From b5340087da89ade3726c5b555ab0963ed3400e88 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Wed, 16 Feb 2022 17:08:52 +0200 Subject: [PATCH 1/4] Update metadata version comparison rules in client workflow The client workflow has a set of version comparison rules for how to update metadata files. The following PR addresses the differences coming from the fact that when updating not all metadata files should be treated equally. Fixes #207 and is related to #114 Signed-off-by: Radoslav Dimitrov --- tuf-spec.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index 1ca9b0a..15dd095 100644 --- a/tuf-spec.md +++ b/tuf-spec.md @@ -1315,11 +1315,11 @@ it in the next step. and report the signature failure. 5. **Check for a rollback attack.** The version number of the trusted - root metadata file (version N) MUST be less than or equal to the version + root metadata file (version N) MUST be less than the version number of the new root metadata file (version N+1). Effectively, this means checking that the version number signed in the new root metadata file is - indeed N+1. If the version of the new root metadata file is less than the - trusted metadata file, discard it, abort the update cycle, and report the + indeed N+1. If the version of the new root metadata file is less than or equal + to the version of the trusted metadata file, discard it, abort the update cycle, and report the rollback attack. 6. Note that the expiration of the new (intermediate) root metadata 
@@ -1368,9 +1368,9 @@ it in the next step. 3. **Check for a rollback attack.** 1. The version number of the trusted timestamp metadata file, if - any, MUST be less than or equal to the version number of the new timestamp - metadata file. If the new timestamp metadata file is older than the - trusted timestamp metadata file, discard it, abort the update cycle, and + any, MUST be less than the version number of the new timestamp + metadata file. If the new timestamp metadata file is less than or equal to + the trusted timestamp metadata file, discard it, abort the update cycle, and report the potential rollback attack. 2. The version number of the snapshot metadata file in the From 17fd272a7b59aee723fabdec743f71826bd511b8 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Thu, 17 Feb 2022 12:40:44 +0200 Subject: [PATCH 2/4] Bump date and version to 1.0.29 Signed-off-by: Radoslav Dimitrov --- tuf-spec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index 15dd095..d3d315f 100644 --- a/tuf-spec.md +++ b/tuf-spec.md @@ -3,7 +3,7 @@ Title: The Update Framework Specification Shortname: TUF Status: LS Abstract: A framework for securing software update systems. -Date: 2021-12-14 +Date: 2022-02-17 Editor: Justin Cappos, NYU Editor: Trishank Karthik Kuppusamy, Datadog Editor: Joshua Lock, VMware @@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no Local Boilerplate: header yes Markup Shorthands: css no, markdown yes Metadata Include: This version off, Abstract off -Text Macro: VERSION 1.0.28 +Text Macro: VERSION 1.0.29 Note: We strive to make the specification easy to implement, so if you come From d0086070b1fe0a327dd8e1aba996344a0c150519 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Fri, 25 Feb 2022 18:27:04 +0200 Subject: [PATCH 3/4] Address what happens in case of equal metadata versions for client update 
Signed-off-by: Radoslav Dimitrov --- tuf-spec.md | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index d3d315f..2c8e33b 100644 --- a/tuf-spec.md +++ b/tuf-spec.md @@ -1318,9 +1318,10 @@ it in the next step. root metadata file (version N) MUST be less than the version number of the new root metadata file (version N+1). Effectively, this means checking that the version number signed in the new root metadata file is - indeed N+1. If the version of the new root metadata file is less than or equal - to the version of the trusted metadata file, discard it, abort the update cycle, and report the - rollback attack. + indeed N+1. If the version of the new root metadata file is less than the version + of the trusted metadata file, discard it, abort the update cycle, and report the + rollback attack. In case they are equal, again discard the new root metadata, but + proceed the update cycle with the already trusted root metadata. 6. Note that the expiration of the new (intermediate) root metadata file does not matter yet, because we will check for it in step 5.3.10. @@ -1361,7 +1362,7 @@ it in the next step. 2. **Check for an arbitrary software attack.** The new timestamp metadata file MUST have been signed by a threshold of keys specified in the - trusted root metadata file. If the new timestamp metadata file is not + trusted root metadata file. If the new timestamp metadata file is not properly signed, discard it, abort the update cycle, and report the signature failure. 
@@ -1369,13 +1370,17 @@ it in the next step. 1. The version number of the trusted timestamp metadata file, if any, MUST be less than the version number of the new timestamp - metadata file. If the new timestamp metadata file is less than or equal to - the trusted timestamp metadata file, discard it, abort the update cycle, and - report the potential rollback attack. + metadata file. If the new timestamp metadata version is less than the trusted + timestamp metadata version, discard it, abort the update cycle, and + report the potential rollback attack. In case they are equal, discard the new + timestamp metadata and abort the update cycle. This is normal and it + shouldn't raise any error. The reason for aborting the update process is that + there shouldn't be any changes in the content of this, or any other metadata + files too, considering it has the same version as the already trusted one. 2. The version number of the snapshot metadata file in the trusted timestamp metadata file, if any, MUST be less than or equal to its - version number in the new timestamp metadata file. If not, discard the new + version number in the new timestamp metadata file. If not, discard the new timestamp metadata file, abort the update cycle, and report the failure. 4. **Check for a freeze attack.** The expiration timestamp in the From 24638a67ff225154aba973fb585f1838339aa7a2 Mon Sep 17 00:00:00 2001 From: Joshua Lock Date: Thu, 28 Apr 2022 21:23:35 +0100 Subject: [PATCH 4/4] Update VERSION and Date --- tuf-spec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index 2c8e33b..64e7ed6 100644 --- a/tuf-spec.md +++ b/tuf-spec.md @@ -3,7 +3,7 @@ Title: The Update Framework Specification Shortname: TUF Status: LS Abstract: A framework for securing software update systems. -Date: 2022-02-17 +Date: 2022-04-28 Editor: Justin Cappos, NYU Editor: Trishank Karthik Kuppusamy, Datadog Editor: Joshua Lock, VMware 
@@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no Local Boilerplate: header yes Markup Shorthands: css no, markdown yes Metadata Include: This version off, Abstract off -Text Macro: VERSION 1.0.29 +Text Macro: VERSION 1.0.30 Note: We strive to make the specification easy to implement, so if you come
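Review bot: with the MUST in the root rollback hunk (patch 1, @@ -1315) tightened to strictly "less than", an equal version is now reported as a rollback attack, while the unchanged next sentence still says the check is "effectively" that the new file is "indeed N+1". A client that refetches the root it already trusts (same version, same content) would raise a rollback error for a benign condition, and a strict "less than" also admits N+2 or higher, which is not "indeed N+1". State the accepted relation once and precisely: either require the new version to be exactly N+1, or require it to be greater than N and treat equality as a no-op rather than an attack (patch 3 in this series takes the no-op route for the equal case, so the intermediate wording here never needs to exist if the series is squashed).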
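Review bot: the replacement sentence in the timestamp hunk (patch 1, @@ -1368) compares files instead of versions: "If the new timestamp metadata file is less than or equal to the trusted timestamp metadata file". Write "If the version of the new timestamp metadata file is less than or equal to the version of the trusted timestamp metadata file". The same equality concern as in the root hunk applies with more force here: a refetched timestamp of the same version is the normal steady state of a repository with no new release, so reporting it as a "potential rollback attack" produces a false alarm on every idle update cycle.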
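Review bot: "proceed the update cycle with the already trusted root metadata" in the root hunk of patch 3 (@@ -1318) is ungrammatical and underspecified: it does not say whether the client stops iterating over root versions (it requested N+1 and received N) or keeps requesting N+2, N+3, and so on. Suggest: "In case they are equal, discard the new root metadata, stop fetching further root versions, and continue the update cycle with the already trusted root metadata." Since the client asked for version N+1 by name, receiving version N back is also worth a sentence explaining why that is expected rather than a server or path error.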
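Review bot: the hunk at @@ -1361 in patch 3 appears to change only trailing whitespace on "trusted root metadata file. If the new timestamp metadata file is not" (the removed and added lines are otherwise identical). Harmless, but it is unrelated to the version-comparison change; drop it or move it to its own commit so the diff reads as pure semantics.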
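Review bot: the equal-version rule added in the timestamp hunk of patch 3 (@@ -1369) aborts the whole update cycle when the new timestamp has the same version as the trusted one, justified by "there shouldn't be any changes in the content of this, or any other metadata files too". That holds only if the previous cycle completed: if an earlier run accepted the timestamp and then failed before snapshot or targets metadata (or the target file itself) was downloaded, every following run sees an equal timestamp version, aborts, and never recovers until the repository publishes a new release. Aborting at step 3 also means the "Check for a freeze attack" step that follows is never reached in this cycle, so an unchanged but expired timestamp never has its expiration examined. Consider keeping the trusted timestamp and continuing with the remaining steps (as the root hunk in this same patch now does), or state explicitly that an abort here still requires the expiration checks on the trusted metadata and the completion of any missing downloads. Minor wording: "it shouldn't raise any error" and "any other metadata files too" read as chat; "This is not an error." and "in any other metadata file" fit the spec register.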
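Review bot: the Date and VERSION bumps in patch 4 (@@ -3 and @@ -16) repeat the bump already made in patch 2 (from 2021-12-14 to 2022-02-17 and from 1.0.28 to 1.0.29), so the series carries an intermediate 1.0.29 that corresponds to no published revision; squash both bumps into one final commit so a single version maps to a single change. Patch 4 is also the only commit in the series without a Signed-off-by line; add one if the repository expects DCO sign-off, as the other three commits suggest.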