IETF Logo Mail Archive

Re: [Suit] Review of draft-ietf-suit-manifest-09

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 30 July 2020 17:34 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17ADC3A0FB3 for <suit@ietfa.amsl.com>; Thu, 30 Jul 2020 10:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3qNJxcHIoiZn for <suit@ietfa.amsl.com>; Thu, 30 Jul 2020 10:34:21 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 000733A0D27 for <suit@ietf.org>; Thu, 30 Jul 2020 10:34:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id EE420389E4; Thu, 30 Jul 2020 13:13:45 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id MAdzc0qy1agA; Thu, 30 Jul 2020 13:13:45 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 00E6E389DB; Thu, 30 Jul 2020 13:13:45 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 95D8F35C; Thu, 30 Jul 2020 13:34:18 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brendan Moran <Brendan.Moran@arm.com>, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, suit <suit@ietf.org>
In-Reply-To: <3ff3915e-c61c-2c00-f780-a77c9ab494cc@sit.fraunhofer.de>
References: <BL0PR2101MB1027152EC8DAD9B3847C3E89A3770@BL0PR2101MB1027.namprd21.prod.outlook.com> <70453005-8DFA-4DBE-8C04-9882839D5005@arm.com> <3ff3915e-c61c-2c00-f780-a77c9ab494cc@sit.fraunhofer.de>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 30 Jul 2020 13:34:18 -0400
Message-ID: <10787.1596130458@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/z54QzkB8vyKQsslaFORQdlDHUsE>
Subject: Re: [Suit] Review of draft-ietf-suit-manifest-09
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:34:24 -0000

    dthaler> 6. SUIT_Report
    dthaler> SUIT_Report and Reporting Engine text is added but does not appear to be
    dthaler> about what goes in a SUIT manifest, so I argue that it doesn’t belong in
    dthaler> this spec (and is arguable as to whether it’s in scope for SUIT at all)

    bm> You’re right. This has not been raised on the list. If it’s more
    bm> appropriate to put it in a new draft, I’m happy to do that. However, it’s a
    bm> natural consequence of adding the SUIT_Reporting_Policy, which was
    bm> discussed at the virtual interim. It seemed to me that if a reporting
    bm> policy was specified, then an implementor would naturally want to know how
    bm> to report that information. If there is a need for logging SUIT commands,
    bm> along with their arguments and results, this seems very specific to SUIT in
    bm> general and the SUIT manifest in specific. I struggle to see what document
    bm> would be more appropriate than the SUIT manifest for the SUIT_Report.

I had tweaked on Dave's question here about whether IPFIX might be an
appropriate transport.  I am intringued by this possibility.
I would like to understand more about this as a concept.
I think that I would not want an IPFIX client in a bootloader, so:

    dthaler> Furthermore, it says SUIT_Report can go in an attestation report.  What’s
    dthaler> the rationale for that as opposed to some more typical logging/reporting
    dthaler> mechanism that might integrate with existing error reporting mechanisms
    dthaler> and trouble ticketing?

    bm> SUIT_Reporting_Policy has two output channels: “system information,” that
    bm> is the “actual” values compared against in conditions, and “command
    bm> records” which are effectively logs of command execution. For an update
    bm> case, these are adequately served by logging infrastructure. However, in a
    bm> bootloader case, this is inadequate because the bootloader and the booted
    bm> application are different security domains. This means that any system
    bm> information or command records need to be protected from modification by
    bm> the application. Typically, this would be done with a signature; I don’t
    bm> see how this is different from attestation.

I don't know what "existing error reporting mechanism" a bootloader (in a
nanny cam) might have access to :-)
From Dave's probably TEEP point of view, I can see that the TAM could well
provide a very rich of facilities.
The observation that the bootloader and booted application are in different
security domains is probably more relevant than the observation I was going
to make that the bootloader might not have any network.

I think that we can reasonably separate this into another draft, that I
think, TEEP would ignore.

    bm> 7. Vendor IDs
    bm> I’d argue that I have not defined a new identifier space. It was defined in
    bm> RFC4122. That said, I think that PEN could be beneficial if we can work
    bm> around some of the complexities associated with it.
    bm>
    bm> OUIs may be prohibitive for small manufacturers (US $2,995). For example, I
    bm> have seen small manufacturers avoid building USB devices due to the cost of
    bm> obtaining a USB VID. Class IDs still require a UUID Name Space
    bm> Identifier. There is no rule I can find for constructing an OUI UUID, so it
    bm> cannot be used as a UUID Name Space Identifier.

At one point, this was just not an issue because you always had to get one
for ethernet.   But, in many lower-end semi-industrial cases, the network is
provided by a "wifi module", which really does layers 1-4 (sometimes TLS
too), so the vendors do not pay for ethernet OUI.

    bm> Private Enterprise Numbers seem manageable by small manufacturers.
    bm> There is a UUID Name Space Identifier for OIDs, however this gets a bit
    bm> confusing. You would need to construct a class ID as follows:

PENs are easy. You send an email to IANA, and a week or so later, you get
number.  I have one.

    bm> There’s a lot more complexity here than just “use a PEN.”

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email