Re: [Suit] Transactional updates
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 24 October 2017 15:16 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A77B9138C11 for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 08:16:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bG1OX_668W8s for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 08:16:28 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7827E13D294 for <suit@ietf.org>; Tue, 24 Oct 2017 08:16:27 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id a132so37479103oih.11 for <suit@ietf.org>; Tue, 24 Oct 2017 08:16:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=DyvK4zLurDTqHoUN2QmK1GSrsYiLHmav93+JTEkWUU8=; b=riYKiyACJJt/A63IfOxx5xPCyTHhZ4YmhuQmfbPI4oo07H4Hn+hSKPDaoj1mNy/Tit q7cuzrS4UJhVyREU4kklXcCOYcNcI7WyUkk6jUKfRYN0uV2fnqz6f542KaBEONi0680R vgQIQsjq3jQtW1IqvDMf5RpuuDmFDNLMcrfXpz59/9ZBpvIUHGuJHpkDZfoC70l42arQ eNLYV2Kke8Mb3sKjJlhn4lU45c+vTKQjU92mu9Mr+l4DLW8fXIo9/7QI07Tim/cAVkzC 0vn78rdF/nw2sNyd69m3WIUYHJryAylNVVM4F4INg1GsoGDyH7Cr4CE5O3H93q7TWNJx rRVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=DyvK4zLurDTqHoUN2QmK1GSrsYiLHmav93+JTEkWUU8=; b=OWVIcx2Hd/Pdug6sEzPvhM3H69tHuNQHP1pgsyWRRNdhT2rdVh8T0L86nKPKXRNHPZ 2c9qlEjItoHVboPsu8oji2na8MosFA6qnvZiZGa1EkXrQaEnROGf64weYS7x4BQllvEv ROM7BWyND7nheFLqWu1ccMkVVrsi17b+bh3Je7LucJ6nPXT9uenHGNTVL0b7wwC3kLvz v9xOtcFGM6uI6AMN++O7I0CaRl38N5gltqHJ2eHZnm4LDw1uT5HnmuDHDHDKmt2otvVB hI2B+6pWbjmU85NQqE8Caf7Xw0uDv00DHu/S7G2rtQVkr3TOVsKudLDaWm0bPvK88iOh zNqg==
X-Gm-Message-State: AMCzsaVU2Gu/gO6gDxi6GIh6p4jOP6/TtzcDrTl/WYjOnRz7cijJ0Bjr uXcbKH1bGr+Omwx2K+u6EPviiFtG0EW/YRghAeo=
X-Google-Smtp-Source: ABhQp+T8xPpMvFy23Gwt9YuISQu+V/43nATXWvOvw6PrQVS95SxpAD/NBaynD9kMPtvlIXGr5738IGWQ3t9FS1mVlpc=
X-Received: by 10.157.29.231 with SMTP id w36mr10382444otw.162.1508858186477; Tue, 24 Oct 2017 08:16:26 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.80.42 with HTTP; Tue, 24 Oct 2017 08:16:25 -0700 (PDT)
In-Reply-To: <AM4PR0801MB2706F9611D2F99A89168AD36FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <CAMm+Lwiik1m+rLVd6mvf5LgSxFO34fsGUZ0+gz6m6bj8kpNYuQ@mail.gmail.com> <AM4PR0801MB2706F9611D2F99A89168AD36FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 24 Oct 2017 11:16:25 -0400
X-Google-Sender-Auth: GbVr7IqI-nd9uF8fp2s43ft5MsA
Message-ID: <CAMm+LwgiV6FtDv2z0MAPnwjkpfJ0X=FV1jKd+WvocFdz_T15KA@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "suit@ietf.org" <suit@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/cq4yHVEAsQH3AnHu6YlfYpFhcHE>
Subject: Re: [Suit] Transactional updates
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 15:16:30 -0000
On Tue, Oct 24, 2017 at 10:44 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote: > Hi PHP > > Thanks for the contribution. > > I am trying to find out what problem you are primarily trying to solve. You list lots of topics below. Let me start with one item where you write: > > "I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous?" > > Clearly, you cannot install software / firmware that has not been downloaded yet. You are not complaining about the slow transfer rate (although this might be a serious issue with many low power radio technologies). You aren't talking about differential updates or updates of individual libraries. Finally, you are not asking for a hitless update either. Lets look at the sequence of events 1) Download the software update 2) Unpack and write files to directories 3) Stop and restart processes or reboot. Each of these need to occur obviously and in many cases user permission is required at at least one point in the process. But the user experience for the desktop right now is: 1) Informed there is an update 2) Pestered into downloading the update, promised it will be applied automatically 3) Open machine to discover that the update could not be applied because software I don't care about was running. 4) Apply the update manually 5) Wait 15 minutes 6) Use machine. Another vendor has a different approach. I turn the machine on first thing in the morning and it tells me it needs to start applying updates. Neither of these approaches is going to be remotely acceptable for IoT because the whole point is to save time and you can't save time if you are giving people systems administration tasks. IoT is the harder use case with lower capability devices. It has to be possible for the process to take place automatically and transparently with the only input from the user (if any) being to authorize roll forward to the new software or to force a rollback to the old. So my preferred implementation would be 1) Detect and download update. This is done under prior user permission. 1a) Authenticate and validate. 2) Request user permission (if required, may be granted remotely) 3) Apply update atomically (may be scheduled) 4) Test (optional) Rollback if failed. > I feel like I am reading that you want to write the downloaded code directly over the code that is being executed. That cannot be true either. No. What I am saying is that the device acquires the updates and stores them somewhere. Then it compiles whatever local index is required to access them and switches from one index to the other as an atomic operation. We seem to be fixed in the 1970s notion of files in directories. This is merely an abstraction what we have in storage is a sequence of bits. If all we require is read access, we can store data in a zip file and read it as efficiently as if it was a set of separate files broken out on disk. We have to run the reader code on the constrained device of course. But file creation can take place on a real machine with real resources. > So, could you explain your first point in more detail? > > Ciao > Hannes > > -----Original Message----- > From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker > Sent: 24 October 2017 15:31 > To: suit@ietf.org > Subject: [Suit] Transactional updates > > I don't know about you, but I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous? > > What I would like is to download the software update and then tell the O/S to simply overlay the update on top of the file system as an atomic operation. So installing a software update takes a millisecond, no more. > > Rolling back a software update is just a matter of telling the O/S to stop applying the overlay. > > It seems to me that this sort of capability would be very useful at the device level as well. Even more so as the chief concern in any software update scheme is that you end up bricking a device. Building the ability to roll updates forwards and backwards is powerful. > > I would also like this to be integrated into software signing and in an intelligent fashion so that the signature encompasses both the code and the data and it is possible to validate components independently. > > > There is of course going to be a cost and it is the need for storage. > The traditional file system organization is a response to highly constrained storage. I have not yet fully considered space optimizations because I have been thinking about the constrained device but I think my approach could be modified for a fairly constrained device. My approach is not going to be appropriate for your PIC controllers but it is definitely feasible at the Arduino level and above. > > My approach is based on a Merkle Tree based container format. This may sound intimidating but it shouldn't be. I designed, documented and implemented the scheme in under a week: > > https://tools.ietf.org/html/draft-hallambaker-jbcd-container-00 > > or in HTML with diagrams at > > http://prismproof.org/Documents/draft-hallambaker-jbcd-container.html > > > The draft describes a container format that consists of a sequence of variable length chunks that has the property that the sequence can be traversed with equal efficiency in the forward and reverse directions. > This can optionally be indexed via a binary tree to allow random access to any frame in log(n) time. Chain and (Merkle) tree digests may be constructed which may be signed. > > Each frame consists of a header and an optional payload. The payload may be encrypted and/or signed using JOSE. The only fixed requirement for the header encoding is that frame 0 has to have a header encoded in JSON (for interop). The code supports use of JSON, JSON-B, JSON-C and ASN.1 for header encoding, the container uses JSON-B frame encoding because it has to support the read in either direction property. > > The original concept here was to provide an append only container format that could be used as the basis for synchronizing Mesh portal logs between nodes and also as an encryption format for end-to-end encrypted Web sites. Static content is straightforward, but people expect to be able to support applications like Web forums. The idea was to see if we could support a Web forum run on a cloud server that does not have the ability to read any of the content (yes). > > The authentication scope is intentionally limited to the payloads, and the signature parameters. The headers are not authenticated which allows them to be mutable. A device may store the whole update as a single file or break it apart into attachments. The latter approach making garbage collection of unused attachments possible without a separate sweep/collect cycle. > > > I am not sure that the encryption capability is needed for software update but it might turn out to be useful allowing devices to be shipped with code for a wide range of applications and only enabling the specific modules required. I do not like devices to have more code than is necessary for their purpose. Authentication is obviously necessary. > > The way I would see this applied to software update is that the device/desktop would download and verify the incremental updates as a background task (when bandwidth permits). It would then request user permission to apply the update (if required) and set a flag internally telling the loader to use the new version in place of the old. Any processes that needed to be restarted would be restarted. > > This could be used to effect updates across multiple devices at the same time. It could also allow support for features such as testing the configuration and performing an automatic rollback if the test failed. > > > Besides providing a more secure process, this provides a better user experience. > > The code required to support the container format is comparable to that required to implement a SHA-2 or the like. implementation in a TPM or such would be entirely feasible. > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://www.ietf.org/mailman/listinfo/suit > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig
- Re: [Suit] Transactional updates Phillip Hallam-Baker
- Re: [Suit] Transactional updates Hannes Tschofenig