Re: [Suit] Introducing draft-moran-suit-manifest-04

David Brown <> Fri, 22 March 2019 17:39 UTC

Date: Fri, 22 Mar 2019 11:39:08 -0600
From: David Brown <>
To: Brendan Moran <>
Cc: "" <>

On Thu, Mar 21, 2019 at 04:30:53PM +0000, Brendan Moran wrote:

>Reboot resilience for “swap” is probably outside the scope of this draft.
>Adding a condition to check the success marker might be useful.

I'm not sure it really even makes sense to describe the reboot
resilience in the manifest.  At least for swap, it is a large number
of steps that have to be done carefully, along with a lot of extra
state that is written every step.  I would think this intermediate
state is beyond the scope of the manifest.

For those interested, I've thrown together a bit of an animation
describing how the swap operation works in MCUboot, including at least
part of its state.

I'm not actually sure it is even going to make very much sense for
MCUboot to follow steps in the manifest, rather than just verifying
that they are present.  The steps make sense for the download

Some of the modes I envision ultimately supporting in MCUboot:

  - swap: The current mode.  This is initiated by a "trailer" being
    written to the secondary image, and the bootloader verifying that
    the manifest is correct.  It might make sense for it to follow the
    "swap" instruction, but it would only look at this secondary
    manifest after being instructed to, out of band.

  - overwrite: The other current possible mode.  Also initiated by
    the "trailer" being written at the end of the second image, and
    the bootloader verifying that the manifest is correct.  The second
    image is copied to the primary image slot.  This is easier to make
    resilient, since the entire operation can be restarted.

  - Boot best: not implemented.  The upgrade would download an image
    in the slot that is not being used.  There would be two images
    built, one linked to each slot.

Right now, upon boot, MCUboot checks the manifest of the primary slot,
and will boot that image if it is valid.  Before this, it will check
the trailer of the second slot to see if an upgrade is requested, and
if so, check that manifest, and possibly swap/overwrite depending on
how it is built.

One difficulty I see following steps in the manifest is that the code
currently maintains state out-of-band from the manifest.  The current
state is:

  - copy done: indicates that a copy/swap has finished and the primary
    image can be checked (avoids having to check the secondary
    partition manifest on every boot).

  - image ok: after a new image boots, and decides it is functional,
    it writes this marker.  Without this marker being written, a
    subsequent reboot will cause the swap operation to be repeated to
    revert the image.

  - swap state: a series of markers to track the state of a swap, so
    that it can be resumed if necessary.

Any thoughts on what is appropriate to even represent in the manifest?
The two instructions that the bootloader would follow would be "swap"
or "apply" (depending on configuration), and "run".  Right now, we
distinguish swap vs copy by whether the new image contains the "image
ok" marker, but having two instructions could distinguish this as

There is some concern within the MCUboot community about semantic
differences between how the existing manifest is processed and how
SUIT will be processed.