Re: [Suit] draft-ietf-suit-architecture-01
David Brown <david.brown@linaro.org> Fri, 13 July 2018 15:46 UTC
Return-Path: <david.brown@linaro.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8009C130E5B for <suit@ietfa.amsl.com>; Fri, 13 Jul 2018 08:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=linaro.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YzvMA9jgF3W for <suit@ietfa.amsl.com>; Fri, 13 Jul 2018 08:46:54 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8821D130F07 for <suit@ietf.org>; Fri, 13 Jul 2018 08:46:54 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id 16-v6so12073896itl.5 for <suit@ietf.org>; Fri, 13 Jul 2018 08:46:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=OVGM64VGNwqLF2w5/SnQaCqtVMK/3SS2A8sfF7xJpQc=; b=gHBeViQUVhT3vxcSF43f3HA9EGcPLZCtly8+ydowB6dkRZPe67cEzWlNGZOYyNMuWo 0XaOFax7VMlUxD2Gxa6OzIhDXiOVCa8wEH+1ELz8X2g90vfRetCoJcJx9qlZOjGSUcva jEP+3jNH6ugflxRiCeAcyAs5guXHqpb0STB+c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=OVGM64VGNwqLF2w5/SnQaCqtVMK/3SS2A8sfF7xJpQc=; b=gs/cxjeAik9QnXYKoD/JMPA1MpTZYYPXlQYnPucT+Io9u9Y5iGz13avPLo0EsCe/Ef JK1e7QIJYQOm4oUf8VoTJJYj55vrxPbs3xWHnYN7yroopQqE713jbC+TbtM7yI7sAWJr P8FHpp2fo7Nbo28/+i9TgKIwUeZ2OTCId4IDCk3GxYRjo/e+K9kG69u+Mmwk+Xjs/8V7 clJiDbhQuwl9jYzfUtqX4E0sC6D753u/ynE7YF7yX0GhuQHOKquO/Kx/vfKTh7QsnDSZ ZgMtXM24DlfaWMtfZEOyIPZ3e48Atg7pqxbCkl6oZkUpydqHJWRi/yCR24bXe58i4wnD BC+g==
X-Gm-Message-State: AOUpUlGJbofZdknkgIII3hmHphQGeNbPoRPJpYkAHqBqQOxBWZ040Ejc O6FHmN1M9xGSNEzWgw5NDjx0kg==
X-Google-Smtp-Source: AAOMgpeZ4+V82h6WKfM4PHdzDYs2to8g+Rhb2z7Bu7CuJJWlaTQuRtPcDJTh4+oRFHacV2aPw52fFQ==
X-Received: by 2002:a24:2745:: with SMTP id g66-v6mr5212976ita.77.1531496813557; Fri, 13 Jul 2018 08:46:53 -0700 (PDT)
Received: from davidb.org ([2601:283:4300:987c:6245:cbff:fe6d:5400]) by smtp.gmail.com with ESMTPSA id x94-v6sm4146633ita.18.2018.07.13.08.46.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Jul 2018 08:46:52 -0700 (PDT)
Date: Fri, 13 Jul 2018 09:46:50 -0600
From: David Brown <david.brown@linaro.org>
To: Brendan Moran <Brendan.Moran@arm.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Denis <denis.ietf@free.fr>, "suit@ietf.org" <suit@ietf.org>
Message-ID: <20180713154650.GA27373@davidb.org>
References: <VI1PR0801MB2112A08944328EE625D4DE5CFA430@VI1PR0801MB2112.eurprd08.prod.outlook.com> <ec04d5da-0b76-f4d7-c548-e69579530856@free.fr> <VI1PR0801MB21127B3F43736CA592FD52B5FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CD3C4129-5F07-406A-B688-ECF773B4371C@linaro.org> <ABA348F9-735F-41DA-A57F-D43093455C00@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <ABA348F9-735F-41DA-A57F-D43093455C00@arm.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/rb8NbEhgEWmue8KFMPG8WjX6RB0>
Subject: Re: [Suit] draft-ietf-suit-architecture-01
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 15:47:03 -0000
On Thu, Jul 12, 2018 at 02:19:58PM +0000, Brendan Moran wrote: >I think there’s insufficiently precise language somewhere in the architecture >document. This is absolutely not the intent of the architecture. >Locally-initiated rollback is a necessary feature for guaranteeing the >reliability of a device. > >The specific threat we’re trying to defend against is: > > 1. Device X has firmware A. > 2. Firmware Authority releases firmware B > 3. Device X is updated to firmware B > 4. Malicious actor finds vulnerability in firmware A that is no longer present > in firmware B. > 5. Malicious actor reissues firmware A to device X > 6. Device X reverts to firmware A > 7. Malicious actor exploits device using firmware A. > >This means that it is dangerous to have any remote triggers for rollbacks >without strong guarantees of authenticity. I agree here. The problem I've encountered is when it comes to people implementing actual devices in the field, they ignore this security requirement, favoring the ability to easily trigger a revert. >I think this is actually an optimisation problem. Is the client smart enough to >look for a local copy of a resource before fetching it remotely? Does this need >to be addressed in the manifest directly? I haven’t seen a compelling argument >for that yet. Unfortunately, I think we're giving too much ability to the "client". At least originally, our charter was intended to include very resource-constrained devices. I'm going to write up a few more emails about some specifics, but I think we need to at least make it possible for the client to not be very smart. I think it would be better for the instructions to be more explicit, and maybe explicitly state something like "move firmware in slot 1 into slot 0". More likely, something like: 1. Verify slot one contains hash XXX. 2. Swap slot 1 and 0. But, let me write this up in a separate email. >Notwithstanding the above, the way to refer to a “built-in” image is to refer >to it by uri: [1]file:///, for example. I don’t think there’s a uri namespace >for numerically addressed storage (raw flash). I should note that URIs are >optional. That is intended for use when a device knows where to look for >updates without being told, and behaviour is implementation-defined. An >appropriate approach to a manifest that has no URI is to walk through available >sources of resources by cost, checking if they have the specified payload (by >hash). The lowest cost is the local storage, which would solve this problem, I >think. > >Does that address the problem? Remember, some of this decision has to be made on every boot, based on one or more manifests. Having to hash multiple firmware slots would not be ideal. David
- [Suit] draft-ietf-suit-architecture-01 Hannes Tschofenig
- Re: [Suit] draft-ietf-suit-architecture-01 Brendan Moran
- Re: [Suit] draft-ietf-suit-architecture-01 Denis
- Re: [Suit] draft-ietf-suit-architecture-01 Hannes Tschofenig
- Re: [Suit] draft-ietf-suit-architecture-01 David Brown
- Re: [Suit] draft-ietf-suit-architecture-01 Hannes Tschofenig
- Re: [Suit] draft-ietf-suit-architecture-01 Denis
- Re: [Suit] draft-ietf-suit-architecture-01 Brendan Moran
- Re: [Suit] draft-ietf-suit-architecture-01 David Brown
- Re: [Suit] draft-ietf-suit-architecture-01 Hannes Tschofenig
- Re: [Suit] draft-ietf-suit-architecture-01 Michael Richardson