From 08b92e867f2ce643ced933f94ed4cbb37748033c Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Tue, 17 Sep 2024 17:35:37 -0700 Subject: [PATCH] Finalize first draft of L2, L3, remove L4 Signed-off-by: Marcela Melara --- docs/spec/draft/attested-build-env-levels.md | 177 +++++++++++-------- 1 file changed, 99 insertions(+), 78 deletions(-) diff --git a/docs/spec/draft/attested-build-env-levels.md b/docs/spec/draft/attested-build-env-levels.md index 99ea338d7..1a9f51fa6 100644 --- a/docs/spec/draft/attested-build-env-levels.md +++ b/docs/spec/draft/attested-build-env-levels.md @@ -29,18 +29,21 @@ execution context. In this track, provenance describes how a [build image] was created, how the [hosted] build platform deployed a build image in its environment, and the compute platform they used. -| Track/Level | Requirements | Focus -| ------------- | ------------ | ----- -| [BuildEnv L0] | (none) | (n/a) -| [BuildEnv L1] | Signed build image provenance exists | Tampering during build image distribution -| [BuildEnv L2] | Attested build environment instantiation | Tampering via the build platform's control plane -| [BuildEnv L3] | Hardware-authenticated build environment | Tampering via the compute platform's host interface -| [BuildEnv L4] | Runtime monitored build environment | Tampering by the build platform or compute platform during the build - -> [!IMPORTANT] -> The Environment track currently requires a [hosted] build platform. -> A future version of this track may generalize requirements to cover local -> build environments (e.g., developer laptop). +| Track/Level | Requirements | Focus | Trust Root +| ------------- | ------------ | ----- | ---------- +| [BuildEnv L0] | (none) | (n/a) | (n/a) +| [BuildEnv L1] | Signed build image provenance exists | Tampering during build image distribution | Signed build image provenance +| [BuildEnv L2] | Attested build environment instantiation | Tampering via the build platform's control plane | The compute platform's host interface +| [BuildEnv L3] | Hardware-attested build environment | Tampering via the compute platform's host interface | The compute platform's hardware + +> :warning: +> The Build Environment track currently requires a [hosted] build platform. +> A future version of this track may generalize requirements to cover bare-metal +> build environments. + +> :grey_exclamation: +> We may consider the addition of an L4 to the Build Environment track, which +> covers hardware-attested runtime integrity checking during a build. ### Build environment model @@ -55,16 +58,15 @@ A typical build environment will go through the following lifecycle: 1. *Build image creation*: A build image producer creates different build images through dedicated build process. For the SLSA Environment track, the build image producer outputs provenance describing this process. - 2. *Build environment instantiation*: The hosted build platform calls - into the *host interface* to create a new build environment from a given - build image. The *build agent* begins to wait for an incoming build - dispatch. - **[TODO: revise]** For the SLSA Environment track, the hosted build - platform attests to the *measurement* of the environment's *initial +2. *Build environment instantiation*: The hosted build platform calls + into the *host interface* to create a new instance of a build environment + from a given build image. The *build agent* begins to wait for an incoming + build dispatch. For the SLSA Environment track, the host interface in the + compute platform attests to the integrity of the environment's *initial state* during its boot process. 3. *Build dispatch*: When the tenant dispatches a new build, the hosted build platform assigns the build to a created build environment. - **[TODO: revise]** For the SLSA Environment track, the build platform + For the SLSA Environment track, the build platform attests to the binding between a build environment and *build ID*. 4. *Build execution*: Finally, the *build executor* running within the environment executes the tenant's build definition. @@ -84,9 +86,9 @@ and roles: | Build dispatch | The process of assigning a tenant's build to a pre-deployed build environment on a hosted build platform. | Compute platform | The compute system and infrastructure underlying a build platform, i.e., the host system (hypervisor and/or OS) and hardware. In practice, the compute platform and the build platform may be managed by the same or distinct organizations. | Host interface | The component in the compute platform that the hosted build platform uses to request resources for deploying new build environments, i.e., the VMM/hypervisor or container orchestrator. -| Boot process | In the context of builds, the process of loading and executing the layers of firmware and/or software needed to start up a build environment on the build platform. +| Boot process | In the context of builds, the process of loading and executing the layers of firmware and/or software needed to start up a build environment on the host compute platform. | Measurement | The cryptographic hash of some component or system state in the build environment, including software binaries, configuration, or initialized run-time data. -| Quote | Hardware-signed data that contains one or more hardware-generated measurements. Quotes may additionally include nonces for replay protection, firmware information, or other platform metadata. +| Quote | (Virtual) hardware-signed data that contains one or more (virtual) hardware-generated measurements. Quotes may additionally include nonces for replay protection, firmware information, or other platform metadata. | Reference value | A specific measurement used as the good known value for a given build environment component or state. TODO: Disambiguate similar terms (e.g., image, build job, build runner) @@ -178,8 +180,10 @@ integrity for build environments at the time of build image distrbution. - Build Platform: - MUST meet SLSA [Build L2] requirements. - - Prior to deployment of a new build environment, the SLSA Provenance - for the selected build image SHOULD be automatically verified. + - Prior to the instantiation of a new build environment, the SLSA Provenance + for the selected build image MUST be automatically verified. + A signed attestation to the result of the SLSA Provenance verification MUST + be generated and distributed (e.g., via a [VSA]).
Benefits
@@ -196,9 +200,9 @@ source and build process.
Summary
-The build environment is measured and authenticated prior to dispatching -any builds, attesting to the integrity of initial state of the environment -when it's deployed by the build platform. +The build environment is measured and authenticated by the compute platform +upon instantiation, attesting to the integrity of the initial state +of the environment prior to executing a build.
Intended for
@@ -212,32 +216,46 @@ All of [BuildEnv L1], plus: - Build Image Producer: - Build images MUST be created via a SLSA [Build L3] or higher build process. - - **[TODO: revise]** MUST add support in the build image to: - - Automatically check build image components against their - reference values during build environment startup. - In VM-based images, this can be achieved by enabling a [trusted boot] - process. In container-based build images, a dedicated program MUST be - used to perform these checks.[^1] - - Automatically generate and distribute a signed attestation that - the initial state of a given build environment instance has been - verified against the corresponding build image, incl. its SLSA - Provenance (e.g., using [SCAI] or a [VSA]). - MUST automatically generate and distribute signed reference values for the following build image components: bootloader or equivalent, - guest kernel, build agent, build executor, and root filesystem. + guest kernel, build agent, build executor, and root filesystem (e.g., + via the image's SLSA Provenance, or [SCAI]). Additional build image components whose initial state is to be checked MAY be also measured. - -- **[TODO: revise]** Build Platform Requirements: + - The running build environment MUST be capable of: + - Upon completion of the boot process: Automatically interfacing + with the host interface to obtain a signed quote for the + environment's initial state. + - Upon build dispatch: Automatically generating and distributing + a signed attestation that binds its boot process quote to the + assigned build ID (e.g., using [SCAI]). + +- Build Platform Requirements: - MUST meet SLSA [Build L3] requirements. - - Prior to deployment of a new build environment, the SLSA Provenance - for the selected build image MUST be automatically verified. A signed - attestation to the verification of the build image's SLSA Provenance - MUST be automatically generated and distributed (e.g., via a [VSA]). - - Prior to dispatching a tenant's build to a deployed environment, its - initial state attestation MUST be automatically verified. A signed - attestation binding the tenant's build ID to the verified initial state - of the selected build environment MUST be generated and distributed. + - Prior to dispatching a tenant's build to an instantiated environment, + its boot process quote MUST be automatically verified. A signed + attestation to the result of the verification MUST be generated and + distributed (e.g., via a [VSA]). + +- Compute Platform Requirements: + - The host interface MUST be capable of generating signed quotes for + the build environment's system state. + In a VM-based environment, this MUST be achieved by enabling a feature + like [vTPM], or equivalent, in the hypervisor. + For container-based environments, the container orchestrator MAY need + modifications to produce these attestations. + - The host interface MUST validate the measurements of the build image + components against their references values during the build environment's + boot process. + In a VM-based environment, this MUST be achieved by enabling a process + like [Secure Boot], or equivalent, in the hypervisor. + For container-based environments, the container orchestrator MAY need + modifications to perform these checks.[^1] + - Prior to instantiating a new build environment, the host interface + MUST automatically verify the SLSA Provenance for the selected build + image. A signed attestation to the verification of the build image's + SLSA Provenance MUST be automatically generated and distributed (e.g., + via a [VSA]).
Benefits
@@ -251,59 +269,62 @@ adversary.
-### BuildEnv L3: Hardware-authenticated build environment +### BuildEnv L3: Hardware-attested build environment
Summary
-The initial state of the build environment is measured and autenticated by -trusted hardware, and the build ID is verifiably bound to the -deployed build environment, attesting to the integrity of the environment -when a tenant's build is first dispatched. +The initial state of the build's host environment is measured +and autenticated by trusted hardware, attesting to the integrity +of the build environment's underlying compute stack prior to executing +a build.
Intended for
-Organizations wanting strong assurances that their build was dispatched in -a known good environment. +Organizations wanting strong assurances that their build ran on a good +known host environment.
Requirements
All of [BuildEnv L2], plus: -**[TODO: These requirements need to be re-formulated.]** - - Build Image Producer: - - MUST add support in the build image to: - - Use trusted hardware to check build image component reference - values and integrity of the build environment startup. - - Automatically generate and distribute a signed attestation - that a given build ID was dispatched in the corresponding build - environment instance, incl. its initial state attestation (e.g., - using [SCAI] or a [VSA]). - - Use trusted hardware to sign all build image-generated - attestations. - -- Build Platform Requirements: TODO - -- Compute Platform Requirements: TODO + - Upon completion of the boot process: The running build environment + MUST be capable of automatically interfacing with the *trusted hardware* + component to obtain a signed quote for the host interface's boot process + quote and the environment's initial state. + - Upon build dispatch: The generated dispatch attestation MUST include + the host interface's boot process quote. + +- Build Platform Requirements: + - Prior to dispatching a tenant's build to an instantiated environment, + the *host interface's* boot process quote MUST be automatically verified. + A signed attestation to the result of the verification MUST be generated + and distributed (e.g., via a [VSA]). + +- Compute Platform Requirements: + - MUST have trusted hardware capabilities, i.e., built-in physical + hardware features for generating measurements and quotes for its system + state. This SHOULD be achieved using a feature like [TPM], + [confidential computing], or equivalent. + - MUST enable validation of the host interface's boot process against + its reference values. This MUST be achieved by enabling a process + like [Secure Boot], or equivalent, in the host platform.
Benefits
-Provides hardware-authenticated evidence that a build running on a hosted -build platform was dispatched in the expected build environment, even in the -face of a compromised host interface (hypervisor/container orchestrator). +Provides hardware-authenticated evidence that a build ran in the expected host +environment, even in the face of a compromised host interface +(hypervisor/container orchestrator).
-
-### BuildEnv L4: Runtime monitored build environment +## Considerations for Distributed Builds TODO -
- [^1]: Since containers are executed as processes on the host platform they do not contain a traditional bootloader that starts up the execution context. @@ -317,11 +338,11 @@ TODO [BuildEnv L1]: #buildenv-l1 [BuildEnv L2]: #buildenv-l2 [BuildEnv L3]: #buildenv-l3 -[BuildEnv L4]: #buildenv-l4 [SCAI]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md +[Secure Boot]: https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot.3F [VSA]: verification_summary.md [build image]: #definitions [build model]: terminology.md#build-model [hosted]: requirements.md#isolation-strength [several classes]: #build-environment-threats -[trusted boot]: https://csrc.nist.gov/glossary/term/trusted_boot +[vTPM]: https://trustedcomputinggroup.org/about/what-is-a-virtual-trusted-platform-module-vtpm/