Re: [Suit] Wording for integrated payload size

Brendan Moran <Brendan.Moran@arm.com> Mon, 20 January 2020 15:40 UTC

From: Brendan Moran <Brendan.Moran@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: suit <suit@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Date: Mon, 20 Jan 2020 15:40:02 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/mc4v_XkvdLtgyXA4FBbPyVDU9sE>
Subject: Re: [Suit] Wording for integrated payload size

I have now submitted version 05 of the information model, with the paragraph below included.

Best Regards,
Brendan

On 16 Jan 2020, at 15:32, Brendan Moran <Brendan.Moran@arm.com> wrote:

If there is no objection, I’d like to submit this paragraph in an update to the information model. I think this is the last outstanding element that needs to be cleared before this document can be accepted.

Best Regards,
Brendan

On 23 Dec 2019, at 11:07, Brendan Moran <Brendan.Moran@arm.com> wrote:

When I talk about holding memory invariant, I’m referring to another part of the information model. Specifically, REQ.SEC.MFST.CONST. I mistakenly used “invariant” rather than “immutable” in the snippet that I shared.

Is this version clearer?

Best Regards,
Brendan

When an integrated payload is provided, this increases the size of the manifest. Manifest size can cause several processing and storage concerns that require careful consideration. The payload can prevent the whole manifest from being contained in a single network packet, which can cause fragmentation and the loss of portions of the manifest in lossy networks. This causes the need for reassembly and retransmission logic. The manifest must be held immutable between verification and processing (see [REQ.SEC.MFST.CONST](#req-sec-mfst-const)), so a larger manifest will consume more memory with immutability guarantees, for example internal RAM or NVRAM, or external secure memory. If the manifest exceeds the available immutable memory, then it must be processed modularly, evaluating each of: delegation chains, the security container, and the actual manifest, which includes verifying the integrated payload. If the security model calls for downloading the manifest and validating it before storing to NVRAM in order to prevent wear to NVRAM and energy expenditure in NVRAM, then either increasing memory allocated to manifest storage or modular processing of the received manifest may be required. While the manifest has been organised to enable this type of processing, it creates additional complexity in the parser. If the manifest is stored in NVRAM prior to processing, the integrated payload may cause the manifest to exceed the available storage. Because the manifest is received prior to validation of applicability, authority, or correctness, integrated payloads cause the recipient to expend network bandwidth and energy that may not be required if the manifest is discarded and these costs vary with the size of the integrated payload.


On 17 Dec 2019, at 19:38, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

Brendan Moran <Brendan.Moran@arm.com> wrote:
I see why the use of RAM as a requirement is surprising. There are two
requirements here. I believe that one of them is required and one is
optional.

It is required that the manifest be held invariant between verification and
processing. This could mean storing in internal RAM or NVRAM, storing in a
secure external memory, etc.

I think that you are also attempting to defend against hardware attacks where
the contents of memory get changed mid-process.  That's not *explicitly*
stated in the text.

But, it's why you speak about internal RAM (vs RAM), and I guess "secure
external memory" means that it has some cryptographic checks not attackable
from outside the SoC.

Maybe the attempt to abstract the text is detracting from understanding?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-




IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit
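
The requirement discussed in this thread, that the manifest be held immutable between verification and processing and that it fit the memory reserved for that purpose, shown as an added sketch (not text from the draft and not code from any SUIT implementation). The HMAC stands in for the security container's signature check, and the 256-byte budget, the function names and the `between` hook that models memory changing mid-process are assumptions.

```python
import hashlib
import hmac

IMMUTABLE_BUDGET = 256         # assumed bytes of internal RAM reserved for the manifest
KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signature

class ManifestTooLarge(Exception):
    """Manifest exceeds immutable memory; modular processing would be needed."""

def seal(manifest: bytes) -> bytes:
    """Constructed authentication tag standing in for the security container."""
    return hmac.new(KEY, manifest, hashlib.sha256).digest()

def verify_then_process(shared_buf: bytearray, tag: bytes, between=None) -> bytes:
    """Snapshot into immutable storage, then verify and process only the snapshot."""
    if len(shared_buf) > IMMUTABLE_BUDGET:
        raise ManifestTooLarge(len(shared_buf))
    snapshot = bytes(shared_buf)       # immutable copy, models internal RAM
    if not hmac.compare_digest(seal(snapshot), tag):
        raise ValueError("authentication failed")
    if between:
        between(shared_buf)            # external memory changes after verification
    return snapshot                    # processing sees exactly the verified bytes

def verify_in_place(shared_buf: bytearray, tag: bytes, between=None) -> bytes:
    """Counter-example: verifies and processes the same mutable buffer."""
    if not hmac.compare_digest(seal(bytes(shared_buf)), tag):
        raise ValueError("authentication failed")
    if between:
        between(shared_buf)
    return bytes(shared_buf)           # may no longer match what was verified

def flip_first_byte(buf: bytearray) -> None:
    """Models a change to memory between verification and processing."""
    buf[0] ^= 0xFF

# Constructed samples: the second carries a large integrated payload.
SMALL = b"constructed-manifest:" + b"\x01" * 32
LARGE = b"constructed-manifest:" + b"\x01" * 1024

if __name__ == "__main__":
    print(verify_then_process(bytearray(SMALL), seal(SMALL), flip_first_byte) == SMALL)
    print(verify_in_place(bytearray(SMALL), seal(SMALL), flip_first_byte) == SMALL)
```
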
