IETF Logo Mail Archive

Re: [Suit] manifest18 review

"Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no> Thu, 18 August 2022 14:10 UTC

Return-Path: <Oyvind.Ronningstad@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF183C14CE38 for <suit@ietfa.amsl.com>; Thu, 18 Aug 2022 07:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.006
X-Spam-Level:
X-Spam-Status: No, score=-2.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxNW25x2e5uV for <suit@ietfa.amsl.com>; Thu, 18 Aug 2022 07:10:48 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2086.outbound.protection.outlook.com [40.107.22.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84B21C157B41 for <suit@ietf.org>; Thu, 18 Aug 2022 07:10:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kUm8OsRL8NGfgStw1RDeQTAUACMTnrTq7iQ10WtUc2vQORyCDX3C/rEy3rcdgfyiBM21mLop7J0kYzDr9e2K5eFOXx3c7saJjpkPdakvj7ocZHtgxgrjyeC/TdO55yRKsgbp8CiYDLLAdk6qEXzHRQAEkfxv4YJyhg2BavP+YNvQzSzRrFWTII4BeZBVAowYGFXcZVy1aIS83i6g3i6CgnhPjvfM4UD7SNlo1bJVe0Ni+ykQdLa7J5080DZiH/lR9fZ87pmYNvKg9F6AIryj/ykkYJQyk8zk7XyMrj+LBL/eEylW6QWM0E+HveZu/kzAR+lTXDNl8tEU+GTuMzXqhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DPPrSgKjTkKpgD9kNdIsWHA/VeoQvP91YKBxpXIcINM=; b=BF4vBm2aUEIxHzIHMSuaM3/ZTIhKp1oLTS6jhmOU1FtQb6WBDzJ+asgOPiaRFNdtVPb7Juz2uQzjwBvvBa8uIiuNXI7fYlAkQ4DpUeGz2df+fGhVxbsFSJEtxkALo/lEvMBa/caELWXrQQu9hF91lZ22IvJPJ8kclm7Ef7maLmrDu8Fkf6Z/xIS7aKERMiOFJAnvL5npNivTEXvqrCaa1WY+4sljPwn1yCmQv4wgp5WHNIkJ23e8pUF0CUhPQqaqUjOPvhrjN9vU+rQjlCd3xJD0UQ8ivobNE09Ta/SHBfTzZJ5CJpl6Sab5bfUe0Ik1xL+Zyb5FVYK1Fwjyyij00A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nordicsemi.no; dmarc=pass action=none header.from=nordicsemi.no; dkim=pass header.d=nordicsemi.no; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.no; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DPPrSgKjTkKpgD9kNdIsWHA/VeoQvP91YKBxpXIcINM=; b=kYxViZN/89bAyk4Abd8mWWKG+TOFDr/zTPNlqjY6HjoDF7Wu9g/hSJJjhMxrJSCbzOQcv0WQBYj1U8gLV/Ir+NJliTbmVmDhQsgZV0+iDRjuW8aRdetEw+vwJzsG/cNPP4p25MlYGPdMg1CxukwG8sfjfegXKr6Srb9LCiLxRrQ=
Received: from AM9PR05MB7668.eurprd05.prod.outlook.com (2603:10a6:20b:2cc::13) by HE1PR0501MB2380.eurprd05.prod.outlook.com (2603:10a6:3:74::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5525.11; Thu, 18 Aug 2022 14:09:57 +0000
Received: from AM9PR05MB7668.eurprd05.prod.outlook.com ([fe80::7cf1:5655:1a54:6b74]) by AM9PR05MB7668.eurprd05.prod.outlook.com ([fe80::7cf1:5655:1a54:6b74%2]) with mapi id 15.20.5525.019; Thu, 18 Aug 2022 14:09:57 +0000
From: "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
To: Brendan Moran <brendan.moran.ietf@gmail.com>
CC: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] manifest18 review
Thread-Index: AdirHj1LlEQLPtoFTnSBRxEXcwCh+wCqnHKAAU+2KSA=
Date: Thu, 18 Aug 2022 14:09:57 +0000
Message-ID: <AM9PR05MB7668FF62A550E4F4CB914470886D9@AM9PR05MB7668.eurprd05.prod.outlook.com>
References: <AM9PR05MB7668A62C66CC7A2F2F86125E88639@AM9PR05MB7668.eurprd05.prod.outlook.com> <CAPmVn1M_2REwWkkmYnHcUhViDhryBrL5E9Fy7mGLSb2KAAdsxg@mail.gmail.com>
In-Reply-To: <CAPmVn1M_2REwWkkmYnHcUhViDhryBrL5E9Fy7mGLSb2KAAdsxg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nordicsemi.no;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d9a0757d-1b13-4798-39e6-08da81235503
x-ms-traffictypediagnostic: HE1PR0501MB2380:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ruO3WXNUbq1gRWieRNrNTOC6iI8Ey7U7d40R/ws9cw8db5PpNRBH0twI1VBBPhfsMeWkgLjrHcjXnWyKbdcq9nsw5rXhWAGhfmvAtxNHbXsFtXp+wuHTpAYbxoYpsnTxejN8dhwwDRExk2aJvIrE+IqHV38BmEk98QVjlC/O0GBg6MEklRjtjZDNakN1We3b1ALrkKPnJ5vbYwzckPZGEfRyV5k6dlrSZvPIuqlgUOGD6M/Qw6mlsX/GFamCnVXYRPQ5zZ/SJcNAo1+E+oVG5z15aBZV5rxDVgMgnwzVAo0D4I/JAlEIUTOFc7uZHcqpT8Lg/1/idYfJeURN4wVu8FmVB0RlLwKeMbKqkZ/U3LCMKf1pTllC3kgAe4B9/+c9og8jWPSyp6lSa0a3W9jgEtiOwYLXZYrxxoSzY+7AE6ywobu9n0gODRHFE99ewHDFVscCBTR91EZ2kjgu1Or0GQP46t+5MbF4dmD3YhZjUs2wFyN0h0EOyIHI7q06hEgONXnQyACGUERwfj3dE2o5u4PXjn+wAhDQABbm5x2G2MsYIjLlXN3DY7abfamw3jUjxBn6n5LP+tVCq74pZkRPBgftbS43o4Soc8HFLjVp0RP/H4MBaq8XHk2W5Xbyjmv49b0Dk7mzIimrB2WkiMnXOHnJyqOnILwMXdOx62uMfyoupE6xdwRFe1vyms6Vgu2Qei4/ZMBoDuhr5x9p3fGQ9s61ZV6QeTV95+UAJVGfMTYNlFWtjmh3Lw1jPCAEqaJwzQDhtelXPdOpWR1L/wc8KzwUOn5MRk3EyitSNyLEOdsW3S/XSKy5Atnq8n84Ntp2m2O8uQJA1f6GiWKMkDSI3g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM9PR05MB7668.eurprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(376002)(136003)(346002)(396003)(366004)(39850400004)(9686003)(41300700001)(478600001)(53546011)(83380400001)(71200400001)(6506007)(7696005)(86362001)(33656002)(166002)(38070700005)(186003)(66574015)(966005)(55016003)(8676002)(4326008)(66946007)(66476007)(66446008)(64756008)(6916009)(5660300002)(66556008)(316002)(122000001)(2906002)(52536014)(8936002)(76116006)(38100700002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZAwNvGxl4JEA3zTGkbUgwmHhraCOCN6BigiC6+u3tqidumPKTf7VsctjD57Fy3rsUmNtWf9gvTqos+JQtgsrL2S1yl/DTTMPsx+SX1GZNGfchOqHs53uFgr267geVwC7i5ObZsQuPIn1f+t7SAK/+WM4cRCoBEuUsRIfJH2LniQmR5WRJFgswXWBKuYnjIrXRXgMu0+cGSRD1s20YQnXxxkFD2d0VqBa0tz+hzm9lUyZ5nrdSXbmYBYyxs28pDP4QsVYXT7c2hmkY8BDYzAycB/+lL7a7M0iAhrdEqSnDvyg2GjNDadh5i08vM9fj7ZEeVXqYQtlE8qvlI/HYyqZqx4rjTHtfGqYllIs20d3j6EjHbkmk82jcyr64Y6+Sa+D6kf+at6dr2XWYfVyqvhbpj1aO9TkSG1yp1KS672g1BddO7tA6x0JnwYebs3+jMYfmAQYyeBH9pxoPbNyy5p3mFXzeLGiSPvrwg1q1IL+bdkrvxY99ocfICR1kjxor7wBCQGpkkM3kT1LDZQr4Zn9e3i/MuQ5i6ZISyo7v07u7S0kZEn4UHZGriRloLLvS5TLe1WMFK2Q1W5y6AlluOoU3Zwn4Xq/z0GjuoVpw8FsMmvon4TQtsN9ZbJKTooaoJYmlkTMn2RGB5OpQbO2UKuceBfEp3XUnDyC1Y9y5ilST13DI+mtQ3peVy06v2t0z0rD/6oJAlEcAibSC0l7+EWdym65B3IBCiBHD2bSNf4NgfCFVBP3LDiOZrgIpSq4ApYLGBj8UaoH5m6wiCILoNGDRxVp1NHnA7b8pzYq7lJlJ0mnNSjyK2zpnILW1Nfx7i8tfXyb4llg8lXp/UIa35+kDignN2HhNaYOgc3Naynb5a5T9Fbd1bcP8wZ/SYnniPCiNofNiPjSzVS6ZEZeKU7sU2d9Hh1quMiTbxlOkOFQI5u5NxdnQZXrZraqQyF6tToRBU//jS2DaSQ64fMy8Wj3TkklbJ9iESorxH29wZH8dLKebubC4v167uj4fOpnmqdG9YGi+zFgcdiTgwvGb2Y2z+7W6Hongk8i/vKpyB3ucFQYKA/qdYhOm4hF4JVyZ9xZoalwgeqRN1LPTnlac+kO17v1Pq4MDpYJ0ofMAKglCVNefF05Xh0JciReaOWpKQEbyv8IjBMjQ6iSS2dIUaILpkOxK/OdYxvhQCkjwxeD+hW4O8cZypv/DSB6nj5BQRcAGjNrZNsNZkm3Vn9M8sPEOCtkk+YXolz2Cojo1OhUT6D459yI25Qbd0rHK3WmpLlPt8zaN6+TUhRLbb85fG7GVFzUJBq84AiJKW6Kd0KFDthvb67I86SMI5T/rM4lAS8D69SJ5H+BmLOXt1vZSOTeXU2qdn280cCDv3/W1cjWq3GwlhRutg1qFUe3Wk4z+LXIrzIItK+s6xbEv/4eMaMsYywS+C213ejQcsKDcIedWYrAR95ecK4xEV/MyA458qATZxVZt4EcvISybqnbhVjPA0oK8CpQm6bTmWS5pNliMEzVIhh2ogBnSo1RnkKa6TbEZgzkZ9Wzih3AQfu+6Qj4TAMMPQdYQH6bJfgQxa5o30wsta+tTKM6s5gLpB8TmXXgCqejt/ObC9js0hOX7gEupdw8Nc9Q+QmpQ/s9yaHwZtk4lLehU4PI0M1KXy4SwLZyYFVUbfTGm5LiD/Bx96kXCA==
Content-Type: multipart/alternative; boundary="_000_AM9PR05MB7668FF62A550E4F4CB914470886D9AM9PR05MB7668eurp_"
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM9PR05MB7668.eurprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d9a0757d-1b13-4798-39e6-08da81235503
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2022 14:09:57.5990 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: txHYYxV734PM8v4YaHJDMgW2v/5ss9Ly94ZVIDRsfNoRt3thbsiQ+Uo/pPimz35GnmXFH6qL79yTe1T46Sf81XM9sxQpC5jTnk67eZ1YcptiwT95yOy/YI+/2kUAgaAO
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0501MB2380
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/6L0-FnWvUf5S9AuSJfz37Y1mYTg>
Subject: Re: [Suit] manifest18 review
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 14:10:54 -0000

Thanks Brendan. This mail went into my spam folder, otherwise I would reply sooner.


  1.  An alternative is something like a "content" parameter which is used by both the "write" directive, and a "check content" directive. If the content parameter is written during the shared sequence, it can e.g. be written and checked during installation, and then checked again during the "validate" sequence.
  2.  The tag does indeed do this, but the tag is strictly speaking optional. This is one of my pet peeves after having designed a few different custom serialization formats: Always include a version number first. IMO adding a version number with a '0' key at the very beginning is a relatively cheap way to save future headache, and have simpler resolution of versions. That's my two cents, I'll leave it up to you.
  3.  "invoke" is completely fine with me.
  4.  Did you have concerns about the shared command sequence not having the same name as the common block? IMO this isn't actually all bad, since common block vs common sequence is also a sort of collision between slightly different concepts. That said, I also wouldn't mind if you wanted to rename the common block to "shared block".
  5.
  6.  Thanks, IMO this should have a short note in the text.
  7.  No, it's fine, but should probably be clarified in the text.

Again, thank you,
Øyvind

From: Brendan Moran <brendan.moran.ietf@gmail.com>
Sent: Thursday, August 11, 2022 23:24
To: Rønningstad, Øyvind <Oyvind.Ronningstad@nordicsemi.no>
Cc: suit@ietf.org
Subject: Re: [Suit] manifest18 review

Hi Øyvind,

Thank you for your review. I have started working on making some of the changes you've suggested. I do have a few questions:

1. The write directive. I'm not fundamentally opposed to this directive, but I do have some questions about the intended behaviour. Primarily, I'm concerned about the verification of data written in this way.

- When a component is written with the write directive, how is the write checked to ensure that it was completed correctly?
- When using a SUIT manifest for secure boot, how is the component verified an expected value?

Obviously when a component is smaller than a digest, a direct comparison is a good option, but this is not a feature of the SUIT manifest. So then, how should we proceed? Do we need a new command for verifying small components against raw data that's present in the manifest?

What happens if the component is written in a severable section? Then the data is lost when that section is severed. Do we need a rule that raw data must not be placed in a severable section because it then becomes unverifiable?

2. The problem with an envelope version is that it can't be trusted because it is not part of the signed container. I'm not sure how much of a problem this is. We could add a version but I'm not sure what it would tell you that the tag doesn't. The only time that the tag would need to be changed is if we change the delegation mechanism, the authorisation object or the manifest *before* the version number (which is element 1). In other words, as long as we don't change the delegation or authentication block (which is just a digest followed by a list of COSE objects anyway) we should be fine? Is there a scenario I haven't considered?

3. You're right that the two meanings of run have a namespace collision. We have a few words to choose from: run, execute, invoke. We use "invoke" as a catch-all for secure boot and secure program launch already. What would you think of replacing run(current) with invoke(current)?

4. I'm fine, conceptually, with renaming "common sequence" to "shared sequence," but this does come with the side-effect that the common block will now contain a shared command sequence instead of a common command sequence. I don't think that this is an issue and I do see the problem with lexical scanning of "common sequence" versus "command sequence."

5. false is not a valid value for IndexArg in the CDDL. Internally, a parser may use false for the Component Index when a Dependency Index is set, but this has no effect on the CDDL. You're right, this should be uint/[+uint]/true

6. I think that the restriction in 6.7 it only applies when Strict Order = false.

7. Try Each was intended as "try each until success or options exhausted" Do you think this needs a different name?

Best Regards,
Brendan

On Mon, Aug 8, 2022 at 1:23 PM Rønningstad, Øyvind <Oyvind.Ronningstad=40nordicsemi.no@dmarc.ietf.org<mailto:40nordicsemi.no@dmarc.ietf.org>> wrote:
Hi everyone, here is another list of questions, suggestions, and clarifications for the manifest.


  *   (I've mentioned this before, but can't recall that we have properly discussed it) I feel the spec is missing a "write" directive for writing very small values (e.g. 32-bit configuration values). The only way to do this now would be to add the 4 bytes as a payload (possibly integrated), and have a digest check in the manifest followed by a copy. This is obviously a lot of wasted bytes and cycles. Can we add a suit-directive-write directive with a bstr argument that will be written directly to the current component?
  *   I think the envelope should have a suit-envelope-version analogous to suit-manifest-version, since it is the top-level type, and therefore needs to be correctly decoded before the suit-manifest-version can be checked.
  *   In Table 1 "run" is described as "run(current)" and "run sequence" is described as "exec(arg)". I suggest renaming "run sequence" to "execute sequence" in the whole document to avoid confusing the two concepts (which are quite different). Another source of confusion is that "the run sequence" can apply to the "run" command sequence in the manifest.
  *   I suggest renaming "common sequence" to "shared sequence" since it is less similar-sounding to "command sequence", and arguably slightly more descriptive.
  *   Is "false" a valid value for IndexArg (6.5 seems to imply no)? If not, the CDDL should be changed from "IndexArg /= bool" to "IndexArg /= true".
  *   6.7 (The section on parallell processing) states "To isolate each sequence from each other sequence, each sequence MUST begin with a Set Component Index directive with the following exception: when the index is either True or an array of indices, the Set Component Index is implied. Any further Set Component Index directives MUST cause an Abort". Does this restriction on Set Component Index inside Run Sequence always apply, or only when Strict Order is False in the surrounding context?
  *   In directive-try-each, if one sequence succeeds, should the try-each end, or should all sequences in the try-each be executed regardless?

BR, Øyvind
_______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsuit&data=05%7C01%7COyvind.Ronningstad%40nordicsemi.no%7C18de4c33b7dc4604728508da7bdfdcc3%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637958498806505111%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=zoWjfmStxEtNTIqz5eVfP6skW5iaIfu8FgxPnxlRg0c%3D&reserved=0>

v2.23.0 | Report a Bug | By Email