable path. To that end, it’s an array of binary strings, which makes it simple for devices to parse. The example I gave was human readable to make it easier to illustrate the point. However, when a device has two places that it can store a payload, it would be possible to use component IDs [h’00’] and [h’01]. If you want a component ID that lets you use an arbitrary offset into flash, then you could have a system as follows:
1. The first element of the Component ID indicates which storage subsystem to use (internal flash, or external SPI flash, for example) 2. For internal flash, the second element could represent an offset.
3. For external SPI flash, the second element could indicate the file name or directory to use.

If internal flash is represented as h’00’ then the component ID for an internal flash target with offset 0 would be: [h’00’,h’00’] With an offset of 0x400, the component ID would be: [h’00’,h’0400’] (in big-endian notation) If external flash is represented as h’01’ then the component ID for a temp file on external flash with path “/tmp/example” could be represented as either:

[h’01’, "/tmp/example”]
Or
[h’01’, “tmp”, “example”]

Because “paths” are extremely application dependent, we have tried to avoid specifying this behaviour much. Perhaps it would be helpful to add a few more examples.

URIs:
Using a mechanism to specify a URI relative path is interesting. How do you see that interacting with the prioritised list of URIs? Another option would be to simply compress the manifest. This is not an option on small devices, but a device that can accept 10 images is not a small device, so a minimal compression library may be a viable option.

I think we should consider adding in some mechanism to deal with this, but I think we should first study whether compression is the right answer.

Dependencies, Unpacking:
You’re right, there aren’t examples of all features. That’s certainly something we want to work towards!

Best Regards,
Brendan

> On 15 Mar 2019, at 23:20, Martin Pagel <Martin.Pagel@microsoft.com> wrote:
>
> Hi Brendan,
> This an impressive re-draft, it's almost a new/separate manifest approach all together. I like the switch from a descriptive approach to a prescriptive one and the fact that the manifest is quite small for the basic cases.
>
> Is your goal to develop a generic installer which could interpret the "script" (apply-image and run-image sections) and apply any number of images on a fairly complicated MCU configuration? (It reminds me a bit of the setup.inf scripting capabilities I added in Windows 2.0) I think that would be quite intriguing for more sophisticated MCUs, but I would expect very constrained MCUs (like the one targeted by MCUBoot) to use a special purpose installer. But because the "script" portions of the manifest are optional, none would need to be present for those cases, correct?
>
> Here are a few specific comments and questions:
>
> * Component Id
> I understand the first parameter is a bstr for name, but what's the second (numeric) parameter? Is that some type of offset? Did I miss the explanation for this parameter?
>
> * URIs
> If you need to install 10 images, the URIs take up a lot of space and there is a good chance they all have the same base URL. How about allowing to specify the base URL and append the component name to that URL?
>
> * Dependency, Unpacking...
> The examples are very useful, but only cover a few manifest options. Can you provide some more examples to cover dependency blocks, unpacking, run_sequence etc?
>
> Thanks
> Martin
>
>
> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
> Sent: Tuesday, March 12, 2019 3:35 AM
> To: suit@ietf.org
> Subject: [Suit] Introducing draft-moran-suit-manifest-04
>
> draft-moran-suit-manifest-04 has now been published.
>
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftool
> s.ietf.org%2Fhtml%2Fdraft-moran-suit-manifest-04&amp;data=02%7C01%7CMa
> rtin.Pagel%40microsoft.com%7Cb7d6c8c8dc1741cca1ba08d6ae18e79b%7C72f988
> bf86f141af91ab2d7cd011db47%7C1%7C0%7C636887819324535098&amp;sdata=tMjo
> 5LUmW7WDoK%2BxK0XeiYNA4v5AR0QREOc95SzfZUE%3D&amp;reserved=0
>
> This draft is the result of combining the information model in draft-moran-suit-behavioural-manifests-00 (the 01 version fixes example formatting only) with that in draft-ietf-suit-information-model, then serialising the result in CBOR. This is a significant departure from previous drafts. It attempts to preserve flexibility, fully define the behaviour of recipient, simplify the manifest structure, reduce code-size of the recipient, and reduce the size of the manifest. This ambitious set of goals required a significant change in approach as compared to draft-moran-suit-manifest-03 and before. In order to outline the approach clearly, we have separately published draft-moran-suit-behavioural-manifests-00. draft-moran-suit-manifest-04 focuses more on the serialisation of the manifest.
>
> I look forward to discussing this draft in more detail.
>
> Best Regards,
> Brendan
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> ietf.org%2Fmailman%2Flistinfo%2Fsuit&amp;data=02%7C01%7CMartin.Pagel%4
> 0microsoft.com%7Cb7d6c8c8dc1741cca1ba08d6ae18e79b%7C72f988bf86f141af91
> ab2d7cd011db47%7C1%7C0%7C636887819324535098&amp;sdata=gYTNV%2F5csvYdPf
> OYcaco4G5AUL2SyZVaSRataXxQ960%3D&amp;reserved=0

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.