Re: [Suit] HR Review: Firmware Update Architecture for IoT Devices
David Brown <david.brown@linaro.org> Wed, 11 July 2018 23:50 UTC
Return-Path: <david.brown@linaro.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAF1B130E73 for <suit@ietfa.amsl.com>; Wed, 11 Jul 2018 16:50:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=linaro.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBbrKScuf9LA for <suit@ietfa.amsl.com>; Wed, 11 Jul 2018 16:50:42 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72A1A130E86 for <suit@ietf.org>; Wed, 11 Jul 2018 16:50:42 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id r24-v6so26128328ioh.9 for <suit@ietf.org>; Wed, 11 Jul 2018 16:50:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=O3tcfoKoXG5faoMn07WbC/KYi1g9qyD04TGcXEU9I5w=; b=gktfBQDxHT4/DMC70WLdb7ugRSca7fiy3+fhpkgcNLw7/LIEbUN/o0b6AKGnSn92Cs +Qpkv7yuuaW//22rjQQOticxzf1LIbO5yLmkqH3aZzdP8JcSA7PDEgrkuG7HiQH4WUyq Sgs7Y6yuihz8oLiLCZV1q2EmBDSbzI/wIbvxw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=O3tcfoKoXG5faoMn07WbC/KYi1g9qyD04TGcXEU9I5w=; b=c4HT5GcMtgDz2u19XEf0W/czScIiOQoQcrH8O9nzViAFR2s/d3+SBgRWuC1LiUd/GE avttSb0uHylRUpu44c+NE2+pLtKGKVe2Q+z+f6eHYK5db3/y7gbNoqpBD7iyRg05sXc9 v5NP1juPTmsMiRlg055gndeCdWPBUiLhIDUM9Pcj3cLFE0MT+YIpOC/R3MQ8b6Gd+izT 98G+P1T8sZdBfFU+DwYcR1liaUvC45QhBtktc7klcByF4HWaYSBuz3yhqmSDSINbGJxj l5z1JFLhAX1XpNM1uPJLqaFnsmCZSAnKHigdbCCayhiLnteH2Ai6GPlFDcsVTYNTrbwR mMYQ==
X-Gm-Message-State: AOUpUlEB9T2849yHPKwW3oEu1aO7PWCJGI6L2WXdGgYqatSQXvnhMC1V zzrNXtJ2G6rGixX4OCPkr4vNb/FO67w=
X-Google-Smtp-Source: AAOMgpepwT5Fx1HMHeLaI2Cp/LVNxIio31lZs0DifNz8RtQsKaVEpwRIpHuTWcm5OHzEXDoGwiTgwQ==
X-Received: by 2002:a6b:e52:: with SMTP id 79-v6mr844025ioo.658.1531353041525; Wed, 11 Jul 2018 16:50:41 -0700 (PDT)
Received: from davidb.org ([2601:283:4300:987c:6245:cbff:fe6d:5400]) by smtp.gmail.com with ESMTPSA id e11-v6sm3567874iog.56.2018.07.11.16.50.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Jul 2018 16:50:40 -0700 (PDT)
Date: Wed, 11 Jul 2018 17:50:39 -0600
From: David Brown <david.brown@linaro.org>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
Cc: Gurshabad Grover <gurshabad@cis-india.org>, "suit@ietf.org" <suit@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>, Sandeep Jha <sandeepkjha18@gmail.com>
Message-ID: <20180711235039.GA20649@davidb.org>
References: <11993b06-5da6-e397-3457-de6ecec87bb4@cis-india.org> <SN4PR2101MB0816F43DE79B8811CE63FCACA35A0@SN4PR2101MB0816.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <SN4PR2101MB0816F43DE79B8811CE63FCACA35A0@SN4PR2101MB0816.namprd21.prod.outlook.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/tW6NYjlFNfWg_GnIFIo68wlfCVc>
Subject: Re: [Suit] HR Review: Firmware Update Architecture for IoT Devices
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 23:50:46 -0000
On Wed, Jul 11, 2018 at 10:07:39PM +0000, Dave Thaler wrote: >Thanks Gurshabad. > >A clarifying question below... > >> # Privacy ([RFC8280], section 6.2.2) >> Privacy considerations are with regards to maintaining the confidentiality of firmware image and >> manifest. Both the firmware image and manifest contain information about the device. As mentioned >> in the older version of the drafts, Class ID and Vendor ID are typically compiled as strings into the >> firmware image. If an untrusted intermediary storage is assumed, as in [SUIT-ARCH], this device >> information will be available to all intermediary and snooping parties, which may violate the device >> operator’s privacy. Additionally, device information can be used by an attacker to design and mount >> targeted attacks on the device. >> >> Concern: The drafts are inconsistent in its recommendation of encryption of firmware images. >> Section 3.3.13 of [SUIT-IM] says that the information model must enable encrypted payloads to >> prevent the attackers from reading the content of the firmware images whereas Section 3.3 of >> [SUIT-ARCH] leaves the choice of encryption to the authors/OEMs. >> >> Recommendation: We recommend removing these inconsistencies, and that the drafts mandate >> the encryption of the firmware image. Accordingly, we recommend the relevant text of section >> 3.3 of [SUIT-ARCH] be updated. > >I believe the argument for it not being mandatory is that many IoT devices are not associated with >humans. For example, factory devices are owned by the factory not a human. Can you elaborate >on what the concern is for such devices that would warrant mandatory encryption? Your comment >seems focused on devices associated with humans, and so I cannot tell whether your comment >applies more generally to all use cases that are in scope for the drafts. In addition, the range of devices covered by these drafts include those with insufficient capabilities to support encryption. It is also unclear how it would be possible to not present class and vendor information in plain text somewhere. The systems involved in the software upgrade process need to be able to know what firmware image to look at, presumably this will be indexed by these values, or something equivalent. Even if the image were encrypted, it would be clear from where the image is coming from what device it applies to. The intention of encrypting the information is to protect the firmware author, and I'm not sure that it addresses privacy concerns about the image. David
- [Suit] HR Review: Firmware Update Architecture fo… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Dave Thaler
- Re: [Suit] HR Review: Firmware Update Architectur… David Brown
- Re: [Suit] HR Review: Firmware Update Architectur… David Brown
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Kvamtrø
- Re: [Suit] HR Review: Firmware Update Architectur… Russ Housley
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover
- Re: [Suit] HR Review: Firmware Update Architectur… Brendan Moran
- Re: [Suit] HR Review: Firmware Update Architectur… Gurshabad Grover