Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> Mon, 11 March 2019 13:15 UTC
Return-Path: <frank.kvamtro@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BCB31277D8 for <suit@ietfa.amsl.com>; Mon, 11 Mar 2019 06:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.922
X-Spam-Level:
X-Spam-Status: No, score=-0.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHpiJFJ-H3p5 for <suit@ietfa.amsl.com>; Mon, 11 Mar 2019 06:15:16 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50078.outbound.protection.outlook.com [40.107.5.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6422A1277D0 for <suit@ietf.org>; Mon, 11 Mar 2019 06:15:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector1-nordicsemi-no; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WFn+BqMvgv0z8i6tnaPMJeNu4OSdmY98JEUzh1SK5HM=; b=PwlGzpy6uppDBdf0Yl9L0mtRGkJ4p3WQF2ZWMn06evCbH3lVs+tzBQ4ZkIe8po6uDWOx1fiXWZJ34bcLBHLqQQWhPuzoWKONiHCoE0JfSfah/NDEYSzj7JqTjQ+5D6PTxalchHoNvGiVysyuWDQgPyD9aohm/58Q3Y4VzCLVh2U=
Received: from VI1PR0501MB2288.eurprd05.prod.outlook.com (10.169.135.13) by VI1PR0501MB2672.eurprd05.prod.outlook.com (10.172.13.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.17; Mon, 11 Mar 2019 13:15:12 +0000
Received: from VI1PR0501MB2288.eurprd05.prod.outlook.com ([fe80::b00c:a435:903a:2c88]) by VI1PR0501MB2288.eurprd05.prod.outlook.com ([fe80::b00c:a435:903a:2c88%7]) with mapi id 15.20.1686.021; Mon, 11 Mar 2019 13:15:12 +0000
From: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
To: Brendan Moran <Brendan.Moran@arm.com>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: Introducing draft-moran-suit-behavioural-manifests-00
Thread-Index: AQHU1b7FUHOtQLPEbkmOXwapehVVpKYGW6Hw
Date: Mon, 11 Mar 2019 13:15:12 +0000
Message-ID: <VI1PR0501MB22885868BFB301CA087E621DFC480@VI1PR0501MB2288.eurprd05.prod.outlook.com>
References: <A65149C9-4CEF-4343-9B03-20BC8E60288E@arm.com>
In-Reply-To: <A65149C9-4CEF-4343-9B03-20BC8E60288E@arm.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=frank.kvamtro@nordicsemi.no;
x-originating-ip: [194.19.86.146]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc300ef5-d9e2-4f1b-e1cc-08d6a623980b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR0501MB2672;
x-ms-traffictypediagnostic: VI1PR0501MB2672:
x-ms-exchange-purlcount: 2
x-microsoft-exchange-diagnostics: 1;VI1PR0501MB2672;23:6qD7Eip2JyjGs/E82ZNpnMoiahZpyUX/cyBv9eX5u1mE/yYZSaIgvuNmNQgsBxq5HCLHO8EaicgwjNFbqbPaeckOJMXLH1+zqenQS/WWf4hZLIffp47dFwakP7yaX5idQpreEm1fKpM/rRcqVsumO8FdosB0Fth3Jg/dZn0w3AIMlzv/KVZDeXj0a0EU5T1yoVWvERWh9sub2CdzsKVSboIHuZcTmMH0UKigQ5kYqJGsEKPcdOikGDresdtdHgTEVJSpi93NHp2B7dw5bfSfEDBSN7QJXG+C7j+AY6vKDy5TGs67iefb+48Af3g99mVpQ/prZ2scIvs8iZD0OoBRXcTugu2QadwgX65N7eocTArk6qVMrJEPvMS/gCN0MabZuaN9f54ty22Cl2+Im8qWiWHW+6D99m1aP3Z6DMCg/318J9mkwl1rGqrlHvgbh8DWWPBUSENhISiiMFIVtaY20h17gBWhsFYu68XixhIx/vSXUXau0uhKNztqeY9y7N82/IWar1GxTGmZqMoQhay6mtGfyjjdvitGFu6dQhiY7PAnxp72+pDXkaV/XNzKNX58Ow80LPkk1DH/0NCAKyLE7kNSmelizRmfmwQ8LT0m+CuRa+8LLQRxSUsV8s9W+6heP0cALD5yU6G/GGbUm7Bd6C4M78TLbNKauEjAvCszTU48t56pw8vfe1HkviCR/mlUusr2FktgvFMyB/PRqJiKFquowDBcEc9DKQq+l/jePkmIREAdBWN50nHLNxNuGw5Be+MPLKwpadRSBTFM3Lacv1BL+cbov0rN4CKuL/4w1YM9VxRRmN++so9NZQEIZ23XVeFLWW3DYbHw1ZRrXJhXAEgOLS3o7/QmsMJJv5v3RsQSuLXULSjaprBZfBIymLI1BF9M4nwCJb6qk4yeJD6X+BWZe+vDGtLzl7kUbkPRXk/qUCd+xWn3mrO6kEN5KhQ2oYzpQb0BiY+blaDYAizpghS9CgqhqcoT/BfHNbGjS/8kp6GGwEMLK4qdg6+rLHTfGJaV21I6jfqE+6amh+1AvkNFEd2GPJIrNQmlwFkScdt3MD9Mug7ISYjmCoMKKND3sUNwjeBdaTPi6XM5KpXh7Jfp/+wM+ewPMseLHQ8xyAtM4UsyZbGI8hFjhQPx1sMq+xRPNayddHGo+Da/mCOkCyQAPHfmL3x+kHXFGIDOsy3KkKE9xnhX7+ZsuqBYo2BX7j1K7DJC+UH9sccdO0CZbhwe3eXTp0osL2veow0jhVeI9vHP+9NLAoOGFAovNh2NheJXMFAv5hMw8GrKkcwoxF3hM5pCgtffR+n9wbtcVanspvKYS45eSB+jmh9+w4CC7DLBN9L5N1LiuQ13u8V8p8e+qLZqMjIDMnS1Rl2I5KBlIu7tyUhDyk93aogrfpyq
x-microsoft-antispam-prvs: <VI1PR0501MB2672CF9B7A973C98F7A15FD6FC480@VI1PR0501MB2672.eurprd05.prod.outlook.com>
x-forefront-prvs: 09730BD177
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(346002)(39850400004)(396003)(366004)(54094003)(13464003)(199004)(189003)(229853002)(74316002)(53936002)(8676002)(81166006)(33656002)(97736004)(6506007)(53546011)(316002)(7696005)(478600001)(71190400001)(71200400001)(476003)(11346002)(446003)(486006)(81156014)(2501003)(74482002)(7736002)(305945005)(55016002)(6246003)(6436002)(6306002)(9686003)(66066001)(8936002)(2906002)(85182001)(5024004)(186003)(3846002)(256004)(68736007)(6116002)(5660300002)(86362001)(76176011)(14454004)(99286004)(14444005)(966005)(25786009)(110136005)(26005)(52536013)(106356001)(102836004)(105586002)(777600001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0501MB2672; H:VI1PR0501MB2288.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nordicsemi.no does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 2h8OiB/dFQAuKV3GfRuzxm3t/y+7jGIK16Kio9uSiYbFSQ9UPHRUaBp3GLX0K0mmhQl8hD7td2819YwLiGDF7K6PEaCrF64XmtUd+sGuWmgrtezZC8vjzYDOtBRdE0omqe6bmBJu2OU0nyJNj4kKgdGK/Hb4zT5YNWpR54n0X6w9I3U415Q0iWoWpxAniVfSiUeWBieXQxjpTOgZMhtH3hRbrND3nZsxZ/Nq19d7RC+0zqmoV3/iC0spp44CyLopTRgbHhYVnTmG66x7EMtBDJ5auG+wEx3k4VWWF8epRKSAftwhF4VzkKtp9GaDlO8fCDgXJMF9nJk9FFhMd2vZB3B8FRAzpuzgZbzKB2+H0HDuq0w75SkwQO3s/1KVFh2ea3637qTMnT7d9zNTu/R8PPk9tNFhZPxJUggtok2x4HU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-Network-Message-Id: bc300ef5-d9e2-4f1b-e1cc-08d6a623980b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2019 13:15:12.3104 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0501MB2672
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/iZojKq3KBpGrwCwbjY5PPgCQmsA>
Subject: Re: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 13:15:19 -0000
Great to see work on this!
I wonder if this document needs to be a bit more distinct with regards
to secure boot. It is mentioned in the ingress, but there are not a lot of
indication right now on where to put e.g. an asymmetric signature or MAC to
ensure the validity and/or integrity of the processable items as part
of the behavior described in this draft...
From looking at multiple standards on security the term "verify" is often
distinctly reserved to mean cryptographic verify functionality, e.g. using a
signature or a MAC qualifying the next jump etc. In this draft "verify" is
stated in 5 different versions of conditions, but none of them clearly defines
a behavior I would equate to a cryptographic verify function. In my mind
I'm able to put said cryptographic verification functionality in the
conditions in commands 5.2, 5.4 and 5.5 dependent on the use-case.
Such functionality is not explicitly mentioned in any of these except from
a loose reference to doing a similar type operation, i.e. cryptographic hash
function in 5.2 - Verify Image presence, but then the assumption must be
that there is a signature at a different level, safeguarding the digest.
I also struggle with this due to a collision in text at the end of chapter
3 where in a paragraph before and after talk about processing steps in
chapter 4.1:
"System validation is used to ensure that all required dependencies
are present and that all required images are preset. This process
is equivalent to that used in the validation portion of Secure boot
workflows".
I as a reader would equate this to validation being a processing step
in 4.1, although the concept "validation" is fairly broad on this level
compared to the use of conditional verification in chapter 5.
If a cryptographic verify function is to be understood to live inside
conditional commands in chapter 5, then I have some proposals:
-Change the wording in processing steps (4.1) to limit them to
"doing" operations, so instead of stating "symmetric cryptographic operations"
simply state "decryption". This means that MAC operations isn't
falsely included as a processing step.
-Be more explicit on the location and intention of doing a cryptographic
verify operation (asymmetric signature check or MAC) inside one or more
of the verify commands in chapter 5 or in the ingress of chapter 5
so that it is tighter coupled with the concept of a "condition".
If the content of this operational description is *not* based on a
signature check inside said behavioral description, but rather a
signature around the complete set of behaviors, then this could be
made clearer in the ingress in my opinion
The term "signature" is not mentioned once in this document, and I wonder
if this is done on purpose... I think it should be mentioned since
secure boot is referenced at several locations in this draft, even if
signatures as a concept is skipped on purpose...
Regards
Frank Audun Kvamtrø
> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
> Sent: 8. mars 2019 15:54
> To: suit@ietf.org
> Subject: [Suit] Introducing draft-moran-suit-behavioural-manifests-00
>
> After IETF103, it became clear that we need to focus more on very
> constrained devices and that optimising the format for constrained parsers
> was very important. Simultaneously, we were presented with several more use-
> cases that required extension and complication of the format. It very
> quickly became clear that the existing serialisation would not meet the
> stated goals of reducing complexity in constrained devices, but also enable
> all the desired use-cases.
>
> This made it very clear that we needed to take a new approach.
>
> Internally, at Arm, we have been developing a new sort of mechanism for
> describing firmware updates and secure boot. It is a significant departure
> from the format we were developing before, but it comes with a lot of
> advantages. I’m pleased to be able to share it with SUIT today!
>
> https://datatracker.ietf.org/doc/draft-moran-suit-behavioural-manifest/
>
> This approach focuses less on describing the data that a process needs and
> more on describing the actions the process should take. We’ve been
> evaluating it against the use cases in draft-ietf-suit-information-model-02
> and more besides, and it produces compact results.
>
> The forthcoming draft-moran-suit-manifest-04 will be based on a union of
> draft-ietf-suit-information-model-02 and draft-moran-suit-behavioural-
> manifest-00.
>
> Best Regards,
> Brendan
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit
- [Suit] Introducing draft-moran-suit-behavioural-m… Brendan Moran
- Re: [Suit] Introducing draft-moran-suit-behaviour… Kvamtrø
- Re: [Suit] Introducing draft-moran-suit-behaviour… Brendan Moran
- Re: [Suit] Introducing draft-moran-suit-behaviour… Carsten Bormann
- Re: [Suit] Introducing draft-moran-suit-behaviour… Kvamtrø
- Re: [Suit] Introducing draft-moran-suit-behaviour… Michael Richardson
- Re: [Suit] Introducing draft-moran-suit-behaviour… Brendan Moran