IETF Logo Mail Archive

Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence

"Kończyk, Sylwester" <sylwester.konczyk@nordicsemi.no> Thu, 21 December 2023 06:01 UTC

Return-Path: <sylwester.konczyk@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF74EC13AE26 for <suit@ietfa.amsl.com>; Wed, 20 Dec 2023 22:01:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nordicsemi.no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q27cWHVBo-jp for <suit@ietfa.amsl.com>; Wed, 20 Dec 2023 22:01:24 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2083.outbound.protection.outlook.com [40.107.7.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B776C14CE33 for <suit@ietf.org>; Wed, 20 Dec 2023 22:01:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BVgRBGHuD5TaQSaKgOkU6r7pDGb/t6q+BXh23MknIlDRiiY1Z+gyb0ZKErzjOXOijq8YyMQglcq/GqaqjUkgODr9VliWqeSTP/kLHXUcNAwo+xn6WNr+SxZ33Dy44VV3hQgW1DpFX8uTWziIKwHATb7TYSJ8n+S/Q7enpn1IqmSHzjw7eeQDIDEcKprD1cq6admMn0mb6Wdc7KWSR+zx+AjOsdcjJ6crGonG0cbFcf914JlzbKo0OpHmxG6+tiK5wvU06k9FO800l7NJjoQbHcCKCPNueM/GbR8bJ8Fvf/9n0lVXOb7Yg3cOumrHZcY6hJSUv2NSW6xoGj82tXwTBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tzx/c/A2wK3Mbhrg10kQg0LT30dUxk6TGP/wSRxbYlE=; b=cSqpYlbnkneeL8sNidXaMdRXBKC88+IHToSUUbaU9xukmrGSyV2ZrSc8MKTq1aOsJLJ3C+uPk1V7X/i/WjHGrQQAj7y4KJpBOi3GMVWMPvdbTxOu8btdQkOt5C925kV4nyCTwe6bI4FBoSY11Ip4yI/6Fu1Rer1bOjBUjbURQ3HGTzDv8I5FP4ZAUUCCCzkpMUFQZgOqWkK46mEQMvwBcTOCJ/sth4zT3HOe2K+NF/Iqf8OMrJj6pWgd6Q5bFxs+pZ9uNOomluNQz/MY+c6a+zPELt/CSqF2GDU9cBB/rZ/5EIt4UmMee1SKNKcikh5AepdEEF8urv/XQ6KWRceIig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nordicsemi.no; dmarc=pass action=none header.from=nordicsemi.no; dkim=pass header.d=nordicsemi.no; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.no; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tzx/c/A2wK3Mbhrg10kQg0LT30dUxk6TGP/wSRxbYlE=; b=BYbuXksgGxoC6VEPWxSAShsRm9+jHr4dYNBMDswr6ClE1ct9BhIVGeLJuxHjw+CGUskFUUB0qy6kMtJlZwARZCfNqPBBY7oxDoBsZWtls2cVKNkLShGdy4pHtUOrEVWp6JhlWF115P57GM+lyg/pU0ZXc3HBx/T0952aOYzrrrcYDJEcu9WWsY7uvpptWzGvMpfPR+i8zOadBh855KyV9P5wSaWnLOaUyK1n0u5VY06YvxkiJG6RPPXRPDSIP/tJ5t+pILdpF6VwT1sum73NSObzlGKO9CEl9LgRCBMxZBcnqCNpPw+WgsCmjLtIXjIp4YNmhCJtgu1m+RZ6H+Kr0A==
Received: from DU0PR05MB10075.eurprd05.prod.outlook.com (2603:10a6:10:441::7) by DBAPR05MB6981.eurprd05.prod.outlook.com (2603:10a6:10:181::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7113.21; Thu, 21 Dec 2023 06:01:17 +0000
Received: from DU0PR05MB10075.eurprd05.prod.outlook.com ([fe80::34aa:d83d:4934:187c]) by DU0PR05MB10075.eurprd05.prod.outlook.com ([fe80::34aa:d83d:4934:187c%3]) with mapi id 15.20.7113.016; Thu, 21 Dec 2023 06:01:17 +0000
From: "Kończyk, Sylwester" <sylwester.konczyk@nordicsemi.no>
To: Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: draft-ietf-suit-trust-domains: proposal of new command sequence
Thread-Index: AdozF/DOyCDWPu2LSwmnIhxAAOCOKwAPuwVUABy6uMA=
Date: Thu, 21 Dec 2023 06:01:17 +0000
Message-ID: <DU0PR05MB10075EA07524D2FDEF829D988F195A@DU0PR05MB10075.eurprd05.prod.outlook.com>
References: <DU0PR05MB1007598D80C708EF5E31D6C1FF196A@DU0PR05MB10075.eurprd05.prod.outlook.com> <DBAPR08MB5576FEBEC9ADFCEFFA5C9F51EA96A@DBAPR08MB5576.eurprd08.prod.outlook.com>
In-Reply-To: <DBAPR08MB5576FEBEC9ADFCEFFA5C9F51EA96A@DBAPR08MB5576.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nordicsemi.no;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0PR05MB10075:EE_|DBAPR05MB6981:EE_
x-ms-office365-filtering-correlation-id: 7d27852e-ec22-40ac-64f7-08dc01ea3f32
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2/A7wljn1Em8a9uNJkXhdCfkO2zi10hxh91Rq96NcI8MfunkvwYIA+czjra1CWLUQDRrn0Ap6iodGpKgdgglm4SpYr1pPoZTtaOnv6wDpqn8pd7jXDZ9m37QXHKa02CpfapmZFLG8HNX/Zpus0kRY3vvjoOgHQWeJEyL/m90rcTevqW854+Ogx1TyxT++6jzrdS8+cvkX0A5+2ddh0PwEdgdlh9kDRGmerFYtuG0/Rd7S9/MA3Hv0osUN4gZTkVgbCe6gNoMCs5GAMpcopTh0pg/8cGZN6KhTkB4VFDF3x6c9JBbf/ZQ6bkNijiXDXLk/MujTWBfC7edYLcACVf9gptUlX51KbmNz25mX70XzSxQM86LWjtyzZWhiqTjWp5n/jhmb47nQlr3FoY60ReqtpMfYw4TyIyqbivuVAQc4rIKKBN3M2AqWGTtWXsHikV3eiPibu0visvtwDgPrM7StXkqSCZsNf/Lu9UPCwebWN8NMfB0m4Q0QP+Rqkb3XG8MAhsI6GLGKXV/SjGa4B5sT90oyZhi+ng1iquv0oLu35MHzTz8U2CpwL5Pp6KCIFdpAq6A7iS34n1PbiRsFeCNgPflkNg5kcMD/SVw/8rN/JCSCjLSzEF1KF5Xiq4k3YfIppS6jGRc7x9AhuIzBIpVMmQ1rxdL2SRM3tfWmfMUxoNz+GYteRsa6wK+YGLsgDKjlFt2G2AlroajZNKJDOG4JFWGeD58zcTyS4axaznYurm4r78jKPUBJdDitzw7Inde7rt37VVSuOIyAePTNgcOBg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR05MB10075.eurprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376002)(366004)(396003)(136003)(346002)(39850400004)(230173577357003)(230273577357003)(230373577357003)(230473577357003)(230922051799003)(451199024)(64100799003)(1800799012)(186009)(5660300002)(30864003)(2906002)(3613699003)(86362001)(122000001)(166002)(38100700002)(41300700001)(110136005)(66946007)(66556008)(33656002)(76116006)(64756008)(66446008)(66476007)(26005)(66574015)(316002)(71200400001)(53546011)(9686003)(6506007)(19627405001)(7696005)(55016003)(478600001)(966005)(52536014)(38070700009)(8936002)(9326002)(8676002)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: luwhEsuhCXDvnIngpgPpMvGpmkoy/K1xpL5O9nHt5O87cOGzmiHmA1atlsMqDv80boDA8MYgsV6dwyPWH0TUmArv/gHtIV5WWSy0HK3RZGhgoyN6HrsBBISy0LPyfYSJEv9+Dx5eSIQjaW4JCCR4F7WvSFLJbn5n5xV0RsU3il9vsp4VfIFTBHLERkwxzm4m3v4aPdvm4m/rIpHETA66R0Q7phrTNxHXn4OzLJO4gdwel9kAU5mi6od3j3q82hi5ts6D42eVwCrHW2Ul/m7NuaOiNUam5IjGOQPRPSZIOkAwuYMUvO6gnRuffVidCz+sF9nDniE1tpUuH7/REyP73ZpRIDY5/DrqOb/8r+S14lFfUy0a5/OCTIFw8sZ7rMzR6QK72aPgtiMkUlYnO6Kgv2tLlQK+RuNmAfSdWsnbZaHCJpevGsjXSXlK/MxnAvHxXUgY+Tk1h1PkSriCc8P/MJdIwrZJkAYioGBjQkLNbYj8UKIgBAza96MvvVLESIhPSwGgxebKQBZ5Q0T6ONxROHplaLJvEzJ/BNaJ4QU7NVX0wjuC5Tq5PvcsoH043ik0wvtvLQTOzXkb+lEUQFPPOerR7NyGLhtkrdpNUYrtjjo8ZqJ4y6q4EjUN0glskx4Pw3zGrUYbHq7EwW5BeNWcwjjhiQVP8GfLdbOWPy35KrOg2ddsArqy33k74F3IxjbM9eFmDyhZEUUGMoUC0rzsgUXJSurZmcAVjxU0GXJJH6OHhS0nDXZnhA47he+r9958xwVkPQe0MAa4WnRtDjb/XEIY67odlVkk+Ah33Ock5zyhoG31yvIYWz/92j4QHpgZgSlU0l3SInPdbdMgVcGodWr4g0CbAmP+iuBUTsfgUqnzfakq6NI3r+3ACa/eU7Y7K1QgptSQISrcbiA+D8LV/a59LrC/bJVwyEnk0lRnZuYmMCKZWGlEEJXNPaLKO1TeNaN+qspJg48LPI3R0EEC1fW6uVFDWNQqSDXD/YHX3PQ58WpB8zO7unZYsDkJiqj9yH1/emBXv/rxqAp6yPTaAE39DRk3YEHgVgtW/uc80QupxTLe8vAP5ErkJVq+Wl+sDFE5iQM4AhoFjhUppYRhHUiLPOXW3R9pVBocTkviPLgYxeuRk/6VBB8GX50vH9+t49RAfBc0I4eujboxkPha0h6zR2lCgdxw7I9RwMJPl/8WNWw3OItq2G/42rWKqoYykanKvJ9pLL+xKJXZP4r7TxDStBlrPzEAEHxQ2BbIzzmFqXBxm9fJQhxcG2gQb6u8fNLSrqm4ZsScbMu3eEShEkY5Moil1PDYFiRGlPLQ9+6O96/O/4nxImS6FyVBWTu3agdhhHeT9ckaw/lHPmY8sARgGJ5A7uNp2kMaGQ8TFA2TmfqkBVCdyF1UjWBd1EuJZlKbL4GBbc3HIzVkGNqUXZHu7KUFbe43dFd2Bf1q2HjHD7o4naumGRY9JIIYE2ZS7WvzaF7MpY0DiH9TkPqq08B1rjJPJL3b4TiFq1pypRWuCzE5LavdJronhKyyZKBTzN9sZAA3i3vGuFxK+WBd+cg2wNs+Z5lF6CoTdc2t+tKLduOHO9yjHT0wcb6XyQlMJYCVd4QYNhrqvaDG7dDixA==
Content-Type: multipart/alternative; boundary="_000_DU0PR05MB10075EA07524D2FDEF829D988F195ADU0PR05MB10075eu_"
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR05MB10075.eurprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7d27852e-ec22-40ac-64f7-08dc01ea3f32
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2023 06:01:17.3604 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: s1lX9j/AjlSlrJ+UCQpdfM6vtc5leYmfdNPzH1o1FH0ahVNGi6OfNylc+C8O1BKfEezVppe6HCeYIvKI+I1OXwFoyrXzdi1FJWyzeVMCdvs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR05MB6981
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/vBFe4IMqr3zHQy0Aea3bdJ4rfXA>
Subject: Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 06:01:29 -0000

Hi Brendan,

Thank you for prompt response, let me add clarifications/comments referring directly to your message.


> If it is mandatory that one manifest processor downloads an image to a staging area and a *different* manifest processor validates it in-situ and installs it, and that the second manifest processor has a manifest with multiple dependencies that have payloads, then I can see how we could need pre-install-validate. Is this your use case?
This is exactly the case.


> 1. The system is composed of multiple components in at least two trust domains.
Correct.

> 2. At least one of the trust domains has secure memory that the other trust domains cannot access (a TEE).
Correct.

> 3. The TEE has no network access and cannot download its own payloads. It also does not have a mechanism to stream data from the non-secure world.
TEE has no direct network access but regarding to streaming the data from non-secure world - it varies between end products. In scenario I particularly have in mind the TEE does not stream the data from non-secure world. So, let's assume - Correct.

> 4. The TEE has its own manifest processor with a component prefix as described in draft-ietf-suit-trust-domains, Section 6.4.1
There are some similarities and some differences to deployment described in draft-ietf-suit-trust-domains-05, Section 6.4.1. Indeed, there are two instances of suit processor, one executed in untrusted environment, and another one in TEE, but those processors are not active at the same time. Responsibility of non-TEE processor is to fetch missing dependencies/payloads to staging area, while responsibility of TEE processor is to install candidate update/boot the system.

> 5. The TEE manifest has at least *two* dependencies, each with at least one payload.
Correct, but I would rather rephrase, saying that the 'Root' Manifest has at least *two* dependencies, each with at least one payload.

> 6. The TEE requires that payloads are staged in NON-secure memory (presumably encrypted).
Correct.

> 7. The system does not have enough slots for a rollback in case of a broken install. ("update procedure crashes in the middle of 'suit-install' sequence executed on another dependency manifest, leaving the device in incoherent state.")
Correct.

> 8. The expected workflow is:
> 8.a. The update client executes the Root Manifest's dependency resolution sequence, causing downloads of the the TEE's manifest and its dependency/dependencies.
Correct.

> 8.b. The update client executes the Root Manifest's payload fetch sequences, causing downloads of all relevant payloads to staging areas.
Correct, but clarification is required here. payload-fetch sequence of the Root manifest is written in a way that it executes process-dependency on dependencies resolved on step 8a.  And those dependency manifests fetch missing payloads to stage area (NON-secure memory). Thanks to that mechanism the ''Non-secure' instance of suit processor is able to fetch missing payloads for all domains, including update candidate for TEE.

> 8.c. When the update client's manifest processor encounters manifests matching the TEE's component prefix, these manifests are sent to the TEE's manifest processor
No. The update client executes the Root Manifest's payload fetch sequence, which in turn, may execute directive-process-dependency on ANY of dependencies.

> 8.d. The nonsecure manifest processor verifies all payloads (Maybe not? It should have done this during payload-fetch.)
Author of manifest controls that. I would say that payload-fetch sequence should be written in the way that both detached and integrated payloads are verified against corruption. And yes, payload-fetch sequences are executed in non-secure environment.

> 8.e. The TEE's update manifest processor verifies all the payloads that are staged in the non-secure memory
It shall be done like that, and that is the point. The only sequence at disposal is suit-install, executed in TEE on candidate Root manifest (and respective dependencies via directive-process-dependency).

> 8.f. The Update Client executes the Root Manifest's install step. When the manifest processor encounters manifests matching the TEE's component prefix, these are sent to the TEE manifest processor, which installs them into secure memory
No. Once system enters 8e, the Update Client is deactivated. One of reasons is that is to update the 'Executed in Place' Update Client. So steps 8.e and 8.f are performed in TEE.

> 8.g. When the sequence is done, the system reboots, verifying each component to ensure correctness before moving on to loading and invocation.
Correct. Performed by suit processor in TEE.


> In view of point 7, how will devices implement the robustness requirements defined in Section 4 of RFC 9019?
>> Devices must not fail when a disruption, such as a power failure or network interruption, occurs during the update process.
System is designed to be idempotent. In event of power failure install-sequence from candidate Root manifest is executed from the begin.

> In view of point 6, How will devices mitigate the TOCTOU vulnerability that exists between 8.e and 8.f?
(...)
All concerns you have raised are valid (fortunately - addressed). One of security measures are indeed MPUs, making the staging area inaccessible by entities other than TEE during phases 8.e and 8.f, without any gap between 8.e and 8.f
So, candidate manifests and candidate payloads became 'Immutable' at the begin of 8.e.


With Regards,

Sylwester

From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
Sent: Wednesday, December 20, 2023 4:14 PM
To: Kończyk, Sylwester <sylwester.konczyk=40nordicsemi.no@dmarc.ietf.org>; suit@ietf.org
Subject: Re: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence

You don't often get email from brendan.moran@arm.com<mailto:brendan.moran@arm.com>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>

Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi Sylwester,

I think I understand what you're asking for. I'm not opposed to it, but I want to make sure that we're not adding extra complexity. Please tell me if I understand the scenario correctly.

1. The system is composed of multiple components in at least two trust domains.
2. At least one of the trust domains has secure memory that the other trust domains cannot access (a TEE).
3. The TEE has no network access and cannot download its own payloads. It also does not have a mechanism to stream data from the non-secure world.
4. The TEE has its own manifest processor with a component prefix as described in draft-ietf-suit-trust-domains, Section 6.4.1
5. The TEE manifest has at least *two* dependencies, each with at least one payload.
6. The TEE requires that payloads are staged in NON-secure memory (presumably encrypted).
7. The system does not have enough slots for a rollback in case of a broken install. ("update procedure crashes in the middle of 'suit-install' sequence executed on another dependency manifest, leaving the device in incoherent state.")
8. The expected workflow is:
8.a. The update client executes the Root Manifest's dependency resolution sequence, causing downloads of the the TEE's manifest and its dependency/dependencies.
8.b. The update client executes the Root Manifest's payload fetch sequences, causing downloads of all relevant payloads to staging areas.
8.c. When the update client's manifest processor encounters manifests matching the TEE's component prefix, these manifests are sent to the TEE's manifest processor
8.d. The nonsecure manifest processor verifies all payloads (Maybe not? It should have done this during payload-fetch.)
8.e. The TEE's update manifest processor verifies all the payloads that are staged in the non-secure memory
8.f. The Update Client executes the Root Manifest's install step. When the manifest processor encounters manifests matching the TEE's component prefix, these are sent to the TEE manifest processor, which installs them into secure memory
8.g. When the sequence is done, the system reboots, verifying each component to ensure correctness before moving on to loading and invocation.

Please can you let me know if I don't have this scenario defined correctly? If I do have it correct, then I have a few questions:

In view of point 7, how will devices implement the robustness requirements defined in Section 4 of RFC 9019?
> Devices must not fail when a disruption, such as a power failure or network interruption, occurs during the update process.

In view of point 6, How will devices mitigate the TOCTOU vulnerability that exists between 8.e and 8.f? There are many potential TOCTOU vulnerabilities in the manifest processor (one is defined in RFC9124, Section 4.2.18) but they are, largely, mitigated by secure boot and the requirement to hold manifests immutable (RFC 9124, section 4.3.21). There is also an assumption that there is some form of protection (e.g. MPU) that can be applied to mitigate some of these concerns--it's generally not great if executable code is modifiable after a digest check. This, however, is different. When the digest check is done by the TEE, the code is still sitting in the non-secure world. The TEE then returns control to the non-secure world. At that point, anything can happen.

So how do we mitigate this? Well, there's a couple of options:
1. The staging areas that contain the TEE's staged images are assigned to the TEE and remapped into the secure world.
2. The TEE can have control of the MMU/MPU and enforce that the memory is not writable.

If the second option is used, then I could see it working. If point 5., above, is not true, then well-structured manifests (image check *before* process dependency, copy *after* process dependency) should be adequate to prevent an incorrect system state.

The original idea behind multiple manifest processors was that they would each fetch their own payloads and be responsible for their correctness at the end of payload-fetch, in which case there is no need for a pre-install-validate.

If it is mandatory that one manifest processor downloads an image to a staging area and a *different* manifest processor validates it in-situ and installs it, and that the second manifest processor has a manifest with multiple dependencies that have payloads, then I can see how we could need pre-install-validate. Is this your use case?

Best Regards,
Brendan

From: Suit <suit-bounces@ietf.org<mailto:suit-bounces@ietf.org>> on behalf of Kończyk, Sylwester <sylwester.konczyk=40nordicsemi.no@dmarc.ietf.org<mailto:sylwester.konczyk=40nordicsemi.no@dmarc.ietf.org>>
Date: Wednesday, 20 December 2023 at 07:45
To: suit@ietf.org<mailto:suit@ietf.org> <suit@ietf.org<mailto:suit@ietf.org>>
Subject: [Suit] draft-ietf-suit-trust-domains: proposal of new command sequence
Hi,

I would like to discuss extension of suit-trust-domains, by adding optional 'pre-install-validate' command sequence.

$$SUIT_severable-members-extensions //= (suit- pre-install-validate' => bstr .cbor SUIT_Command_Sequence)

$$severable-manifest-members-choice-extensions //= ( ? suit- pre-install-validate => bstr .cbor SUIT_Command_Sequence / SUIT_Digest)

Aim of that sequence, executed right before 'suit-install' sequence, would be to assess that all payloads required for installation are in place. This is especially important in context of suit-trust-domains, where an update may be organized as Root Manifest and several Dependency Manifests. Lack of 'pre-install-validate' may lead to situation where components managed by one of dependency manifests are updated, but update procedure crashes in the middle of 'suit-install' sequence executed on another dependency manifest, leaving the device in incoherent state.

Already defined command sequences (suit-validate and suit-payload-fetch, suit-install) cannot help here:

suit-validate - its purpose is not to evaluate coherency of payloads in envelope or 'staging' components, but rather to evaluate the state of components involved in invocation sequences.

suit-payload-fetch - here explanation is more complex. Let's assume system composed of several security domains, where one domain is responsible for fetching payloads (effectively executing suit-dependency-resolution and suit-payload-fetch) and another (second) domain is responsible for installation (executing suit-install sequence). Let's also assume that first domain cannot be trusted by the second domain. In that case the second domain require some methods (like 'pre-install-validate') to validate completeness of candidate payloads before it starts an update.

suit-install - placing checks at the begin of suit install sequence would not work on systems organized as Root and several Dependency Manifests - in such case validation instructions would be mixed with installation (validation dependency1, installation dependency1, validation dependency2, installation dependency2 and so on)

Summarising, it's not impossible to solve the stated problems by other means, but this solution is in my opinion simple, effective, and hardly increases the complexity of the spec.

Invocation procedure is expressed by three command sequences, addressing separated concerns (suit-verify, suit-load, suit-invoke). Having similar clarity (and separation of concerns) in update procedure would be even more desired.



With Regards,

Sylwester

_______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email