
Deployment Considerations and Best Practices for Uptane
Apache License 2.0

Introducing a secure software supply chain mechanism, such as in-toto, to Uptane #82

Closed jhdalek55 closed 2 years ago

jhdalek55 commented 3 years ago

At our last 2020 Standards meeting, the issue was raised that Uptane Deployment Best Practices should discuss options for securing the supply chain for automotive software. The Secure Systems Lab's in-toto project has already proven successful in integrating with TUF for such purposes. This issue thread can serve as a forum for discussing how to utilize the in-toto framework to minimize attack surfaces and extend the protections of Uptane through the lifecycle of a piece of software.

trishankatdatadog commented 3 years ago

I think ITE-2 and ITE-3 should be decent start points for documentation on why and how to combine TUF and in-toto.

jhdalek55 commented 3 years ago

@trishankatdatadog Do you think we could extract some starter text from those documents to begin playing with a PR on this issue? I think discussion is always better when we can put some text in play.

jhdalek55 commented 3 years ago

Can someone take a run at developing some starter text for this issue? It is flagged for 2.0.0, but I think it would be helpful to put together a proposal for text on the Deployment pages. Even if we are not ready to propose an actual solution, I believe in the wake of SolarWinds, we should acknowledge that this is an issue we are investigating.

jhdalek55 commented 3 years ago

This issue was discussed at some length at the 4/13/21 Uptane meeting. @JustinCappos recommended we look at the DataDog integration and/or software bill of materials (SBOM) entries. @iramcdonald pointed us towards the NTIA Software Component Transparency (https://www.ntia.doc.gov/SBOM). We will be looking at various approaches and will add some copy to the Deployment pages on this topic.

iramcdonald commented 3 years ago

Hi Lois,

For NTIA, the primary reference should be to their SBOM (Software Bill of Materials) project:

https://www.ntia.gov/SBOM

The other NTIA reference was to a related conference, but does not include the list of tools, formats, and standards for SBOMs (which are listed at the above reference).

My TCG colleague Henk Birkholz (Fraunhofer Security Institute) is actively participating in the NTIA SBOM project.

Cheers,

Ira McDonald (Musician / Software Architect)

Chair - SAE Trust Anchors and Authentication TF
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: @. @.> (permanent)
PO Box 221 Grand Marais, MI 49839
906-494-2434

On Tue, Apr 20, 2021 at 9:30 PM Lois Anne DeLong @.***> wrote:

This issue was discussed at some length at the 4/13/21 Uptane meeting. @JustinCappos recommended we look at the DataDog integration and/or software bill of materials (SBOM) entries. @iramcdonald pointed us towards the NTIA Software Component Transparency (https://www.ntia.doc.gov/SoftwareTransparency). We will be looking at various approaches and will add some copy to the Deployment pages on this topic.

jhdalek55 commented 3 years ago

Thanks for the update, Ira.

trishankatdatadog commented 3 years ago

ITE-2 and ITE-3 might help...

jhdalek55 commented 3 years ago

As of the 8/3 Standards meeting, it was decided this topic will be addressed in our next whitepaper, which is to be released in December. Text will likely be added to the Deployment pages, but possibly not in time for 2.0.0.

jhdalek55 commented 3 years ago

Note that @trishankatdatadog opened PURE Issue #2 dealing with this topic (https://github.com/uptane/pures/issues/2), so in parallel with the whitepaper he and @mnm678 will be drafting a PURE as well.

jhdalek55 commented 2 years ago

Closing this via PR #121. I have left Issue #222 on the Standard page as a placeholder for additional thoughts on supply chain.