Re: [Suit] intentional rollback of firmware

Dave Thaler <dthaler@microsoft.com> Wed, 11 December 2019 18:46 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "suit@ietf.org" <suit@ietf.org>
Date: Wed, 11 Dec 2019 18:46:27 +0000
Message-ID: <MWHPR21MB07843D8D21C1A01336E8EFEBA35A0@MWHPR21MB0784.namprd21.prod.outlook.com>
In-Reply-To: <19658.1576089434@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/pSwwf38nqYtBRDzBgGl3mX8MPBg>

https://tools.ietf.org/html/draft-ietf-suit-information-model-04#section-4.3.1 says:
>   Note: This is not a firmware version.  It is a manifest sequence
>   number.  A firmware version may be rolled back by creating a new
>   manifest for the old firmware version with a later sequence number.

The information model doc is referenced in several places in the architecture, but maybe it should be explicit that the threat model is covered in detail in the information model document.

Dave

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Wednesday, December 11, 2019 10:37 AM
To: suit@ietf.org
Subject: [Suit] intentional rollback of firmware


The SUIT Architecture is clear that we need to prevent rollback attacks.
    https://tools.ietf.org/html/draft-ietf-suit-architecture-08#section-3.4

and this is also mentioned in SUIT-manifest 5.1.  But I can't find any "hit-them-over-the-head" text in either Security Considerations explaining how a customer should do a planned back out of an upgrade.
(Specifically: a higher manifest sequence number pointing at an older firmware binary)

This implies that the customer/operator is able to produce signed manifests that the device is willing to trust.

This has come up in the context of firmware updates for OpenBMC.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
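The mechanism both messages above turn on (the information-model note that the sequence number is not a firmware version, and Michael's "higher manifest sequence number pointing at an older firmware binary") can be shown as a small device-side model. This is an added example, not code from the SUIT drafts, OpenBMC, or any poster; the manifest fields, the `Device`/`Manifest` classes, the firmware images and the signing key are all constructed for illustration, and the HMAC tag stands in for the COSE signature a real SUIT manifest carries.

```python
"""Model of SUIT manifest sequence-number handling: a replayed old manifest
(rollback attack) is refused, while an operator's planned rollback, which is a
NEW manifest with a HIGHER sequence number pointing at the OLD image, is accepted.

Added example, not code from the SUIT drafts or any implementation. The HMAC
tag is a stand-in for the COSE signature; images, keys and fields are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample firmware images and a constructed operator signing key.
FIRMWARE = {
    "1.0.0": b"firmware-image-v1",
    "1.1.0": b"firmware-image-v2",
}
OPERATOR_KEY = b"constructed-operator-signing-key"


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class Manifest:
    sequence_number: int      # manifest sequence number, NOT the firmware version
    firmware_version: str     # informational only; never used for rollback checks
    image_digest: str         # SHA-256 of the image this manifest installs
    tag: str = ""             # signature stand-in (HMAC over the other fields)

    def signed_bytes(self) -> bytes:
        body = {
            "sequence_number": self.sequence_number,
            "firmware_version": self.firmware_version,
            "image_digest": self.image_digest,
        }
        return json.dumps(body, sort_keys=True).encode()


def sign_manifest(key: bytes, seq: int, version: str) -> Manifest:
    """Operator side: sign a manifest for any image, old or new, under sequence `seq`."""
    unsigned = Manifest(seq, version, digest(FIRMWARE[version]))
    tag = hmac.new(key, unsigned.signed_bytes(), hashlib.sha256).hexdigest()
    return Manifest(seq, version, unsigned.image_digest, tag)


@dataclass
class Device:
    trusted_key: bytes
    highest_seq: int = 0               # persisted across updates; only ever increases
    running_version: Optional[str] = None

    def try_update(self, m: Manifest) -> str:
        """Return 'accepted' or a rejection reason; state changes only on accept."""
        expected = hmac.new(self.trusted_key, m.signed_bytes(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, m.tag):
            return "rejected: bad signature"
        # Rollback protection: the sequence number must be strictly newer than the
        # highest one already accepted. The firmware version is deliberately ignored.
        if m.sequence_number <= self.highest_seq:
            return f"rejected: sequence {m.sequence_number} not newer than {self.highest_seq}"
        image = FIRMWARE[m.firmware_version]
        if digest(image) != m.image_digest:
            return "rejected: image digest mismatch"
        self.highest_seq = m.sequence_number
        self.running_version = m.firmware_version
        return "accepted"


def scenario() -> list:
    """Upgrade, replay attack, planned rollback, post-rollback replay, forged manifest."""
    dev = Device(OPERATOR_KEY)
    m_v1 = sign_manifest(OPERATOR_KEY, 1, "1.0.0")
    m_v2 = sign_manifest(OPERATOR_KEY, 2, "1.1.0")
    results = []
    results.append(("install v1 seq=1", dev.try_update(m_v1), dev.running_version))
    results.append(("upgrade v2 seq=2", dev.try_update(m_v2), dev.running_version))
    # Rollback attack: replay the old but validly signed v1 manifest.
    results.append(("replay v1 seq=1", dev.try_update(m_v1), dev.running_version))
    # Planned rollback: the operator signs a NEW manifest (seq=3) for the OLD image.
    m_back = sign_manifest(OPERATOR_KEY, 3, "1.0.0")
    results.append(("planned rollback seq=3", dev.try_update(m_back), dev.running_version))
    # After the rollback the v2 manifest (seq=2) is itself stale and must be refused,
    # even though its firmware version is higher than what is now running.
    results.append(("replay v2 seq=2", dev.try_update(m_v2), dev.running_version))
    # A manifest signed under a key the device does not trust is refused regardless of seq.
    m_forged = sign_manifest(b"attacker-key", 4, "1.0.0")
    results.append(("forged seq=4", dev.try_update(m_forged), dev.running_version))
    return results


if __name__ == "__main__":
    for label, outcome, running in scenario():
        print(f"{label:28s} -> {outcome:45s} running={running}")
```

The two checks that matter are in `try_update`: signature first, then a strict `>` comparison of the sequence number against the persisted high-water mark; the firmware version string never enters the decision. That is what makes the replayed seq=1 manifest a rejected rollback attack and the freshly signed seq=3 manifest for the same image an accepted planned rollback, and it is also why, as Michael notes, the rollback only works if the operator holds a key the device already trusts. Note the side effect shown by the seq=2 replay: once the device has accepted seq=3, every earlier manifest is dead, so re-upgrading to 1.1.0 later needs yet another manifest with seq>=4.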