IETF Logo Mail Archive

Re: [Suit] manifest18 review

Brendan Moran <brendan.moran.ietf@gmail.com> Thu, 11 August 2022 21:24 UTC

Return-Path: <brendan.moran.ietf@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 477D8C15C535 for <suit@ietfa.amsl.com>; Thu, 11 Aug 2022 14:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQsKWwkX1O1O for <suit@ietfa.amsl.com>; Thu, 11 Aug 2022 14:24:17 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C60AC14F607 for <suit@ietf.org>; Thu, 11 Aug 2022 14:24:17 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id br15-20020a056830390f00b0061c9d73b8bdso13546086otb.6 for <suit@ietf.org>; Thu, 11 Aug 2022 14:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=nDIFFTJkeTDVPR3Yzl690S4GD3aVI3kCx6+sCJREEeE=; b=TiJf1CeSfS/JK2Zm16f5UcAzP7j/BkTY8m7TmHLs+3yaRnNif1QMZ7zg3ZA7wb/6dJ mzoMe6vL4MgSpob08RApF9pAlqskX9etOFKUMRx1QThpyUJN7eF6gxS/FV9iy30nwIyS GWxlNNFQtDgVV1DDV5cMzpehIuwO1R5bf1mgqfRadc6yTjW/WBfr8bqxtKacHWUvD5fv hGgIR6+qvJc+8WWFDMtTB/8wWbF8h1ycw23E85+d0HP8uaZDBJuFFwqBC5Zd/0d4sCpe GkTu9fv5n4UI693xsucTP6TJYXe6ItFqms+c0BYLyfXMaFynIB1qUhaLORpQn2JjvJYg BqfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=nDIFFTJkeTDVPR3Yzl690S4GD3aVI3kCx6+sCJREEeE=; b=vvGJvYK5SHaOeCnz/IZD/jxeSFZseuoSKs3xY2aSwBiP6x1op3ZTILHVwikjsNO7NQ EzpqD7h6n/rAgNKoVF6ingLu6mhhzbaU3dtOSPeqRARmgWz9gJSVK5hc7Bt+iUtIrSK7 EXTAjW7Cq9xEnpbOV1TjzUYicO/VjfMVLgp9Vj6XxzLt3kz1xL8/RMMje4TPJuUwbB/m yVr1Z41vOaCVSMbNtF5J2EBhwB93j2GYtvYkpM7hJxbccf2EFGIgy+ZWEouVYgBXw4ce rDHjo4zm2ZArUfd500a0K5owXs8olAvPdGUoI5CJRqGhsBOfd38NkfyXIa206k38k9Xb y4Ng==
X-Gm-Message-State: ACgBeo3nn9idS9sgQ/cZRe3YkvVPplUheUAnzpbv6jXULWPW/BW5eZi5 rWnw/ad8IPr86mpSmJHWNoYE6MpkW1PB+BP9CdC0LbIF4LAQlg==
X-Google-Smtp-Source: AA6agR6YYcwjOvdBv1ck+I07uGthUDvRrfPauV8ib+tH+ukb+QNKvwdde9jRzP8O+kJxYTTZEiHRmbY0ZOC9GWGCi9I=
X-Received: by 2002:a05:6830:2783:b0:60c:1052:b67d with SMTP id x3-20020a056830278300b0060c1052b67dmr338080otu.313.1660253056417; Thu, 11 Aug 2022 14:24:16 -0700 (PDT)
MIME-Version: 1.0
References: <AM9PR05MB7668A62C66CC7A2F2F86125E88639@AM9PR05MB7668.eurprd05.prod.outlook.com>
In-Reply-To: <AM9PR05MB7668A62C66CC7A2F2F86125E88639@AM9PR05MB7668.eurprd05.prod.outlook.com>
From: Brendan Moran <brendan.moran.ietf@gmail.com>
Date: Thu, 11 Aug 2022 22:24:05 +0100
Message-ID: <CAPmVn1M_2REwWkkmYnHcUhViDhryBrL5E9Fy7mGLSb2KAAdsxg@mail.gmail.com>
To: "Rønningstad, Øyvind" <Oyvind.Ronningstad=40nordicsemi.no@dmarc.ietf.org>
Cc: "suit@ietf.org" <suit@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa44a005e5fdc9d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/bzX9GNKYgv9umSD1P6mnSE7-_9I>
Subject: Re: [Suit] manifest18 review
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2022 21:24:21 -0000

Hi Øyvind,

Thank you for your review. I have started working on making some of the
changes you've suggested. I do have a few questions:

1. The write directive. I'm not fundamentally opposed to this directive,
but I do have some questions about the intended behaviour. Primarily, I'm
concerned about the verification of data written in this way.

- When a component is written with the write directive, how is the write
checked to ensure that it was completed correctly?
- When using a SUIT manifest for secure boot, how is the component verified
an expected value?

Obviously when a component is smaller than a digest, a direct comparison is
a good option, but this is not a feature of the SUIT manifest. So then, how
should we proceed? Do we need a new command for verifying small
components against raw data that's present in the manifest?

What happens if the component is written in a severable section? Then the
data is lost when that section is severed. Do we need a rule that raw data
must not be placed in a severable section because it then becomes
unverifiable?

2. The problem with an envelope version is that it can't be trusted because
it is not part of the signed container. I'm not sure how much of a problem
this is. We could add a version but I'm not sure what it would tell you
that the tag doesn't. The only time that the tag would need to be changed
is if we change the delegation mechanism, the authorisation object or the
manifest *before* the version number (which is element 1). In other words,
as long as we don't change the delegation or authentication block (which is
just a digest followed by a list of COSE objects anyway) we should be fine?
Is there a scenario I haven't considered?

3. You're right that the two meanings of run have a namespace collision. We
have a few words to choose from: run, execute, invoke. We use "invoke" as a
catch-all for secure boot and secure program launch already. What would you
think of replacing run(current) with invoke(current)?

4. I'm fine, conceptually, with renaming "common sequence" to "shared
sequence," but this does come with the side-effect that the common block
will now contain a shared command sequence instead of a common command
sequence. I don't think that this is an issue and I do see the problem with
lexical scanning of "common sequence" versus "command sequence."

5. false is not a valid value for IndexArg in the CDDL. Internally, a
parser may use false for the Component Index when a Dependency Index is
set, but this has no effect on the CDDL. You're right, this should be
uint/[+uint]/true

6. I think that the restriction in 6.7 it only applies when Strict Order =
false.

7. Try Each was intended as "try each until success or options exhausted"
Do you think this needs a different name?

Best Regards,
Brendan


On Mon, Aug 8, 2022 at 1:23 PM Rønningstad, Øyvind <Oyvind.Ronningstad=
40nordicsemi.no@dmarc.ietf.org> wrote:

> Hi everyone, here is another list of questions, suggestions, and
> clarifications for the manifest.
>
>
>
>    - (I've mentioned this before, but can't recall that we have properly
>    discussed it) I feel the spec is missing a "write" directive for writing
>    very small values (e.g. 32-bit configuration values). The only way to do
>    this now would be to add the 4 bytes as a payload (possibly integrated),
>    and have a digest check in the manifest followed by a copy. This is
>    obviously a lot of wasted bytes and cycles. Can we add a
>    suit-directive-write directive with a bstr argument that will be written
>    directly to the current component?
>    - I think the envelope should have a suit-envelope-version analogous
>    to suit-manifest-version, since it is the top-level type, and therefore
>    needs to be correctly decoded before the suit-manifest-version can be
>    checked.
>    - In Table 1 "run" is described as "run(current)" and "run sequence"
>    is described as "exec(arg)". I suggest renaming "run sequence" to "execute
>    sequence" in the whole document to avoid confusing the two concepts (which
>    are quite different). Another source of confusion is that "the run
>    sequence" can apply to the "run" command sequence in the manifest.
>    - I suggest renaming "common sequence" to "shared sequence" since it
>    is less similar-sounding to "command sequence", and arguably slightly more
>    descriptive.
>    - Is "false" a valid value for IndexArg (6.5 seems to imply no)? If
>    not, the CDDL should be changed from "IndexArg /= bool" to "IndexArg /=
>    true".
>    - 6.7 (The section on parallell processing) states "To isolate each
>    sequence from each other sequence, each sequence MUST begin with a Set
>    Component Index directive with the following exception: when the index is
>    either True or an array of indices, the Set Component Index is implied. Any
>    further Set Component Index directives MUST cause an Abort". Does this
>    restriction on Set Component Index inside Run Sequence always apply, or
>    only when Strict Order is False in the surrounding context?
>    - In directive-try-each, if one sequence succeeds, should the try-each
>    end, or should all sequences in the try-each be executed regardless?
>
>
>
> BR, Øyvind
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit
>

v2.23.0 | Report a Bug | By Email