IETF Logo Mail Archive

Re: [Suit] Transactional updates

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 24 October 2017 14:44 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83DC313F800 for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 07:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQ6JHYna3PPR for <suit@ietfa.amsl.com>; Tue, 24 Oct 2017 07:44:17 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0073.outbound.protection.outlook.com [104.47.0.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF562138BDB for <suit@ietf.org>; Tue, 24 Oct 2017 07:44:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=E2fwEd6TX0W0EORrnCNeXv0TL7AB0wIRefsfFsqF8gE=; b=HutO4mD1Ag++XKkz+mrdoCO8vWb62HbUKwQE00rMDHKkdKojzEZaWeAAxMoT6BDrltw8NgU06IzX2prIXv8R7fCQ1pNouNOtxY0/ntudyESrEv0a3Y5i44E8t4c1oQmydad/nE036SJUY2sUCPnthm7oJqUxmBxj4LY1F2xD/mE=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Tue, 24 Oct 2017 14:44:13 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::403b:850e:c32c:fad6%13]) with mapi id 15.20.0178.004; Tue, 24 Oct 2017 14:44:13 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] Transactional updates
Thread-Index: AQHTTMxm72VqV5kScUuMbo0PhTEypqLzB3cQ
Date: Tue, 24 Oct 2017 14:44:13 +0000
Message-ID: <AM4PR0801MB2706F9611D2F99A89168AD36FA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <CAMm+Lwiik1m+rLVd6mvf5LgSxFO34fsGUZ0+gz6m6bj8kpNYuQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwiik1m+rLVd6mvf5LgSxFO34fsGUZ0+gz6m6bj8kpNYuQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.116.6]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB2706; 6:MjVrxbRAjSTCOMfi/FBinp8rOA/hZbZVeJqyJjCT4YR8yM/8yv2jar3oUa3kRoxfsLpdcKhR+8Ic/0aKO1O01nXPVnunj9aounMjh0oGKpUE35+SFlqE1b/phzUQ+9Y6sBGh9UC/CTITBFo0mpmHh0L6fOxg2XgzT2yt//d/gMC0XZbyhXHRCRsnjwloJ133T91o1nFPtanNmnk1QxDAI2UUBFVbFjoGoSiMzrMu/trXuz+yTvr7Pk+m3K2ahS3cCU0ArjpfcMwFsWgF1Ezz8NgCqLk5DZZAL9kJHPcQ4cXnkkORjNUq1lVTK+9y3RfEZ4pRr6K95q02Qi87/LcEFMpJo0twyc04QBNeUQZP1Wc=; 5:NqdC/dVNXxLKsjlFJOhzOnZDXC5GBtEva5Y+02Uu4z/+NeHgQuvDWEFWJtDlEEzfrQe6dn5nNH0PPVMlqSVZZ5Pd6Xji+aSn/aMa4DJAVz6ClSHoAVgoy3OXK8XKg5k/irU97Oxe2RCZQbJcoN7RCjPvJPj1HCoGHT1A+MOKZ7o=; 24:R5iDfSd9FrbSyefYgGOMMWZqfNRKcyNZx1S9tA909cpYytwyJVJEfx90KX8FiV1vKVPrGuByazsuus1XevUY6mzj/euI3vyX2bPAT1YFFlc=; 7:uu3HANbj/ZGbvZ09y8DxLmaEAjisrMYOhK2e4hc1PL3OAH9IM+wWhP9oqk8GZkPNL0CMWz+631DGllS3O0vQVBrpDf6U5Um3TQ6++CDk1AfA7MQgrnmLY7tYaIFWO5hFl2hutZOAOips/T/Azjv3eOMOOH78io80frBfAnNoln53F8iCzeWCkpuaQCDZRY0u3mYW+EXwIvSxVUOzXEIEAm1w78Z6CqXP6ERFZeWR/WgM1Jeus6CgGrQCeTZ8EY/K
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: b12ce7ff-2f2c-438d-4133-08d51aedb20e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:AM4PR0801MB2706;
x-ms-traffictypediagnostic: AM4PR0801MB2706:
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(275809806118684);
x-microsoft-antispam-prvs: <AM4PR0801MB27065E18121044B21AD7C67CFA470@AM4PR0801MB2706.eurprd08.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231020)(100000703101)(100105400095)(93006095)(93001095)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123560025)(20161123558100)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:AM4PR0801MB2706; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:AM4PR0801MB2706;
x-forefront-prvs: 047001DADA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39860400002)(376002)(346002)(13464003)(199003)(51914003)(189002)(40434004)(8676002)(101416001)(86362001)(7736002)(305945005)(97736004)(478600001)(25786009)(81166006)(81156014)(15650500001)(8936002)(68736007)(54356999)(76176999)(106356001)(50986999)(14454004)(105586002)(189998001)(6116002)(6246003)(7110500001)(7696004)(102836003)(55016002)(5660300001)(3846002)(99286003)(53376002)(33656002)(66066001)(2420400007)(6436002)(316002)(110136005)(53546010)(6306002)(2900100001)(9686003)(53936002)(3660700001)(3280700002)(229853002)(10710500007)(966005)(2950100002)(2906002)(72206003)(5890100001)(74316002)(2501003)(5250100002)(6506006); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB2706; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b12ce7ff-2f2c-438d-4133-08d51aedb20e
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2017 14:44:13.8705 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB2706
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/eEGrgX062SLEGixC5FwgsW-ThYY>
Subject: Re: [Suit] Transactional updates
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 14:44:21 -0000

Hi PHP

Thanks for the contribution.

I am trying to find out what problem you are primarily trying to solve.  You list lots of topics below. Let me start with one item where you write:

"I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous?"

Clearly, you cannot install software / firmware that has not been downloaded yet. You are not complaining about the slow transfer rate (although this might be a serious issue with many low power radio technologies). You aren't talking about differential updates or updates of individual libraries. Finally, you are not asking for a hitless update either.

I feel like I am reading that you want to write the downloaded code directly over the code that is being executed. That cannot be true either.

So, could you explain your first point in more detail?

Ciao
Hannes

-----Original Message-----
From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
Sent: 24 October 2017 15:31
To: suit@ietf.org
Subject: [Suit] Transactional updates

I don't know about you, but I am fed up of the time it takes for software updates on my desktop. First the update has to be downloaded and then it has to be installed. Why can't this be instantaneous?

What I would like is to download the software update and then tell the O/S to simply overlay the update on top of the file system as an atomic operation. So installing a software update takes a millisecond, no more.

Rolling back a software update is just a matter of telling the O/S to stop applying the overlay.

It seems to me that this sort of capability would be very useful at the device level as well. Even more so as the chief concern in any software update scheme is that you end up bricking a device. Building the ability to roll updates forwards and backwards is powerful.

I would also like this to be integrated into software signing and in an intelligent fashion so that the signature encompasses both the code and the data and it is possible to validate components independently.


There is of course going to be a cost and it is the need for storage.
The traditional file system organization is a response to highly constrained storage. I have not yet fully considered space optimizations because I have been thinking about the constrained device but I think my approach could be modified for a fairly constrained device. My approach is not going to be appropriate for your PIC controllers but it is definitely feasible at the Arduino level and above.

My approach is based on a Merkle Tree based container format. This may sound intimidating but it shouldn't be. I designed, documented and implemented the scheme in under a week:

https://tools.ietf.org/html/draft-hallambaker-jbcd-container-00

or in HTML with diagrams at

http://prismproof.org/Documents/draft-hallambaker-jbcd-container.html


The draft describes a container format that consists of a sequence of variable length chunks that has the property that the sequence can be traversed with equal efficiency in the forward and reverse directions.
This can optionally be indexed via a binary tree to allow random access to any frame in log(n) time. Chain and (Merkle) tree digests may be constructed which may be signed.

Each frame consists of a header and an optional payload. The payload may be encrypted and/or signed using JOSE. The only fixed requirement for the header encoding is that frame 0 has to have a header encoded in JSON (for interop). The code supports use of JSON, JSON-B, JSON-C and ASN.1 for header encoding, the container uses JSON-B frame encoding because it has to support the read in either direction property.

The original concept here was to provide an append only container format that could be used as the basis for synchronizing Mesh portal logs between nodes and also as an encryption format for end-to-end encrypted Web sites. Static content is straightforward, but people expect to be able to support applications like Web forums. The idea was to see if we could support a Web forum run on a cloud server that does not have the ability to read any of the content (yes).

The authentication scope is intentionally limited to the payloads, and the signature parameters. The headers are not authenticated which allows them to be mutable. A device may store the whole update as a single file or break it apart into attachments. The latter approach making garbage collection of unused attachments possible without a separate sweep/collect cycle.


I am not sure that the encryption capability is needed for software update but it might turn out to be useful allowing devices to be shipped with code for a wide range of applications and only enabling the specific modules required. I do not like devices to have more code than is necessary for their purpose. Authentication is obviously necessary.

The way I would see this applied to software update is that the device/desktop would download and verify the incremental updates as a background task (when bandwidth permits). It would then request user permission to apply the update (if required) and set a flag internally telling the loader to use the new version in place of the old. Any processes that needed to be restarted would be restarted.

This could be used to effect updates across multiple devices at the same time. It could also allow support for features such as testing the configuration and performing an automatic rollback if the test failed.


Besides providing a more secure process, this provides a better user experience.

The code required to support the container format is comparable to that required to implement a SHA-2 or the like. implementation in a TPM or such would be entirely feasible.

_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email