fb603f2660
18459: makefiles/suit: make it possible to accept multiple SUIT keys r=miri64 a=benpicco 18724: nanocoap_sock: implement DTLS socket r=miri64 a=benpicco 19081: sys/stdio_udp: add stdio over UDP r=benpicco a=benpicco 19082: core/init: add early_init() r=benpicco a=benpicco 19136: CI: re-add "synchronize" event to check-labels r=miri64 a=kaspar030 Co-authored-by: Benjamin Valentin <benjamin.valentin@ml-pa.com> Co-authored-by: Benjamin Valentin <benjamin.valentin@bht-berlin.de> Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> |
||
---|---|---|
.. | ||
bin | ||
suit_tool | ||
LICENSE | ||
README.md | ||
setup.py |
Manifest Generator
This repository contains a tool to generate manifests following the specification in https://tools.ietf.org/html/draft-ietf-suit-manifest-03.
Installing
First clone this repo:
$ git clone https://github.com/ARMmbed/suit-manifest-generator.git
Next, use pip to install the repo:
$ cd suit-manifest-generator
$ python3 -m pip install --user --upgrade .
Input File Description
The input file is organised into four high-level elements:
manifest-version
(a positive integer), the version of the manifest specificationmanifest-sequence-number
(a positive integer), the anti-rollback counter of the manifestcomponents
, a list of components that are described by the manifest
Each component is a JSON map that may contain the following elements. Some elements are required for the target to be able to install the component.
Required elements:
install-id
(a Component ID), the identifier of the location to install the described component.install-digest
(a SUIT Digest), the digest of the component after installation.install-size
(a positive integer), the size of the component after installation.vendor-id
(a RFC 4122 UUID), the UUID for the component vendor. This must match the UUID that the manifest processor expects for the specifiedinstall-id
. The suit-tool expects at least one component to have avendor-id
class-id
(a RFC 4122 UUID), the UUID for the component. This must match the UUID that the manifest processor expects for the specifiedinstall-id
. Thesuit-tool
expects at least one component with avendor-id
to also have aclass-id
file
(a string), the path to a payload file. Theinstall-digest
andinstall-size
will be calculated from this file.
Some elements are not required by the tool, but are necessary in order to accomplish one or more use-cases.
Optional elements:
-
bootable
(a boolean, default:false
), when set to true, thesuit-tool
will generate commands to execute the component, either frominstall-id
or fromload-id
(see below) -
uri
(a text string), the location at which to find the payload. This element is required in order to generate thepayload-fetch
andinstall
sections. -
loadable
(a boolean, default:false
), when set to true, thesuit-tool
loads this component in theload
section. -
compression-info
(a choice of string values), indicates how a payload is compressed. When specified, payload is decompressed before installation. Theinstall-size
must match the decompressed size of the payload and the install-digest must match the decompressed payload. N.B. The suit-tool does not perform compression. Supported values are:gzip
bzip2
deflate
lz4
lzma
-
download-digest
(a SUIT Digest), a digest of the component after download. Only required ifcompression-info
is present anddecompress-on-load
isfalse
. -
decompress-on-load
(a boolean, default:false
), when set to true, payload is not decompressed during installation. Instead, the payload is decompressed during loading. This element has no effect ifloadable
isfalse
. -
load-digest
(a SUIT Digest), a digest of the component after loading. Only required ifdecompress-on-load
istrue
. -
install-on-download
(boolean, default: true), If true, payload is written toinstall-id
during download, otherwise, payload is written todownload-id
. -
download-id
(a component id), the location where a downloaded payload should be stored before installation--only used wheninstall-on-download
isfalse
.
Component ID
The suit-tool
expects component IDs to be a JSON list of strings. The suit-tool
converts the strings to bytes by:
- Attempting to convert from hex
- Attempting to convert from base64
- Encoding the string to UTF-8
For example,
["00"]
will encode to814100
([h'00']
)["0"]
will encode to814130
([h'30']
)["MTIzNA=="]
will encode to814431323334
([h'31323334']
)["example"]
will encode to81476578616D706C65
([h'6578616d706c65']
)
N.B. Be careful that certain strings can appear to be hex or base64 and will be treated as such. Any characters outside the set [0-9a-fA-F]
ensure that the string is not treated as hex. Any characters outside the set [0-9A-Za-z+/]
or a number of characters not divisible by 4 will ensure that the string is not treated as base64.
SUIT Digest
The format of a digest is a JSON map:
{
"algorithm-id" : "sha256",
"digest-bytes" : "base64-or-hex"
}
The algorithm-id
must be one of:
sha224
sha256
sha384
sha512
The digest-bytes
is a string of either hex- or base64-encoded bytes. The same decoding rules as those in Component ID are applied.
Example Input File
{
"components" : [
{
"download-id" : ["01"],
"install-id" : ["00"],
"install-digest": {
"algorithm-id": "sha256",
"digest-bytes": "00112233445566778899aabbccddeeff0123456789abcdeffedcba9876543210"
},
"install-size" : 34768,
"uri": "http://example.com/file.bin",
"vendor-id" : "fa6b4a53-d5ad-5fdf-be9d-e663e4d41ffe",
"class-id" : "1492af14-2569-5e48-bf42-9b2d51f2ab45",
"bootable" : true,
"install-on-download" : false,
"loadable" : true,
"decompress-on-load" : true,
"load-id" : ["02"],
"compression-info" : "gzip",
"load-digest" : {
"algorithm-id": "sha256",
"digest-bytes": "0011223344556677889901234567899876543210aabbccddeeffabcdeffedcba"
},
},
{
"install-id" : ["03", "01"],
"install-digest": {
"algorithm-id": "sha256",
"digest-bytes": "0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff"
},
"install-size" : 76834,
"uri": "http://example.com/file2.bin"
}
],
"manifest-version": 1,
"manifest-sequence-number": 7
}
Invoking the suit-tool
The suit-tool
supports three sub-commands:
create
generates a new manifest.sign
signs a manifest.parse
parses an existing manifest into cbor-debug or a json representation.keygen
Create a signing key. Not for production use.pubkey
Get the public key for a supplied private key in uECC-compatible C definition.
The suit-tool
has a configurable log level, specified with -l
:
suit-tool -l debug
verbose outputsuit-tool -l info
normal outputsuit-tool -l warning
suppress informational messagessuit-tool -l exception
suppress warning and informational messages
Create
To create a manifest, invoke the suit-tool
with:
suit-tool create -i IFILE -o OFILE
The format of IFILE
is as described above. OFILE
defaults to a CBOR-encoded SUIT manifest.
-f
specifies the output format:
suit
: CBOR-encoded SUIT manifestsuit-debug
: CBOR-debug SUIT manifestjson
: JSON-representation of a SUIT manifest
The suit-tool
can generate a manifest with severable fields. To enable this mode, add the -s
flag.
To add a component to the manifest from the command-line, use the following syntax:
-c 'FIELD1=VALUE1,FIELD2=VALUE2'
The supported fields are:
file
the path fo a file to use as a payload file.inst
theinstall-id
.uri
the URI where the file will be found.
Sign
To sign an existing manifest, invoke the suit-tool
with:
suit-tool sign -m MANIFEST -k PRIVKEY -o OFILE
PRIVKEY
must be a secp256r1 ECC private key in PEM format.
If the COSE Signature needs to indicate the key ID, add a key id with:
-i KEYID
Parse
To parse an existing manifest, invoke the suit-tool
with:
suit-tool parse -m MANIFEST
If a json-representation is needed, add the '-j' flag.
Keygen
Create an asymmetric keypair for non-production use. Production systems should use closely guarded keys, such as keys stored in an HSM.
suit-tool keygen [-t TYPE] -o KEYFILE
suit-tool keygen
defaults to creating SECP256r1 keys. To create another type of key, use -t
followed by one of:
secp256r1
secp384r1
secp521r1
ed25519
UECC public key
Derive a public key in the format used by micro ECC. The input is a PEM private key.
suit-tool pubkey -k FILE
The tool will then print the public key in micro ECC format.