Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages
draft-housley-cms-fw-wrap-11
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Harald Alvestrand |
2005-01-28
|
11 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2005-01-28
|
11 | Amy Vezza | IESG state changed to Approved-announcement sent |
2005-01-28
|
11 | Amy Vezza | IESG has approved the document |
2005-01-28
|
11 | Amy Vezza | Closed "Approve" ballot |
2005-01-27
|
11 | Sam Hartman | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Sam Hartman |
2005-01-27
|
11 | Harald Alvestrand | [Ballot comment] Reviewed by Scott Brim, Gen-ART No objections from the reviewer. I worried about adequate review by people who know code management - but … [Ballot comment] Reviewed by Scott Brim, Gen-ART No objections from the reviewer. I worried about adequate review by people who know code management - but subsequently, several people have said that they have reviewed it and are happy with it. So I'm sending this forward. |
2005-01-27
|
11 | Harald Alvestrand | [Ballot Position Update] Position for Harald Alvestrand has been changed to No Objection from Discuss by Harald Alvestrand |
2005-01-25
|
11 | (System) | New version available: draft-housley-cms-fw-wrap-11.txt |
2005-01-19
|
11 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-01-19
|
10 | (System) | New version available: draft-housley-cms-fw-wrap-10.txt |
2005-01-07
|
11 | Sam Hartman | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation::AD Followup by Sam Hartman |
2005-01-07
|
11 | Sam Hartman | I talked to Jeff Hutzelman and received permission to put this in the tracker. We also had a discussion about the dependency issue. I pointed … I talked to Jeff Hutzelman and received permission to put this in the tracker. We also had a discussion about the dependency issue. I pointed out that his suggestion (2) was actually already true in the current draft: if the dependency information in the current draft is provided, an implementation MUST check it, but a vendor can choose to use their own dependency information imbeded in the package. I agree we need to adopt Jeff's suggestion 1 for dependencies. I believe adopting suggestion 3 would be a bad idea: it introduces significant complexity and parties requiring that complexity almost certainly have a preferred format for expressing dependencies. During our discussion of his review Jeff and I decided we would like to see the draft point out the issue of circular dependencies. We should point out that you can build a system on top of this document that handles circular dependencies but describing a particular solution is out of scope. The probable solution is to provide a facility for atomically apply a set of firmware packages. However there is a lot of complexity associated with the security analysis and failure handling. I'd rather not go down that path with this draft. From: Jeffrey Hutzelman Subject: draft-housley-cms-fw-wrap-09.txt Below is the first rev of my comments on Russ's document, more or less prepared as I read it through for the first time. There are some things I want to go back and examine in more detail and/or think about some more, especially in light of Harald's comments. I'll try to do that in the next week, but I thought I'd send you what I have so far. I'm CC'ing Russ on this, since most of it won't change between now and when I'm done, and I see no reason to hold it back. The main caveat is that my comments on handling dependencies might change signficantly after I've thought about the issue some more. They might also be affected a lot by things like the intended application and how much work Russ wants to do (what's in there now suggests relatively simple changes; I could suggest something a lot more complete, but it'd be more work to specify and maybe to implement, and I'm not sure it's a good idea). Overall, the document is well-written, easy to understand, and sucks less than PKINIT (though the last is faint praise). Aside from the dependency issues, nothing I've found so far is something I would consider a show-stopper. - The spec seems to assume that all the work will be done inside the hardware module whose firmware is to be upgraded. It seems like the applicability of this document could be broadened by allowing for the case where all the work is done on a general-purpose computer which then programs a "dumb" device, or writes the unpackaged firmware image onto a piece of removable media in a bootable form. - I don't understand the purpose of the authorization model where a package contains information about what devices are allowed to have it, and the device is trusted to implement the access control. The trust model here seems backwards -- if only some devices are permitted to load the package, then the vendor should limit distribution of the package or encrypt it in keys known only to the authorized devices. - Dependency analysis is hard. This document describes only the simplest of dependency models, in which a package can indicate the need for at least a specified minimum version of one or more other packages. Unfortunately, as the number of packages and versions grows beyond just a few, this proves to be insufficient. A complete dependency system will have at least the following features (approximately in decreasing order of importance): - Minimum and maximum versions for each dependency, which can be used separately or together. - Anti-dependencies; that is, other packages (or versions) with which this package is incompatible. - The ability to load multiple packages in one atomic transaction, so it is possible to install sets of packages where there is a cycle in the dependency graph. - The ability for one package to obsolete another. For example, a new package might subsume functionality previously provided by multiple packages. - The ability for packages to provide and depend on versioned "features" other than the package name itself. This allows representation of the situation where package X requires a feature which might be provided by any of A, B, or C. In addition, when loading a package it is not enough to check that the dependencies of the package being loaded are satisfied. It is also critical to check that loading the new package does not violate the requirements of any other package already loaded. Obviously, the focus of this document is not on providing a complete packaging system for products involving hundreds or thousands of packages. So, it would be inappropriate to spend lots of effort on a complex dependency system, which is itself a hard problem. Still, it doesn't seem right to abandon the problem entirely, either. So, I have three recommendations for this... (1) Loading a package MUST fail if it would cause the dependency requirements of an already-loaded package to be violated. (2) Packages should be able to include additional information about dependencies, in a vendor-defined format. (3) This is not critical, but it would be nice to have a richer dependency data model, with these properties; + Preferred-form dependencies have both min and max versions + Dependencies can be on "features" in addition to packages + Packages can include a list of features they provide. (think of a feature as a "phony" package name) - I'm concerned about the requirement that "A unique object identifier MUST identify the collection of features that characterize the firmware package". This and the subsequent text seem desgined to insure that different branches or feature trains will have different OID's. That's probably a good thing, but the text as written seems to require that if I introduce a new feature, I have to change the OID. - When an earlier version is replacing a newer one, the bootstrap loader should not only generate a warning, but offer an opportunity to abort the load. Obviously this is not possible in all cases... - In storing preferred stale version numbers, only the most recent stale version for any given OID needs to be recorded. One would hope that implementors could figure this out for themselves, but it can't hurt to call it out. 2.2.3 Firmware Package Identifier: Should PreferredOrLegacyPackageIdentifier be extensible? Make stale a SEQUENCE, to allow one package to identify more than one stale version? 2.2.8 CommunityIdentifiers Should CommunityIdentifier be extensible? 4.1.3 FirmwarePackageLoadError I think the integer vendorErrorCode is a step in the right direction, but insufficient by itself. It should be possible to provide an OCTET STRING containing detailed information about the cause and circumstances of the error in a vendor-specific format. |
2005-01-07
|
11 | Sam Hartman | Date: Thu, 06 Jan 2005 13:33:05 -0500 From: Jeffrey Altman Organization: Not Affiliated with Columbia University in the City of New York To: Sam Hartman … Date: Thu, 06 Jan 2005 13:33:05 -0500 From: Jeffrey Altman Organization: Not Affiliated with Columbia University in the City of New York To: Sam Hartman Subject: Re: Secdir review: draft-housley-cms-fw-wrap-09 as a software packaging format Sam Hartman wrote: > > Hi. I'm shepherding a document for protecting firmware to be loaded > into hardware devices. The security aspects of the document seem > fine, but Harald has an outstanding discuss asking for more review of > the software packaging aspects of the document. > > I know all three of you have spent significant time evaluating > software packaging systems and using them in your environments. I > understand that you typically deal with environments where the > software packaging is for computers/os software rather than embed i > systems, but I believe the software packaging requirements for that > environment are strictly more involved than for embedded systems.d > > > > Please evaluate the software packaging aspects of this proposal. > Please let me know if you will have time for this review ASAP and > please return evaluations by 2005-01-06. > > > --Sam Sam: Overall I think this document is excellent. The contents of the firmware packaging support for restricted rollbacks, applicable uses, and designated communities is well thought out. It would be desirable to see this level of support for protecting the software package distributions for Linux, MacOSX or Windows. Unfortunately, there is thing which gnaws at me throughout the document: We cannot assume that the hardware module which is accepting the firmware package is either directly connected to a network or contains a clock. This means that revocation checks cannot be performed by the module. This is not described in the Security Considerations although it is briefly discussed in the Introduction (first paragraph page 5.) One thought that comes to mind is whether or not this document should provide optional support for the entity delivering the firmware package to the hardware module to also provide an OCSP response similar to what we are doing in draft-ietf-krb-wg-ocsp-for-pkinit. This would allow the hardware module to perform a validation check although it would still be forced to trust its peer in the delivery process to provide it a statement of current time. If a clock was provided the validation process would be complete. Some other minor items: #1 There is something wrong with the formatting of this document. At random points throughout there are line breaks inserted in the middle of words. #2 Last two paragraphs of page 8. Each paragraph ends with a discussion of "stale versions". Once for legacy and once for preferred. The text is similar enough that it would be better to extract the discussion into its own paragraph. I have not validated the ASN.1 as part of this review. Jeffrey Altman |
2004-12-17
|
11 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza |
2004-12-17
|
11 | (System) | Removed from agenda for telechat - 2004-12-16 |
2004-12-16
|
11 | Thomas Narten | [Ballot Position Update] New position, No Objection, has been recorded for Thomas Narten by Thomas Narten |
2004-12-16
|
11 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2004-12-16
|
11 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2004-12-16
|
11 | Harald Alvestrand | [Ballot comment] Reviewed by Scott Brim, Gen-ART No objections from the reviewer. |
2004-12-16
|
11 | Harald Alvestrand | [Ballot discuss] This mechanism specifies one component of a firmware management system. It does not specify the architecture of the system, and it does not … [Ballot discuss] This mechanism specifies one component of a firmware management system. It does not specify the architecture of the system, and it does not specify the usage models envisioned for the system. It is apparently specialized for some particular application (naming exported functions with the attribute "Implemented Crypto Algorithms" is a dead giveaway), but this is never mentioned in the introduction. The model of using only exact matching of complete object identifiers for both hardware module versions and software dependency versions also indicates that this is only useful in an environment where "control is everything". Google found no sign of a review on a public mailing list. There is no mention in the document of any company intending to use this. There is no mention of a review by people who are experts in the software management business. I would have no problem with this as Experimental - I'd find it valuable. But I think it's very likely to require substantial change before it's a generally usable mechanism for software module maintenance. Proposed Standard is inappropriate. |
2004-12-16
|
11 | Harald Alvestrand | [Ballot Position Update] New position, Discuss, has been recorded for Harald Alvestrand by Harald Alvestrand |
2004-12-16
|
11 | Bert Wijnen | [Ballot Position Update] Position for Bert Wijnen has been changed to No Objection from Undefined by Bert Wijnen |
2004-12-16
|
11 | Bert Wijnen | [Ballot comment] I see reference: UTF-8 Yergeau, F. UTF-8, a transformation format of ISO 10646. … |
2004-12-16
|
11 | Bert Wijnen | [Ballot Position Update] New position, Undefined, has been recorded for Bert Wijnen by Bert Wijnen |
2004-12-16
|
11 | Michelle Cotton | IANA Comments: We understand this document to have NO IANA Actions. |
2004-12-16
|
11 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
2004-12-15
|
11 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2004-12-15
|
11 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2004-12-14
|
11 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2004-12-12
|
11 | Scott Hollenbeck | [Ballot Position Update] Position for Scott Hollenbeck has been changed to No Objection from Undefined by Scott Hollenbeck |
2004-12-12
|
11 | Scott Hollenbeck | [Ballot comment] There are several places where the lines are broken strangely. |
2004-12-12
|
11 | Scott Hollenbeck | [Ballot Position Update] New position, Undefined, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2004-12-12
|
11 | Sam Hartman | No last call comments. |
2004-12-12
|
11 | Sam Hartman | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Sam Hartman |
2004-12-11
|
11 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2004-12-07
|
11 | Russ Housley | [Ballot Position Update] New position, Recuse, has been recorded for Russ Housley by Russ Housley |
2004-12-07
|
11 | Sam Hartman | [Ballot Position Update] New position, Yes, has been recorded for Sam Hartman |
2004-12-07
|
11 | Sam Hartman | Ballot has been issued by Sam Hartman |
2004-12-07
|
11 | Sam Hartman | Created "Approve" ballot |
2004-11-19
|
11 | Sam Hartman | Placed on agenda for telechat - 2004-12-16 by Sam Hartman |
2004-11-13
|
11 | Amy Vezza | Last call sent |
2004-11-13
|
11 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2004-11-12
|
11 | Sam Hartman | Last Call was requested by Sam Hartman |
2004-11-12
|
11 | Sam Hartman | State Changes to Last Call Requested from AD Evaluation by Sam Hartman |
2004-11-12
|
11 | (System) | Ballot writeup text was added |
2004-11-12
|
11 | (System) | Last call text was added |
2004-11-12
|
11 | (System) | Ballot approval text was added |
2004-11-12
|
09 | (System) | New version available: draft-housley-cms-fw-wrap-09.txt |
2004-11-12
|
11 | Sam Hartman | State Changes to AD Evaluation from Publication Requested by Sam Hartman |
2004-11-12
|
11 | Sam Hartman | Draft Added by Sam Hartman in state Publication Requested |
2004-10-25
|
08 | (System) | New version available: draft-housley-cms-fw-wrap-08.txt |
2004-10-13
|
07 | (System) | New version available: draft-housley-cms-fw-wrap-07.txt |
2004-09-20
|
06 | (System) | New version available: draft-housley-cms-fw-wrap-06.txt |
2004-09-07
|
05 | (System) | New version available: draft-housley-cms-fw-wrap-05.txt |
2004-06-24
|
04 | (System) | New version available: draft-housley-cms-fw-wrap-04.txt |
2003-09-29
|
03 | (System) | New version available: draft-housley-cms-fw-wrap-03.txt |
2003-07-28
|
02 | (System) | New version available: draft-housley-cms-fw-wrap-02.txt |
2003-04-01
|
01 | (System) | New version available: draft-housley-cms-fw-wrap-01.txt |
2003-02-12
|
00 | (System) | New version available: draft-housley-cms-fw-wrap-00.txt |