Re: [Suit] self-describing format vs fixed/binary manifest structure - boot vs update
Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> Fri, 21 December 2018 13:05 UTC
Return-Path: <frank.kvamtro@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28335124BAA for <suit@ietfa.amsl.com>; Fri, 21 Dec 2018 05:05:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.923
X-Spam-Level:
X-Spam-Status: No, score=-0.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LucUNWPgDbwq for <suit@ietfa.amsl.com>; Fri, 21 Dec 2018 05:05:37 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10044.outbound.protection.outlook.com [40.107.1.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195C412008A for <suit@ietf.org>; Fri, 21 Dec 2018 05:05:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector1-nordicsemi-no; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3nNPETmz6IwVzUVNitBVUQWgljQ/aBvhOMdZVmooLAU=; b=qRkUchLW6und/6Ro7a7XLg60orvYYEz7s4W3Q0ama291wJJiwf9+5S2s6TQD+d8fPo5ZkKYUes0M/QbusBao3iHiY2Fk/y86ivlmdWrF3fz+wX8o94mmSbAn6faIC/Am7fTYjU8dkv8dggDP1V9oH42i7LnAByd2Bj8PTCZUxOs=
Received: from AM6PR05MB5639.eurprd05.prod.outlook.com (20.178.86.88) by AM6PR05MB4933.eurprd05.prod.outlook.com (20.177.35.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.19; Fri, 21 Dec 2018 13:05:32 +0000
Received: from AM6PR05MB5639.eurprd05.prod.outlook.com ([fe80::2868:9ada:b4d2:ac9e]) by AM6PR05MB5639.eurprd05.prod.outlook.com ([fe80::2868:9ada:b4d2:ac9e%3]) with mapi id 15.20.1446.022; Fri, 21 Dec 2018 13:05:31 +0000
From: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
To: Martin Pagel <Martin.Pagel@microsoft.com>, Carsten Bormann <cabo@tzi.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "suit@ietf.org" <suit@ietf.org>, "dev-mcuboot@lists.runtime.co" <dev-mcuboot@lists.runtime.co>, "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
Thread-Topic: [Suit] self-describing format vs fixed/binary manifest structure - boot vs update
Thread-Index: AdSYAVK0JYVOCwHMSVi0tSz1gOtoCQBFgcYw
Date: Fri, 21 Dec 2018 13:05:31 +0000
Message-ID: <AM6PR05MB5639DE78C0D2662201966FDFFCB80@AM6PR05MB5639.eurprd05.prod.outlook.com>
References: <DM5PR21MB069876E14E173559142747CF9DBF0@DM5PR21MB0698.namprd21.prod.outlook.com>
In-Reply-To: <DM5PR21MB069876E14E173559142747CF9DBF0@DM5PR21MB0698.namprd21.prod.outlook.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=frank.kvamtro@nordicsemi.no;
x-originating-ip: [194.19.86.146]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM6PR05MB4933; 6:PVRsIc9J08cYe4+79IP+aOq8wCCYk6xPzr97Y98GBAvzwehiBPkCGmfNxmgBIuR+JvCH8ZqoDcc6xnPYQcITqo2bl+W5D/Rn/pna3ciW147RTBVz3mGhbnF0fIuOuvSJUvQsS1s+PXo5CBZeMdlLNIe/n6sXnqnnkzGwqmRog+3m2aErxyVZAI7X0iQB+7UbhkkWcGjaajb5/ICRB8trWHKu/FaIGcWRKIKvqARDNTmfAvs59SUR3TE2efuHoAOHvaERdB7i+OIdlxkLfU+YZH0PjehrvmI/R4mypkLRDO62iJWJiHsrUnlmKmrnAvqtnO+Ca1p8YEtEqj4LiJ+ii0tpqOJwKxk9cf7MBa77ups1XUFGLJw8+71OkeoTOFIwTjHguXTuQKsRAQjO9inYqNNXYg5UNjhwSKJo9ak6ZPD1+5trHljv1WCsZvrqHS0TN7LYkZ/tKyiMEXO6dJdAgw==; 5:hw567AXF47c9+7p7CYLqyfsor3vQdsLTpuxlk/BIz6BJPpvoeKxZNkSgVTxnrzWrgiTM6gjbutjmqAOHMbW28sJ9LiJghsvQFkhp8xDWfXGdR2W1Zuwln1N3ZOmsQx5TECCZaAzUtFrGuj0v5BVO7S0D61av55+I/b3mSzTqyz8=; 7:7NbknnW9HEiAzucdv5FvWry8FCbMamdIVh0jrqu8KfP5fof094Ng363JhfJ/vXoKRl8+Ww1GqtJhdjjumu1pd/mNTC2Xn5Cb1THS1jiUXL+XG6ckhham8gURg9/iXTvAf7MeB7qS9nYeSwTAVm6tJw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(979002)(39850400004)(376002)(136003)(346002)(396003)(366004)(13464003)(199004)(189003)(85644002)(51444003)(81166006)(81156014)(68736007)(45080400002)(8676002)(11346002)(446003)(53936002)(86362001)(478600001)(575784001)(486006)(55016002)(476003)(105586002)(6306002)(106356001)(25786009)(14444005)(256004)(74482002)(85182001)(1511001)(966005)(8936002)(14454004)(15650500001)(6116002)(3846002)(54906003)(99286004)(229853002)(561944003)(110136005)(107886003)(6436002)(33656002)(6246003)(316002)(66066001)(186003)(71190400001)(4326008)(97736004)(76176011)(9686003)(5660300001)(26005)(4744004)(53546011)(2906002)(71200400001)(7696005)(7736002)(74316002)(6506007)(102836004)(305945005)(53946003)(777600001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR05MB4933; H:AM6PR05MB5639.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: d881f7f0-17f9-4f3d-ffeb-08d66744fcdb
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:AM6PR05MB4933;
x-ms-traffictypediagnostic: AM6PR05MB4933:
x-microsoft-antispam-prvs: <AM6PR05MB493316CC2A84693C7D84642FFCB80@AM6PR05MB4933.eurprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(3231475)(944501520)(52105112)(10201501046)(3002001)(93006095)(93001095)(149066)(150057)(6041310)(20161123560045)(20161123558120)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:AM6PR05MB4933; BCL:0; PCL:0; RULEID:; SRVR:AM6PR05MB4933;
x-forefront-prvs: 0893636978
received-spf: None (protection.outlook.com: nordicsemi.no does not designate permitted sender hosts)
x-microsoft-antispam-message-info: yefOJGKJJpUQ8AYpd7w5si/YC9MOiUz57Rt12qnS4n9qHqgkQPV+uWSouXnIlEHupkz05iDnFqHOTqWCVbbiKIyQ4374u7cZEtNI32iqyE5tue7c7UkAzTCFDvyMzduwtmn3ojerAuUmibPn3OYFoBORxoHtRrNUL8/yMBvEksJlrbEMA5wQJ27sWYN9HBliDqYfn1szJHXz77i6dlVJQ4LAYYEo3BkngEjcyloQ/SdGF0Kw+gjNuIsnIKLEzY3hy+vPLY4uOAfepPLWDAC7tM1nGu3jJsDDaP7mYI4/JN7oems1X5tTuUATKuYv4WKI
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-Network-Message-Id: d881f7f0-17f9-4f3d-ffeb-08d66744fcdb
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2018 13:05:31.6026 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR05MB4933
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/A-71rj7fnYY8TEbESmXbWobU95A>
Subject: Re: [Suit] self-describing format vs fixed/binary manifest structure - boot vs update
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2018 13:05:41 -0000
Some comments and clarifications. > -----Original Message----- > From: Martin Pagel <Martin.Pagel@microsoft.com> > Sent: 20. desember 2018 02:37 > To: Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no>; Carsten Bormann > <cabo@tzi.org> > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; suit@ietf.org; dev- > mcuboot@lists.runtime.co > Subject: RE: [Suit] self-describing format vs fixed/binary manifest > structure - boot vs update > > Frank, > If I understand you correctly, you do support a packed binary encoding to > keep boot process lean but not as an update manifest. I believe there is an > advantage in using the same structure for both processes, in particular > constrained devices with a hardware crypto accelerator. Both processes would > benefit from lean implementation and shared code would further reduce > implementation and testing efforts. > No, this is not at all what I was saying. I don't recommend a packed binary format. A packed binary format is a security risk in my opinion. Far outweighing the benefits. What I do argue is that in IETF SUIT manifests, binary encoding of data can be used to let IETF SUIT manifests be agnostic to some parts of the overall firmware upgrade process. IETF SUIT doesn't need to know *all* the details. There is ample room to use the IETF SUIT manifest format to handle any data you need during the firmware upgrade process in an agnostic way. You just need to utilize the payload concept to transmit the data to the device as if it is a binary blob. An example where this may be necessary if your secure boot ROM code requires a specialized format of the data to be parsed during the boot. Having multiple formats is not discouraged in the IETF SUIT manifest description. Some implementers might be required to use this approach. Especially if you need to couple multiple heterogenous Firmware upgrade mechanisms. There are Security chips available in the market today requires the use of ASN.1 encoded certificates, public keys, signatures etc. IETF SUIT can handle that. It only needs to pass the data forward as a binary blob and rely on external parsing. If you look at modern schemes of doing secure architecture design in the embedded domain, like the GlobalPlatform or ARM Platform Security Architecture (PSA), you will find that the ruleset of said standards will base the security on the chip on specific rules of how to deal with for instance secure boot. What you will find is that the security is based on setting up a root-of-trust by ab immutable first-stage bootloader. This immutable boot-stage is required to be simple and to not contain any errors. You can't fix any errors in it as it is intended to reside in e.g. OTP ROM or emulated OTP in FLASH. This process must set up the root-of-trust using a public key validation or MAC calculation. My interpretation of said standards is that the metadata needed to set up this root-of-trust should be done using a standardized, interchangeable format, if you have an intention of certifying your design and implementation according to secure engineering guidelines. If the immutable first-stage bootloader is intended to be simple, then it begs the question of how complex the parser can be. I argue that you don't need to support the whole IETF SUIT manifest format to facilitate the basic operations of setting up an initial root-of-trust. The parser specific to this operation can be quite limited. It doesn't need to support all the features made available in the IETF SUIT, as the use-case of this parser should be limited to basic operations needed for the boot. I think it is worthwhile to allow for a simplified IETF SUIT format to handle the requirements of having an immutable first-stage bootloader. This format could be a subset of the whole manifest, and should be designed with its own use-cases isolated from the complete set of use-cases in the information model in the IETF SUIT. I think it is a bad idea to change the encoding just because you think "this is too big". In my opinion this is due to not looking at the real problem. The natural resolve of supporting a standardized security architecture like GlobalPlatform or PSA requirements for an immutable first-stage bootloader is to have multiple parsers in your firmware upgrade mechanism. The size of the parser in the immutable bootloader can be scaled down quite extensively. I have also alluded to the special case when you can't use IETF SUIT manifest data, e.g. when you are using an external security chip expects something else for the initial root-of-trust. IMO the resolve still stays the same - use multiple parsers according to the specific use-case. The first stage bootloader should be designed to parse something simple, while the parser in subsequent boot stages (e.g. a background firmware upgrade mechanism in your main application) can be much more complex. This goes to the scalability of the IETF SUIT manifest format. We should be able to handle all potential requirements, even the very constrained limited on FLASH or RAM. On the most constrained devices there is a threshold between how much security and how many features you are able to support. The problem of immutable boot vs full featured IETF SUIT manifest is the same as the case of wanting to support a very constrained device. You have to cut features, which the CDDL allows you to do. An immutable boot is a tiny subsystem of the IETF manifest format. And for the record. I have worked on and am still working with constrained devices. I have personally been part of making bootloaders and firmware upgrade mechanisms for tiny MSP430s, Cortex-M0, and small footprint Cortex-M3 and Cortex-M4 devices. An ASN.1 parser can be extremely small. The same would go for a CBOR formatted parser. ASN.1 and CBOR have the benefit of standardization, something that is alpha-omega when it comes to third-party certification. Standardization normally means that your serialization format and the implementations used to encode or parse it has gone through the proper security reviews to ensure the transmitted data isn't an attack surface. With regards Frank Audun Kvamtrø > https://tools.ietf.org/html/draft-pagel-suit-manifest-00 proposes such > structure. Yes, it does provide versioning to allow for future > expandability. > > Again, I could see that a CBOR based manifest could be converted (and > resigned) by the Update Server to generate such lean format and then made > available for the device to update itself as well as for boot validation. > Martin > > -----Original Message----- > From: Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> > Sent: Tuesday, December 18, 2018 8:58 AM > To: Martin Pagel <Martin.Pagel@microsoft.com>; Carsten Bormann > <cabo@tzi.org> > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; suit@ietf.org; dev- > mcuboot@lists.runtime.co > Subject: RE: [Suit] self-describing format vs fixed/binary manifest > structure > > I didn't have a specific e-mail to respond to with regards to the proposal > for using packed C structs, but the discussion has gone on for quite a while > and I don't believe it is very fruitful. I hear security experts have been > mentioned in previous threads, and I want to point out that this is a > logical fallacy called "argument from authority". If some security experts > want to comment on this, then please add them to this discussions so we can > discuss the issues first-hand. Or else the claims are difficult to argue > against. > The authors of this draft come from many different forums and I expect that > the IETF SUIT working group is packed with security experts. A base tenet of > this design process it to adhere to threat based analysis as well as using > sane standardized methods of cryptography and security. Packed C structs > raises a few flags for me, security wise. It is ad hoc, and I fail to see > that this approach can be certified to be secure. Especially since the > content will differ on many devices. > > Please note that I don’t intend to be unnecessarily negative. I've used > 18 of the 32 most known serialization formats (according to Wikipedia) > myself. > I've even done the error of writing two proprietary serialization formats. > The main reason for writing my own was either to be more efficient or to be > more secure. I now know that I was mostly succeeding with the efficiency > part. > For the most part I believe that we don't need another serialization format. > > I don't think that packed C structs is a valid approach in an IETF standard. > The formatting is not interoperable or interchangeable. I expect it to only > work on one device with one configuration, which is asking too little from a > firmware upgrade mechanism. I question the alleged security benefits that > has been alluded to in previous e-mails when using packed structs. Simpler > does not mean better, especially when you have to come up with a proprietary > system for versioning to handle interchangeability, and a custom > interoperability information format to ensure that the data isn't > misrepresented or misused. > > I want to note that I am not arguing against using multiple serialization > formats in context of a complex firmware upgrade mechanisms. This may be the > only way to support firmware upgrades for heterogenous systems that needs to > be upgraded in unison. We have discussed this in previous e-mail threads > covering payload encoding and NUMA/UMA architectures. I do take issue with > an intent to describe manifest data using a non-serializing serialization > format, without the exactness that I would expect when encoding and parsing > data sent over any medium. That includes support for versioning and optional > fields that can be skipped as well as a schema to understand how the data > should look to be valid. > > The method of having parts of the manifest data in a binary encoding instead > of using the full IETF SUIT manifest format may make sense in context of a > simplified boot validation. This is the case if you are reliant on an > external security chip that only supports one format of data (e.g. ASN.1). A > specialized boot validation process can even be encoded in a simpler > manifest format than the full IETF SUIT, to keep the boot validation parser > lean, and to ensure that there aren't any ways to hijack this sensible part > of the process > > > -----Original Message----- > > From: Suit <suit-bounces@ietf.org> On Behalf Of Martin Pagel > > Sent: 14. desember 2018 17:28 > > To: Carsten Bormann <cabo@tzi.org> > > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; suit@ietf.org; dev- > > mcuboot@lists.runtime.co > > Subject: Re: [Suit] self-describing format vs fixed/binary manifest > > structure > > > > Different MCUs support and need different image formats, crypto > > algorithms, keys, software components etc. The Update Server already > > needs to understand the capabilities and needs of the MCU it wants to > > update, there is no generic way to update any type of MCU. The > > question is how to transfer that MCU specific data to the MCU. Two > approaches have been proposed: > > 1. The Update Server generates a CBOR representation to pack the data > > and the MCU applies some type of CBOR parser to unpack it. > > 2. The Update Server generates a packed C struct the MCU can just > > load/map into memory. > > First I want to understand what an update server means is in this context. I > don't see its role clearly stated in the draft documents. Maybe this is > something that we need to be more explicit about in the architecture or in > the information model. I feel you are mixing a concept of manifest data > generation (with signing) and the role of hosting a firmware upgrade on a > server. The key reason I believe this to be the case is that you state that > the CBOR/packed C struct is server-generated. I think that this is not > possible if you want to support the multiple signer requirements as > described the information model use-cases, as well as the broad description > inside the architecture draft. > > There is a similar concept described in the architecture draft that has some > clearer restrictions in usage. This is the "firmware server" concept, which > is described as a server that holds the generated firmware images and > manifests en route to the device where they are to be applied (either > through push or pull). > > The use of the term update server to describe encoding mechanisms begs the > question on how to allow the device operator and the network operator to > authorize a firmware upgrade in a combined signing operation. If support for > multiple signers is needed, I assume the full firmware upgrade instructions > is either a combination of multiple manifests that are individually signed > or a manifest that has multiple signers. The key here is that the signed > material can't be altered or else it loses the signers authorization. This > makes an "update server" with generation capabilities difficult. Changing > the content on an intermediate server breaks the concept of multiple > authorities. > Limiting the capabilities of the firmware server to pure device management > tasks ensures good end-to-end security in the firmware upgrade process. > > Using a well-defined serialization format is beneficial to a firmware > server. > The firmware server can authenticate the content, e.g. by looking at "best > before" combined with signature validation to ensure the addition is not > part of a denial-of-service attack. It is also possible for the firmware > server to decode information about the vendor, class and device ID to ensure > the correct device gets the update (in a push scenario). This is data that > is described in the IETF SUIT manifest format, and if this is serialized > using a standardized format it becomes much more available for any > intermediary actor in the overall firmware upgrade process. > > Using a well-defined serialization format is also beneficial to multiple > signers, as parts of the content of the full firmware upgrade can be dealt > with remotely, protecting each signers private keys. It also has clear > interoperability benefits, as you only need to follow the standard to create > your part of the combined firmware upgrade instruction. > > Using a packed C struct approach removes these flexibilities. In some cases > it even demands an additional device management information outside of the > scope of what is defined in the IETF SUIT to facilitate the firmware > upgrade. > This is a very bad thing for the standard. I don't think you can even call > it a standard in that case... > > > > > Yes, the first approach might be a bit easier for the Update Server as > > it doesn't have to worry about byte alignment etc, but I would rather > > put the burden on the server rather than the MCU in particular if the > > MCU needs this data to boot. As the Update Server already needs to > > understand the target MCU, it might as well understand how to pack the > > data in a way the MCU can easily digest. If I would have to develop a > > tight boot ROM, I would favor the second approach. > > I whole-heartedly don't favor the second approach. It has been mentioned > before that here be dragons. Let me try to exemplify some dragons: > > -What kind of endianness have you compiled your data to be in this build? > -What are the actual type sizes you are compiling with? Can they change? > -What about alignment issues on the packed types? Will you know when you got > that wrong in a graceful manner or will you just hard-fault on unaligned > access? > -How large are the enum types in your compilation? Should you disallow enums > outright due to potential interoperability issues? > -What happens when you need to amend this format to conform to an issue you > have discovered? > -Is there a schema to conform to and how will you deal with optional > features? > > If these issues aren't addressed in the format of the data then usage could > very easily lead to undefined behavior and potential crashes. There is a > real risk of bricking a lot of devices if you get this wrong. And it can > come with a change of the compiler/linker or by setting one faulty define in > your build system. I believe the minor convenience of a RAM loaded RPC > format is quite easily overshadowed by how restrictive you need to be to > ensure that it doesn't lead to failures without any warnings. > > All compatibility and interoperability issues can be avoided by using a real > serialization format. For a list of alternatives, please look at the > following link: > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikiped > ia.org%2Fwiki%2FComparison_of_data_serialization_formats&data=02%7C01%7C > Martin.Pagel%40microsoft.com%7Ced6b7c5a58b3435c261b08d6650a016c%7C72f988bf86 > f141af91ab2d7cd011db47%7C1%7C1%7C636807490989019277&sdata=qaBP7Rs3ky5I27 > UVV42xbYuoyaB9kCMgSa4ow0O45nQ%3D&reserved=0 > > IETF SUIT has picked CBOR as the standard and I have no problem with that > (TM). > Depending on the complexity of the manifest format, it is fairly easy to > create a parser generator that uses the CDDL schema as input. > > If you want a fast binary encoder then you could look at > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcapnproto. > org%2F&data=02%7C01%7CMartin.Pagel%40microsoft.com%7Ced6b7c5a58b3435c261 > b08d6650a016c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C63680749098901927 > 7&sdata=3kK467sWHhzm0sggw9M20gvAe7IjqcfTN7pspuK2AmA%3D&reserved=0 > It has all you need. Like many other binary formats, It has not gone through > a full security review. But at least it addresses the interoperability and > interchangeability aspects. It is eons better than a simple packed C struct. > It even conforms to a schema, which is apt in case of having multiple > versions or differences in supported features. > > The rest of the e-mail has been skipped as it has some invalid formatting > with regards to who says what. > > With regards > Frank Audun