IETF Logo Mail Archive

Re: [Suit] Improvements to draft-moran-suit-manifest-03

Amyas Phillips <amyas@ambotec.org> Mon, 11 February 2019 13:12 UTC

Return-Path: <amyas.phillips@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8574C130E8A for <suit@ietfa.amsl.com>; Mon, 11 Feb 2019 05:12:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X6g1wSz9XZer for <suit@ietfa.amsl.com>; Mon, 11 Feb 2019 05:12:13 -0800 (PST)
Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761F712E7C1 for <suit@ietf.org>; Mon, 11 Feb 2019 05:12:13 -0800 (PST)
Received: by mail-ed1-f45.google.com with SMTP id f2so717754edy.13 for <suit@ietf.org>; Mon, 11 Feb 2019 05:12:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lMkvOB6poykAiFiQrDFFu2c+Pl/BapY7hlmu5Bqn1vI=; b=X3MO3uBKYrpm1Z9PMGJb7Youz9MS0IobDgBX5C4Ivfkcy+aOX4Yg2Rp+P+3horUrRk sx4tWO5x0ZuX6rTrOxTDVNLzkP0O6y0rzUtUaAx76oHYpg5jLs7UvcvhGX8OmnLLvHhT 98WT9TL+qFVx+dJrp9htGKQ7MpAYrVncENq0fi9FiJ9DGKq720cffzbEcWB6H3IRp/Ot Z+rCpMTz+hCwGGj5perItXljypA6Qo32XvlwgA4oGCTL8RQW0Uys2CHpSecLmFXzxh8P 5O+cA20X4gai6nl/9bJGoF2l446DzQblCV1tKRcu+/c4zsdKKm7YiELsq7txyosaxtV9 WdsQ==
X-Gm-Message-State: AHQUAub0ezsiuw4QeUSGK0YJX47mt94WEQC73NHRLWEZx8W2ePneZqo4 B+AH0uGLSifRyVGHYfXjzpd+bD7UT9Y=
X-Google-Smtp-Source: AHgI3IYisczX+Xu7zkzS1XsnYaKadL27z1cFq5Mr2aJZO2+iUmq814CquH0AenbWzOdDALWGmKdG+Q==
X-Received: by 2002:a17:906:34c2:: with SMTP id h2mr7145128ejb.234.1549890731424; Mon, 11 Feb 2019 05:12:11 -0800 (PST)
Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com. [209.85.221.42]) by smtp.gmail.com with ESMTPSA id m3sm4811eja.11.2019.02.11.05.12.10 for <suit@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 05:12:10 -0800 (PST)
Received: by mail-wr1-f42.google.com with SMTP id q1so4646669wrp.7 for <suit@ietf.org>; Mon, 11 Feb 2019 05:12:10 -0800 (PST)
X-Received: by 2002:adf:fbc8:: with SMTP id d8mr26687536wrs.318.1549890730399; Mon, 11 Feb 2019 05:12:10 -0800 (PST)
MIME-Version: 1.0
References: <78FF2A20-1AF3-425F-B4BB-6F520E85DE46@arm.com>
In-Reply-To: <78FF2A20-1AF3-425F-B4BB-6F520E85DE46@arm.com>
From: Amyas Phillips <amyas@ambotec.org>
Date: Mon, 11 Feb 2019 13:11:58 +0000
X-Gmail-Original-Message-ID: <CAO6t1cj7qDNA3VnkbxiPQEm6P+o=mQALYVr+JMTvVXnvV_4vNQ@mail.gmail.com>
Message-ID: <CAO6t1cj7qDNA3VnkbxiPQEm6P+o=mQALYVr+JMTvVXnvV_4vNQ@mail.gmail.com>
To: Brendan Moran <Brendan.Moran@arm.com>
Cc: "suit@ietf.org" <suit@ietf.org>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Content-Type: multipart/alternative; boundary="0000000000006d203b05819e0ed0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/cdNfP2VYH6pc6DInoDf3OwAWsOI>
Subject: Re: [Suit] Improvements to draft-moran-suit-manifest-03
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2019 13:12:17 -0000

I have another use case for you Brendan:

A project wants to send its firmware images encrypted, and wants a trusted
boot process.

Faced with this, my first thought might be that I'm going to have the
bootloader validate the manifest.

What should we recommend?

I can see lots of ways of doing it:
1. Encrypt the firmware image, then create the manifest. Store the
encrypted firmware on the target device and on each start have the
bootloader validate the manifest and encrypted firmware, before decrypting
the firmware into a location from where it can be run. This is the model
more-or-less implied in the manifest specification. It works for devices
that can afford to decrypt the image to an executable location on each
start, e.g. execute-from-RAM devices.
2. Reverse the order of signing and encryption: first create the manifest,
then encrypt the firmware image. Have the receiving process on the device
decrypt the image and store the decrypt and the manifest in NVRAM for the
bootloader to validate. This saves devices from having to decrypt and
install the firmware image on each start. Receiving processes can
potentially also decrypt images into storage as they arrive, saving on
NVRAM. This approach is in effect a wrapper around SUIT.
3. Create a manifest for the bootloader's use and package it up with the
firmware. Encrypt this package as a new payload and mint another manifest
for the use of the retrieving process.  Have the retrieving process
assemble the package, validate it and then decrypt it into the appropriate
location for the bootloader.
4. Create a manifest for the bootloader's use. Encrypt the firmware image
and create a second manifest for the retrieving process's use, this time
including a dependency on the first manifest. Have the retrieving process
retrieve, validate, decrypt and install the firmware image. Have it also
retrieve and install the first manifest.
5. Relax the requirement for the bootloader to validate a manifest. Maybe
it doesn't really need to. I can't see any benefits to having a bootloader
validate manifests except that it seems tidier to use manifests for all our
validation needs. Instead of that simply sign the firmware image, in
whatever way the bootloader expects. Then encrypt the signed object and
ship it under a manifest. Have the receiving process validate it and
decrypt it into the appropriate location for the bootloader.
6. Rely on channel security for confidentiality. Relying on encrypted
channels nets you confidentiality without having to leave space on each
device to store encrypted images for validation. This may often be
acceptable but is against one of the SUIT design principles as I understand
them: channel-independence.   I think SUIT can recognise it as an option
but not rely on it for in-scope usecases.

My vote is for option 5.

Many thanks
Amyas Phillips







On Thu, 31 Jan 2019 at 13:27, Brendan Moran <Brendan.Moran@arm.com> wrote:

> Following IETF103, I have been collecting more use cases and user stories
> to influence the development of the manifest.
>
> Three points have become very clear:
>
> First, the processing tree is too complicated. There are many possible
> configurations that would never be used. There is plenty of room for error.
> In reality, the configurations that seem to be usable are all the
> combinations of these three operations:
> * decrypt
> * decompress
> * unpack (delta, relocate, hex, etc.)
>
> I have yet to find a use-case where these operations do not appear in this
> order, or where there is another operation that is missing from this list.
>
> That being the case, a processing tree, while very general-purpose is
> extra overhead that is not needed. With that in mind, I would like to
> propose changing the payload model back to something more conventional.
>
> The payload-installation-info structure contains information about
> * where to store the firmware image (install-component),
> * where to retrieve it (uris),
> * whether the firmware image is encrypted and with what algorithm
> (encrypt-info),
> * whether a compression algorithm has been applied to the firmware image
> and what algorithm has been used (compression-algorithm),
> * whether the image is a binary diff or requires relocation (unpack), and
> * an indication whether these fields may be overridden by an authorized
> party (allow-override).
>
> Here is a proposed CDDL snippet for draft-moran-suit-manifest-04:
>
> payload-installation-info = {
>    install-component => component-identifier,
>    ? allow-override => bool,
>    ? uris => uri-list,
>    ? encrypt-info => COSE_Encrypt0 / COSE_Encrypt,
>    ? compression-algorithm => compression-algorithm-ids,
>    ? unpack => [
>        unpack-algorithm : unpack-algorithm-ids, ; binary diff, or
> relocation, or binary-to-text algorithm identifier
>        ? unpack-arguments : bytes                 ; private config for the
> unpack algorithm selected
>    ]
> }
>
> This should be much easier to understand and implement.
>
>
> The second point is that regen-info is frequently misunderstood and
> misused. After some discussion with suit participants, it’s become clear
> that the regen-info block should be represented as a dedicated “digest
> algorithm” which solves the same problem as the regen-info block currently
> does. When incorporated with the changes recommended by Jim Schaad, the
> result is that we replace COSE_Digest with SUIT_Digest and we remove
> regen-info. Here is a CDDL snippet that represents SUIT_Digest:
>
> SUIT_Digest = [
>    digest-algorithm-id: int,
>    digest: bytes,
>    ? digest-extra-info: bytes
> ]
>
> Any needed regen-info can then be contained in the digest-extra-info
> section with an appropriate algorithm identifier.
>
>
> The third point of clarity is that we need to do some work in making the
> manifest easier to parse and process in a constrained environment. I don’t
> have a simple change to enable that, but we’re working on it.
>
> Best Regards,
> Brendan
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit
>

v2.23.0 | Report a Bug | By Email