New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi-Roundtrip TA Installation #43
Comments
What is the use case for this? I can't think of one right now where this would be needed. |
Manifests can be bundled with and without binaries. Additionally, a binary may have a dependency on another binary. In those cases where the provided manifest came without a binary or when there is another binary needed (as a dependency) then we need to have a way for the TEEP Agent to get back to the TAM and inform the TAM that more binaries are needed. (The same may be true for personalization data or configuration data that is referenced as a dependency.) The mechanism above is what I am proposing to address this use case. |
Since the TAM gets the list of TAs installed, then the TAM should be able to install the dependencies before pushing down the dependent manifest. Thus, success of a dependency install means the TAM can now do a TrustedAppInstall that depends on it.
The only case I can think of where you have to pend things is if the personalization data comes via a different TAM. The "continue" proposal would not work in this case with different TAMs, whereas the approach I describe above does not need any "Continue" response and works with multiple TAMs. |
You are making the TAM do all the dependency resolution upfront while I am trying to add a solution to the case where the client also does some degree of dependency resolution. |
No I am not. See my statement above which shows a client driven mechanism:
|
Per IETF 109 side meeting discussion Addresses part of issue #43 but not all of it Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
Per IETF 109 side meeting discussion Addresses part of issue #43 but not all of it Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
Slide 7 of the TEEP protocol presentation covered this issue at IETF 109 The proposed resolution is:
The thing to note is that we still need to provide freshness (replay protection) of SUIT reports, so if we use a token or nonce, then the TAM has to store it while the install is outstanding. |
Issue #141 tracks the freshness discussion. |
…ution Addresses #43 per discussion at IETF 109 Signed-off-by: Dave Thaler <dthaler@microsoft.com>
Fixed in draft-06 |
If a TA installation that contains a SUIT manifest requires further interactions to perform a complete installation of dependencies then the TEEP Agent has to be given the ability to tell the TAM that further interactions are needed.
Hence, I should suggest to add the possibility to continue the TA installation after the TrustedAppInstall message.
Here is an example of what I have in mind:
The text was updated successfully, but these errors were encountered: