Re: [Suit] [SUIT] [dev-mcuboot] IoT firmware update standardization efforts @ IETF
Brendan Moran <Brendan.Moran@arm.com> Tue, 31 October 2017 10:34 UTC
Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BC71139507 for <suit@ietfa.amsl.com>; Tue, 31 Oct 2017 03:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fg37ThpNuY8o for <suit@ietfa.amsl.com>; Tue, 31 Oct 2017 03:34:15 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00080.outbound.protection.outlook.com [40.107.0.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FD05139976 for <suit@ietf.org>; Tue, 31 Oct 2017 03:34:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=WLjt6sQ97cO6GbXxD15ZFrS1CrhG2HfLOnneQf4mcsw=; b=VoX1Jb7EMZouKOHi6oVTvfPKQNfOcnV6FCQEbMKZt5xDpzxBfNGyMHiHzyiBU1leLrjxdC1rS1XFI/VlWx0vE/mu83jeRlZwdvTV01lyJhTydjgyRTSWyPBWp1UK5NZxJYoK0eUdeC8eJ+a6zMZTvA1EWvAniUODi5FoCBsdR9U=
Received: from DB5PR08MB0615.eurprd08.prod.outlook.com (10.169.32.149) by DB5PR0801MB2711.eurprd08.prod.outlook.com (10.166.170.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Tue, 31 Oct 2017 10:34:11 +0000
Received: from DB5PR08MB0615.eurprd08.prod.outlook.com ([fe80::b123:af71:1ed2:1057]) by DB5PR08MB0615.eurprd08.prod.outlook.com ([fe80::b123:af71:1ed2:1057%14]) with mapi id 15.20.0178.012; Tue, 31 Oct 2017 10:34:11 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: David Brown <david.brown@linaro.org>
CC: "suit@ietf.org" <suit@ietf.org>, Emmanuel Baccelli <Emmanuel.Baccelli@inria.fr>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "housley@vigilsec.com" <housley@vigilsec.com>, "david.waltermire@nist.gov" <david.waltermire@nist.gov>, "dev-mcuboot@lists.runtime.co" <dev-mcuboot@lists.runtime.co>
Thread-Topic: [SUIT] [dev-mcuboot] IoT firmware update standardization efforts @ IETF
Thread-Index: AQHTUjPK41PRzYSFs0yOqtFQNH4bLA==
Date: Tue, 31 Oct 2017 10:34:11 +0000
Message-ID: <926C1018-1AF4-4757-AC09-03ABDEE42D37@arm.com>
References: <CANK0pbaZuh1kHc6CA=B_3Mr3i9vxeqf+UGtD9wGpZs9=OFAxaw@mail.gmail.com> <20171004173822.hqin7lrbjyhuwvc3@davidb.org>
In-Reply-To: <20171004173822.hqin7lrbjyhuwvc3@davidb.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3273)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.96.140]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB5PR0801MB2711; 6:Cr4jv96ZnNiZH/Hk3VvYEhN9OJp8fipfdVRCQJ7PprZcMzuvRP1v36/8RWSK8QbtbigIWiBmH2938j6aX3ZA/jmNc6reDlJcuh/+ZqhwI2/tDK6sqUilduPsItIEfT6qRppMIEpEboB3co8S9dJ9PIkpEO5Z977Fn+fOJsH518e/Vd/OA5+f0mR8+OU5/9ok3M+7axWVs8M9oKySWFbk3xwhOHdyVxKc0/Jwb8c9BnHxFX2G6h7Xw50TJu+DfJx8hIidlYDVf94EpVzNnjh+CazjuSo60hD2D9sRcwTAq/1v9bhX9x7BoFDvWjPg3rGICWn4fbVmpzhVQnhr109MVQ6NTWFvidbTq97MMiuxreU=; 5:iTkEbhx+Fr8F+P6JkS7RiLpW14IAne+C1Hp++19yCtCoOdxM3jD+F6h8kjz3XMB/UXnoUM4OiyXn/gkYG25yq6uMS5XoGGzPqVypQVv8X7UoD5c2vDiaQj8gGmt8ZS6W99CtHHlqK6DYIhaHSEgLynrunsMD4Ppoi6hfoJiPSUA=; 24:iU8jxgN6Hm6PaidDdebu282tAsF8RqR/3SJVH85PMGEvDAU/FBxQXjwbeT/4PnndgMRGy6R/ZiKXXKd2dk4ctX7egwjs6/G/0/A69HBV5sA=; 7:Vg1ePXy8191gGEuufX4yXoSaamUCvKe6ph5tI1rbDrfRRP8U22N3hO204QUNsvSIAyJMJmmrWtdbsjCaTZ/6Ng/jXTgAZhx5KZtVsSkVCcBElGQ6U5y3gDBT7wFNbFR/UuC0pFu4bZQhST3md6L4JpV9qWuDy5enpWIOZrHcTVadHRO4NiyBtqdBG89fW3vurMB6WGj/EegHOf2MTm718oVKGsjZqsR5p7bRu2UN0jgZJa4TMn835W0YewD8r7Z4
x-ms-exchange-antispam-srfa-diagnostics: SSOS;SSOR;
x-ms-office365-filtering-correlation-id: c7cbea3e-02f5-491d-20ef-08d5204aece3
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(2017052603199); SRVR:DB5PR0801MB2711;
x-ms-traffictypediagnostic: DB5PR0801MB2711:
x-exchange-antispam-report-test: UriScan:(192374486261705)(17755550239193);
x-microsoft-antispam-prvs: <DB5PR0801MB2711BC11007A688A4ACD1B61EA5E0@DB5PR0801MB2711.eurprd08.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(93006095)(93001095)(3231020)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DB5PR0801MB2711; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DB5PR0801MB2711;
x-forefront-prvs: 04772EA191
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(376002)(346002)(69234005)(189002)(40434004)(199003)(51914003)(24454002)(189998001)(8936002)(82746002)(86362001)(478600001)(8656006)(53546010)(36756003)(72206003)(97736004)(57306001)(8676002)(3660700001)(81156014)(966005)(3280700002)(4326008)(81166006)(305945005)(76176999)(2906002)(6436002)(83716003)(50226002)(105586002)(25786009)(7736002)(106356001)(14454004)(68736007)(6306002)(15650500001)(6486002)(345774005)(6246003)(53936002)(229853002)(99286003)(2950100002)(6512007)(316002)(33656002)(66066001)(54906003)(6506006)(6916009)(50986999)(5250100002)(5890100001)(101416001)(3846002)(5660300001)(6116002)(2900100001)(102836003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0801MB2711; H:DB5PR08MB0615.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <412324583A0EF742AE61024C316CE3EA@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c7cbea3e-02f5-491d-20ef-08d5204aece3
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2017 10:34:11.5988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0801MB2711
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/iA34Ef-zMzqvtXV9cK5anvf_bwE>
Subject: Re: [Suit] [SUIT] [dev-mcuboot] IoT firmware update standardization efforts @ IETF
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 10:34:18 -0000
Thank you for your comments. I think there are a few things that I can clear up. I don’t expect that much change is necessary to MCUboot in order to support the SUIT manifest & architecture. It looks like it’s already pretty much compatible. See below for more comments. Thanks, Brendan Moran > On 4 Oct 2017, at 18:38, David Brown <david.brown@linaro.org> wrote: > > On Fri, Sep 22, 2017 at 10:01:18AM +0200, Emmanuel Baccelli wrote: >> Dear MCUbooters >> >> I wanted to bring your attention to an effort starting at IETF to standardize >> some aspects fo firmware updates. >> >> I think it would be useful if some MCUboot/Zephyr/MyNewt could participate. >> >> The working group about to be created is called FUD [1]. >> There are a couple of initial drafts [2] and a mailing list [3] through which >> discussion happens, as usual for such efforts. >> >> FYI the next f2f meeting will be at IETF 100 [4]. > > Thanks for the information. I have joined the fud mailing list, and > intend to become involved. > > I work on MCUboot as well as on the Zephyr project. MCUboot address a > small part of the firmware update process, namely performing the > atomic operation of the actual final firmware upgrade. It also > supports additional features such as revert when an image is > determined to be nonfunctional. > > MCUboot original came from the Mynewt project, and is a part of their > update solution. The Zephyr project has not defined firmware update > beyond porting MCUboot to Zephyr. As such, what is being discussed at > FUD is very applicable. > > I'd also like to give a very short overview of MCUboot, since its > existing image formats may need to change to accomodate a CMS > formatted firmware package. I should clarify one element of the SUIT draft: SUIT comes in two parts: 1) a firmware update architecture, 2) a manifest format. The manifest format is for security in transport and at rest, and it provides the metadata that a target device needs in order to determine applicability and installation instructions. This does NOT mean that the manifest is necessarily what the boot loader should understand. We have been using HMAC to authenticate a much simpler metadata block for the boot loader to consume. This does not support a trusted boot story, since the boot loader must trust the update client. So, there are certain benefits to having the boot loader understand the manifest format, however it is not strictly necessary. > The primary design constraint behind MCUboot's image format is the > support for execute in place (XIP) MCU devices. Typically, these > devices begin executing from an address at a vector near the beginning > of flash. MCUboot is itself installed at the beginning of flash, and > expects both the runnable image and the upgrade image to occupy > partitions following this. > > The runnable application is modified from a standalone MCU application > in several ways: > > - It is linked at an address for the runnable partition (referred to > as Slot 0 in the MCUboot design documentation). > > - There is a small header at the beginning, with flags, a header > size field, and an image size field. This can be used to compute > the address of the end of the image. > > - After the image is a simple TLV-formatted encoding of a signature > over the header and the image. This is almost the same as the format that we have been using. The exception is the signature. We place the signature at the end of the metadata header, and include a hash of the firmware in the metadata header. This allows the boot loader to verify authenticity prior to validating integrity. In practice, I doubt there is significant behavioural difference between these two solutions. > In order to support a CMS formatted firmware image, MCUboot will need > to take one of several approaches. > > - The firmware package will be unwrapped outside of the context of > the bootloader. The content of the CMS payload would have the > header and TLV signature already on it. This would require no > modification to MCUboot, but may be difficult to implement in a > RAM-constrained device that does not have sufficient RAM to hold > the entire firmware package. > > - MCUboot could be modified to unpack the firmware package from the > upgrade partition when copying it to the runnable partition. This > would add complexity, as well as make MCUboot's current rollback > mechanisms more complex. Where encrypted images are used, we typically decrypt the image straight into the upgrade partition on the fly, so that the boot loader can be as simple as possible. That might make MCUboot’s rollback mechanism manageable in this scheme. > - The content inside of the firmware package could be designed to be > executable directly out of the firmware package. With DER > encoding, this will be somewhat complicated, as the length of the > preceding data in the firmware package contains encoded values > that depend on the length of the firmware package itself. There > are possible implementations, such as repeating the link and > package operation until a fixed point is reached. This last option is much less complex than it looks. Firmware is contained in the manifest by reference (hash and URI). This means that there is no requirement for the firmware to be related to the manifest in memory, so you can place the firmware wherever you want. We typically reserve a block at the beginning of an erase sector for metadata, followed by the firmware image, starting at the next vector-table aligned address. > I hope to be able to bring useful feedback based on our experience > with MCUboot and performing updates of this class of devices. > > Thanks, > David Brown > > _______________________________________________ > Fud mailing list > Fud@ietf.org > https://www.ietf.org/mailman/listinfo/fud IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- Re: [Fud] [dev-mcuboot] IoT firmware update stand… David Brown
- Re: [Suit] [SUIT] [dev-mcuboot] IoT firmware upda… Brendan Moran