[Suit] FW: Introducing draft-moran-suit-manifest-04

Rønningstad, Øyvind <Oyvind.Ronningstad@nordicsemi.no> Thu, 11 April 2019 15:03 UTC

Return-Path: <Oyvind.Ronningstad@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 2C6C01203A8 for <suit@ietfa.amsl.com>; Thu, 11 Apr 2019 08:03:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id saDNKfHwbCUi for <suit@ietfa.amsl.com>; Thu, 11 Apr 2019 08:03:14 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30062.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B44A412038D for <suit@ietf.org>; Thu, 11 Apr 2019 08:03:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector1-nordicsemi-no; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9h4DND+cCwJYHVTdGIkrUM+1jHWmy4GXVW71JxumvRw=; b=GzGBdR0/dzECEt2w/2zw9+r/ZU3uxBVmPZ7y9X+zvIsXU7v/EKSNzkinbyF+Yz9Y5eXl62cD1IBhokDAD3hclbsSF3u3BpE5qGdFyI7GEqZTx3GldcnzR2I3t/M7ttkxYA+nR/yM64pB2ZIkgDN31fuHrHGBuh70RqL/no8BVoU=
Received: from HE1PR05MB3228.eurprd05.prod.outlook.com ( by HE1PR05MB3131.eurprd05.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.21; Thu, 11 Apr 2019 15:02:57 +0000
Received: from HE1PR05MB3228.eurprd05.prod.outlook.com ([fe80::d913:f7c4:f82:e58e]) by HE1PR05MB3228.eurprd05.prod.outlook.com ([fe80::d913:f7c4:f82:e58e%4]) with mapi id 15.20.1771.021; Thu, 11 Apr 2019 15:02:57 +0000
From: =?iso-8859-1?Q?R=F8nningstad=2C_=D8yvind?= <Oyvind.Ronningstad@nordicsemi.no>
To: Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
CC: =?iso-8859-1?Q?Kvamtr=F8=2C_Frank_Audun?= <frank.kvamtro@nordicsemi.no>
Thread-Topic: Introducing draft-moran-suit-manifest-04
Thread-Index: AQHU2L81dzELNCQKcEaCHfQ8cPehA6Y2x2+wgABw2OA=
Date: Thu, 11 Apr 2019 15:02:57 +0000
Message-ID: <HE1PR05MB32285EE3C40D73345D217935882F0@HE1PR05MB3228.eurprd05.prod.outlook.com>
References: <16EC7DB9-1649-4A86-A370-F77CB03305AC@arm.com> <HE1PR05MB32285B66AB7015921D83F852882F0@HE1PR05MB3228.eurprd05.prod.outlook.com>
In-Reply-To: <HE1PR05MB32285B66AB7015921D83F852882F0@HE1PR05MB3228.eurprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Oyvind.Ronningstad@nordicsemi.no;
x-originating-ip: [2001:8c0:5140:12:b5e7:e1e6:a6e9:8320]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4eac77f4-ed4b-4556-9bf9-08d6be8ec889
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:HE1PR05MB3131;
x-ms-traffictypediagnostic: HE1PR05MB3131:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR05MB3131A23BEC1A65781E745AFE882F0@HE1PR05MB3131.eurprd05.prod.outlook.com>
x-forefront-prvs: 00046D390F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39850400004)(396003)(346002)(136003)(366004)(199004)(189003)(13464003)(40434004)(33656002)(966005)(106356001)(5024004)(229853002)(53546011)(305945005)(68736007)(186003)(8936002)(478600001)(6506007)(11346002)(25786009)(2940100002)(105586002)(446003)(256004)(107886003)(99286004)(14454004)(93156006)(2501003)(72206003)(476003)(14444005)(74482002)(46003)(8676002)(7696005)(9686003)(6436002)(52536014)(102836004)(7736002)(2473003)(76176011)(74316002)(110136005)(5660300002)(4326008)(71190400001)(2906002)(71200400001)(53936002)(486006)(97736004)(86362001)(81166006)(6116002)(81156014)(45776006)(316002)(55016002)(6306002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR05MB3131; H:HE1PR05MB3228.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nordicsemi.no does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 02k6MljjUeN3X/O0Eunp945Y+qh63qZ121c5nigEErXBip/rYaXBh+PewUDuD1F8+aVU1Q47bxSoRYzHZ1K3cYgjbUk06pK057IM64D1x/IFQilP9iLaJrEFitxJ9Sx7t/quZy5YW0PMdXvsg8iPGMitr4dLnRGNk8fQGF4d5AOZ5/ta6LfUBd6M+Y1yNkd9QyaNSAodOcVZMBDHUzRi+1yGGrks46WFbS1gteEYQDW8bBfeV6sq62qE7MV/KHjkg/jNoAPxk5PL2LovzFF/Lqu1GRZy2Tlz3+svbfXtzs+nibRHY1vu7YtuZ6ukqXXDcSQw6MUKtFSAxeAl0Tfu6sGFZgp8Zdvx017YwWUtSEdSnCysi0QPcPDy3ZUMF2T/QEiW5qdfhJTcWUjBUwH33/caYY3OzC2V0RkG4zpxC/A=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-Network-Message-Id: 4eac77f4-ed4b-4556-9bf9-08d6be8ec889
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Apr 2019 15:02:57.7548 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR05MB3131
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/QUFySNeMO-Xcx4TzXiRFzT-rsrc>
Subject: [Suit] FW: Introducing draft-moran-suit-manifest-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 15:03:19 -0000

I did a full pass through the document today, and wrote down (quite a few) comments, see below. I think this document is very exciting!

- Øyvind

The digest-algorithm-ids list is missing the following SHA-2 family functions:
 - SHA224
 - SHA512/224
 - SHA512/256
Also, the functions that are truncated to 128 and fewer bits will not be secure against brute-force attacks, so I question their inclusion here.

The requirement that all manifests must have a sequence number higher than their dependencies might be inconvenient when dependencies are validated by version ranges, since a dependency might be updated to something that is created after the root manifest, but still fulfills the check. Comparing sequence number dependency<->dependent might be superfluous, since the dependency is already referenced quite specifically in other ways. Alternatively, the requirement can be valid only up to and including installation.
Also, the text should probably mention that if a manifest is replaced by an update, the new manifest must have a higher sequence number.

What directives/conditions can apply to components in suit-dependency-components? I don't quite understand the purpose of the suit-dependency-components list.

I read it many times now, but I don't really understand the last paragraph of "8.4.  SUIT_Component". Can you elaborate on the assumptions? How are the values dependent on installation offset? Who updates the parameters to match what? What does "defining a component" mean?

I might have missed something, but can you elaborate on how scoping of parameters work, specifically when are they unset? For example Encryption Info, does it become unset after being used once? Which parameters are inherited into a Run_Sequence or Process_Dependency? Does a Set_Component_Index/Set_Manifest_Index effectively unset all parameters that have scope "Component"/"Dependency". How does scoping affect parallell processing (how to keep track of the value of a parameter for a given Directive/Conditition if they are executed out of order)?	

SUIT_Unpack_Algorithm_Delta should be split into individual IDs for algorithms like SUIT_Unpack_Algorithm_VCDIFF.

I think there's a quirk with the versions where comparisons can be subverted. If you have a dependency on version 1.x of something, it's hard (impossible in the general sense) to express those bounds with the greater/lesser comparisons. This is because there is no well-defined highest or lowest version with a given prefix such as "1." (unless the version list has bounded length).  If you have a bound on the length of the version list, you could express the upper bound e.g. as "Lesser or equal than 1.INTMAX.INTMAX..." etc. which isn't very pretty. Can we find some better way? I'm assuming 1.1 is equivalent (equal) to 1.1.0 etc.

If SUIT_Directive_Set_Component_Index is set to ALL components, is the order in which it applies to the components well-defined? Same question for SUIT_Directive_Set_Manifest_Index. 

Can you give an example of providing an argument to SUIT_Directive_Fetch?

The CDDL for Condition, Directive and Parameters should have the name as part of the CDDL (i.e. as a label/type, not a comment) to make it more amenable to machine parsing.

*The rest is nitpicking*

The SUIT_Manifest CDDL references Digest instead of SUIT_Digest.

Should suit-install be MANDATORY if suit-payload-fetch is present?

I suggest being more specific about suit-validate. Something to the effect of: "suit-validate is a SUIT_Command_Sequence to execute in order to validate that the result of applying the update (i.e. the state of the device after suit-install) is correct."

When forwarding a dependency to a component that is capable of parsing its own manifests, the dependency manifest might not be SUIT-formatted, so it should not need to be interpreted. This could be elaborated on in the text.

This sentence should probably be fixed (typo etc.): "It consists of three elemnts: the component identifier that represents a component that will be affected by this manifest."

Can a SUIT_Component_Reference refer to a component in a dependency of a dependency?

For readability, I suggest placing the "name" column (of the manifest parameters table) further to the left.

Can you elaborate on the "Skip" flag for parameters? Even just mentioning that it is TBD.

This could be more specific: "This index is a numeric index into the component ID tables defined at the beginning of the document."

SUIT_Directive_Set_Parameter_State_Append is not mentioned in the table.

Should "dependent-components" be "dependency-components" instead?

For the sake of completeness: In "Access Control Lists" I envision another situation, where ACL is implemented as a function that e.g. takes the Component ID and returns the identities that can manipulate it. This is for when Component IDs can alias each other, or the component ID contains a flash address, so it doesn't make sense to store every conceivable component ID in a list.

The names in the example in "Creating conditional sequences" don't look right, are they outdated?

An example with dependencies would of course be useful.

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
Sent: Tuesday, March 12, 2019 11:35
To: suit@ietf.org
Subject: [Suit] Introducing draft-moran-suit-manifest-04

draft-moran-suit-manifest-04 has now been published.


This draft is the result of combining the information model in draft-moran-suit-behavioural-manifests-00 (the 01 version fixes example formatting only) with that in draft-ietf-suit-information-model, then serialising the result in CBOR. This is a significant departure from previous drafts. It attempts to preserve flexibility, fully define the behaviour of recipient, simplify the manifest structure, reduce code-size of the recipient, and reduce the size of the manifest. This ambitious set of goals required a significant change in approach as compared to draft-moran-suit-manifest-03 and before. In order to outline the approach clearly, we have separately published draft-moran-suit-behavioural-manifests-00. draft-moran-suit-manifest-04 focuses more on the serialisation of the manifest.

I look forward to discussing this draft in more detail.

Best Regards,
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

Suit mailing list