IETF Logo Mail Archive

Re: [Suit] Introducing draft-moran-suit-manifest-04

Brendan Moran <Brendan.Moran@arm.com> Thu, 21 March 2019 16:31 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7DE1313D5 for <suit@ietfa.amsl.com>; Thu, 21 Mar 2019 09:31:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYFVpKdC7ULM for <suit@ietfa.amsl.com>; Thu, 21 Mar 2019 09:30:57 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40046.outbound.protection.outlook.com [40.107.4.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3F0D131403 for <suit@ietf.org>; Thu, 21 Mar 2019 09:30:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=T3BGzkb0rzGIpiC1Qh92wNDNwOiFIUMEg9hbCB5SJe4=; b=q2uaJsZmBn1iqs8x/Y5eKzx5iqXh4I5/qMbe09+AdPS9vy0zaJ5vCu/VJknpA8IxsJlmItDRIZymrzSh3RJspr2QKYjmGB/DPHNP0wldnmlI1+ToRDhU3XnFTncbTirPZZZgssTF7rH05gyqZmduXrGfIoiw65eSAQCQGYdDRCk=
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com (10.168.84.137) by DB6PR0801MB2119.eurprd08.prod.outlook.com (10.169.223.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.16; Thu, 21 Mar 2019 16:30:54 +0000
Received: from DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::180:d5be:c56c:c222]) by DB6PR0801MB1879.eurprd08.prod.outlook.com ([fe80::180:d5be:c56c:c222%4]) with mapi id 15.20.1730.013; Thu, 21 Mar 2019 16:30:54 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: David Brown <david.brown@linaro.org>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] Introducing draft-moran-suit-manifest-04
Thread-Index: AQHU2L81a2mzuoq9DkiQC46t4fwGyKYM6E0AgAltG4A=
Date: Thu, 21 Mar 2019 16:30:53 +0000
Message-ID: <59F62162-578C-4975-A25B-EC261A7F4F7D@arm.com>
References: <16EC7DB9-1649-4A86-A370-F77CB03305AC@arm.com> <20190315163402.GA25574@davidb.org>
In-Reply-To: <20190315163402.GA25574@davidb.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.106.55]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9283eaaf-978e-4b40-50d3-08d6ae1a96ba
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:DB6PR0801MB2119;
x-ms-traffictypediagnostic: DB6PR0801MB2119:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DB6PR0801MB21194BF2CC77010A5F641CB2EA420@DB6PR0801MB2119.eurprd08.prod.outlook.com>
x-forefront-prvs: 0983EAD6B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(346002)(366004)(376002)(40434004)(189003)(199004)(256004)(2616005)(14444005)(5024004)(476003)(229853002)(105586002)(6486002)(6436002)(50226002)(106356001)(71190400001)(83716004)(71200400001)(57306001)(66066001)(6116002)(97736004)(3846002)(446003)(11346002)(486006)(186003)(5660300002)(102836004)(76176011)(53546011)(86362001)(6506007)(26005)(14454004)(305945005)(2906002)(99286004)(316002)(25786009)(36756003)(6306002)(6512007)(7736002)(53936002)(478600001)(8936002)(72206003)(966005)(33656002)(8676002)(81156014)(4326008)(68736007)(82746002)(6916009)(6246003)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0801MB2119; H:DB6PR0801MB1879.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: K1GSFKpjtQ3IaqLC37ilM6PNLJ0z5sfK0fuoemhH3sHGPQyVIPQdLmte/BSx1RlMr5q5mylbrKDJFzgg093Yz7luyRZhcCEEJgwUMtpx6aak8RtTSUaClIUHHk7o0ek4dzw+lOsWkzz01fV9yyEqDJNvscUqYnFmCU+z4jzktpi25a3wiI4oMJrPsYVooHzAGdlavCZgOPmcEpR7nuooND++54Mjk98k9eDqr9XYkqARu33lU+F02Bhc6Weo2b80fCF/5tRx7dE/liBWn+BfO1LJUcGR70j/lrhRL3H1xqXRs0I3PyVCWYUEIGelHhGI/udj+LUA/J3sEn11AUSsdJOiuJnAMxcT5CEtrcjhvlGAsvDuUT/s8ctWhUZjOLeefYsPnI/ItM/ZpYTH+bAOdaVhY0AB/NUbXNLTqpZ+fqk=
Content-Type: text/plain; charset="utf-8"
Content-ID: <D63E6F6E114DF04C834294A0D2D287C1@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9283eaaf-978e-4b40-50d3-08d6ae1a96ba
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2019 16:30:53.9708 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB2119
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/hWRnNTcchlWi_0VILHU2_qG6HHE>
Subject: Re: [Suit] Introducing draft-moran-suit-manifest-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 16:31:01 -0000

Hi David,
I believe that the current draft should be able to accommodate this use-case. A similar use-case was called out in the behavioural manifests draft that is referenced in draft-moran-suit-manifest-04: https://tools.ietf.org/html/draft-moran-suit-behavioural-manifest-01#page-20

The syntax is not identical to draft-moran-suit-manifest-04, since it was intended to describe the techniques, not the explicit encoding, but it should give an idea of how this would work. It may be that we are missing one command: swap. I’d be interested to hear if there is more desire to add “swap” as a solution to this problem.

Reboot resilience for “swap” is probably outside the scope of this draft.
Adding a condition to check the success marker might be useful.

Best Regards,
Brendan

> On 15 Mar 2019, at 16:34, David Brown <david.brown@linaro.org> wrote:
>
> On Tue, Mar 12, 2019 at 10:34:44AM +0000, Brendan Moran wrote:
>> draft-moran-suit-manifest-04 has now been published.
>>
>> https://tools.ietf.org/html/draft-moran-suit-manifest-04
>
> One point I wanted to bring up on-list was that this draft seems to
> have a bit of a bias toward devices that execute programs by copying
> them from flash to RAM and executing them out of RAM.
>
> Given the class of devices that we are targeting, I would suggest that
> this is actually fairly uncommon, and most of these types of devices
> will generally be set up to execute directly out of flash, so called
> XIP or eXecute In Place.  For these kinds of devices, the directives
> in the draft are a little bit of a mismatch with how upgrades happen
> on these kinds of devices.
>
> To clarify, I will explain how upgrades currently work for devices
> targeted by MCUboot (and by extension TF-M):
>
> - The flash is divided into a series of slots.  For a device with a
>   single process and image, it will be something like:
>
>   +------------+
>   | bootloader |
>   +------------+
>   | Primary    |
>   +------------+
>   | Secondary  |
>   +------------+
>   | Scratch    |
>   +------------+
>   | Storage    |
>   +------------+
>
>   For a multi-CPU/image device, there will be a pair of primary and
>   secondary slots.  To simplify, I will make this example just for a
>   single-image device.
>
> - For normal execution, the bootloader validates the image in the
>   "primary" slot, and if it is valid, jumps directly to its start
>   address within flash.
>
> - The download part of an upgrade happens while the application is
>   running, and this code is contained within the code currently
>   running in the primary image.  It downloads the upgrade into the
>   "secondary" slot.  This new code cannot execute at this address,
>   but is placed here as the image is downloaded.  The assumption is
>   that their isn't sufficient RAM to hold the entire image, and that
>   a download may be interrupted.
>
> - Once the application has finished downloading the new image, it
>   writes a special marker to the end of the "secondary" slot and
>   causes a reboot.
>
> - The bootloader detects this upgrade request in the secondary slot
>   and begins a series of steps:
>
>   - Verify the image in the secondary slot.
>
>   - Using the scratch area exchange the images in the primary and
>     secondary slot
>
>   - Verify the new primary slot.
>
>   - Jump to the new primary image
>
>   This is designed in such a way that it can resume after any
>   untimely interruption.
>
> - If the new image boots successfully, it writes a marker at the end
>   of the "primary" slot to indicate that the image is correct.
>   Otherwise, if the bootloader boots without seeing this marker, it
>   will exchange the primary and secondary images again to undo the
>   upgrade.
>
> Within either the primary or secondary slot, the image has a format
> similar to:
>
>   +------------+
>   | Header     |
>   +------------+
>   | Executable |
>   +------------+
>   | Manifest   |
>   +------------+
>
> there is no real separate place to store the manifest.  This does mean
> that during an upgrade the manifest for both the old and the new image
> are present in flash.
>
> I'm curious what thoughts people have on how to apply the draft 4
> manifest to the above scenario.  Operations such as "load" aren't
> really meaningful, but apply-image would certainly make sense.
> However, the installation of a new image is partially initiated by a
> different piece of code than the bootloader which is responsible for
> actually installing the image.  This state has to be managed carefully
> in a way that works with NOR flash, and therefore will probably live
> outside of the manifest.
>
> Thanks,
> David

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email