SUIT: Update to draft-ietf-v3

[bergzand]

Contribution description

This PR:

• Removes the currently available draft-moran-v4 SUIT firmware update module.
• Adds a reworked parser and update module based on draft-ietf-v3.
• Adds tooling to generated v3-style manifests using ARM python code.
• Adds a manifest parser test for the new SUIT firmware update module.
• Reworks the examples/suit_update to use the new SUIT firmware update module.

Removal of moran-v4 parser

The moran-v4 parser is outdated by now and should be removed as a replacement is provided with this PR. It has always been marked as experimental, so (IMHO) it should not have to go through a deprecation period first.

SUIT draft-ietf-v3 parser

The new parser is based on version 3 of the ietf draft. Compared to the previous version the manifest format is simplified a bit and functionality provided between the two versions is similar. As it is a draft it again is marked experimental and we expect minor (but incompatible) changes in follow up versions.

Tooling

The tool to generate manifests can be used in a similar way as the v4 tools. The tool is based on python code provided by ARM.

Test application

The test application generates a key and a number of correct and incorrect manifests. These are parsed and the expected result is asserted.

For the v4 version I placed the generated manifests in bin/manifest (it is a binary file) and it conveniently ensures that the files are included in the gitignore, please let me know if this should also be done with this PR.

Testing procedure

• Workflow as described by examples/suit_update works.
• Test application passes.

Issues/PRs references

Obsoletes #13440

[fjmolinas]

Here is a gist with putting up to date some things in the README. If you agree with the suggestions you can apply squash.

[bergzand]

Here is a gist with putting up to date some things in the README. If you agree with the suggestions you can apply squash.

Thanks! applied

[fjmolinas]

Thanks! applied

Pleas squash!

[bergzand]

Squashed!

[fjmolinas]

Seem there are some boards needing blacklist, and travis has a couple of complaints, Squash right away when addressed.

Otherwise there is still this:

@kaspar030 Is it possible that the Pi-based workers do not have ed25519 support in OpenSSL yet? The build run fails on generating the crypto keys.

[bergzand]

Seem there are some boards needing blacklist, and travis has a couple of complaints, Squash right away when addressed.

Added them

[bergzand]

@kaspar030, @fjmolinas All green here!

[bergzand]

@kaspar030, @fjmolinas All green here!

I added the examples/suit-update to the CI blacklist:

# This can be removed as soon as the Pi-fleet runners support an Openssl version
# with ed25519 support.
TEST_ON_CI_BLACKLIST = all

The suit_manifest test doesn't need to be blacklisted, all the crypto handling is done on build servers and those have a sufficiently modern Openssl.

[fjmolinas]

All my change requests have been addressed. I have tested the new test and the example. The Readme and documentation are up to date. ACK!

comments addressed

[bergzand]

🎉

Thanks!

[benpicco]

btw.: I now get

Traceback (most recent call last):
  File "/home/benpicco/dev/RIOT/dist/tools/suit_v3/suit-manifest-generator/bin/suit-tool", line 25, in <module>
    from suit_tool import clidriver
  File "/home/benpicco/dev/RIOT/dist/tools/suit_v3/suit-manifest-generator/bin/../suit_tool/clidriver.py", line 24, in <module>
    from suit_tool import create, sign, parse, get_uecc_pubkey
  File "/home/benpicco/dev/RIOT/dist/tools/suit_v3/suit-manifest-generator/bin/../suit_tool/create.py", line 20, in <module>
    from suit_tool.compile import compile_manifest
  File "/home/benpicco/dev/RIOT/dist/tools/suit_v3/suit-manifest-generator/bin/../suit_tool/compile.py", line 29, in <module>
    from suit_tool.manifest import SUITComponentId, SUITCommon, SUITSequence, \
  File "/home/benpicco/dev/RIOT/dist/tools/suit_v3/suit-manifest-generator/bin/../suit_tool/manifest.py", line 22, in <module>
    import cbor
ModuleNotFoundError: No module named 'cbor'

when building anything.
The build continues successfully, but this is of course annoying 😉

Maybe something like this?

diff --git a/Makefile.dep b/Makefile.dep
index 6c07ef3a2..4dc857eba 100644
--- a/Makefile.dep
+++ b/Makefile.dep
@@ -959,6 +959,9 @@ ifneq (,$(filter suit,$(USEMODULE)))
   USEMODULE += libcose_crypt_c25519
   USEMODULE += uuid
 
+  BUILDDEPS += $(SUIT_PUB_HDR)
+  CFLAGS += -I$(SUIT_PUB_HDR_DIR)
+
   # tests/suit_manifest has some mock implementations,
   # only add the non-mock dependencies if not building that test.
   ifeq (,$(filter suit_transport_mock,$(USEMODULE)))
diff --git a/makefiles/suit.base.inc.mk b/makefiles/suit.base.inc.mk
index ab0d84c10..710a3506e 100644
--- a/makefiles/suit.base.inc.mk
+++ b/makefiles/suit.base.inc.mk
@@ -21,8 +21,6 @@ SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem
 
 SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h
 SUIT_PUB_HDR_DIR = $(dir $(SUIT_PUB_HDR))
-CFLAGS += -I$(SUIT_PUB_HDR_DIR)
-BUILDDEPS += $(SUIT_PUB_HDR)
 
 $(SUIT_SEC): $(CLEAN)
        @echo suit: generating key in $(SUIT_KEY_DIR)