New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adoptium SLSA Levels #160
Comments
https://slsa.dev/spec/v0.1/requirements Categories: Source, build, provenance, common (includes security of machines) LEVEL 1: Documentation of build process (Unsigned provenance)ACHIEVED AS WE HAVE SBOMs - POTENTIALLY MORE DETAIL TBD
LEVEL 2: Tamper resistance of bld svc (Hosted source/build, signed provenance)Achieved now that we have GPG signing Prevents tampering as build service is trusted
LEVEL 3: Extra resistance to threats (Security controls on host, non-falsifiable provenance)Mostly done - ephermeral environment certainly covered by docker containers, although they are routed via dockerhub
LEVEL 4: Highest level of confidence+trust (Two party reviews + hermetic builds)Allows reproducibility
|
Ref: https://slsa.dev/blog/2023/02/slsa-v1-rc SLSA 1.0RC has introduced the concept of "tracks" to make it easier to claim incremental progress. So far the build track has been defined with levels 1-3 which broadly map to 1-3 of the earlier specification version. A build level 4 and source track are expected to follow. Note that the specific wording around ephemeral build environments is no longer present, although the "prevent runs from influencing one another" is still present. |
SLSA1.0 is now finalised and has removed some of the more complex requirements such as hermetic builds which were not simple for people to implement. It has also been split into "tracks" for which the only one included in 1.0 is the Build track which currently has three levels (excluding Level zero which is "nothing") with a fourth planned for the future, so there are fewer levels to meet than we had before: LEVEL 1: Provenance showing how the package was built (Focus on mistakes & documentation)Package has provenance showing how it was built. Can be used to prevent mistakes but is trivial to bypass or forge.
LEVEL 2: Signed provenance, generated by a hosted build platform (Focus on preventing tampering after the build)Forging the provenance or evading verification requires an explicit “attack”, though this may be easy to perform. Deters unsophisticated adversaries or those who face legal or financial risk.
LEVEL 3: Hardened build platform (Focus on preventing Tampering during the build)Forging the provenance or evading verification requires exploiting a vulnerability that is beyond the capabilities of most adversaries. In practice, this means that builds run on a hardened build platform that offers strong tamper protection. Build platform implements strong controls to:
We likely meet all of these for our Linux platforms built in docker containers now, although we will need to look in more detail at the provenance requirements. At the moment we do not explicitly record "what entity built the product" We should probably add verification of the provenance by checking the signing after it is pushed to github, perhaps initially by the publish job, but later through a subsequent job that pulls from the API |
Downstream verification of provenance is being done under adoptium/temurin-build#3484 |
From discussion with @netomi today we identified a few potential omissions from the SBOM which we should seek to correct prior to claiming SLSA Build L3 (also captured in the issue mentioned above)
|
The above have all been completed and after discussions with @netomi and @mbarbero we have agreed that we are now good to go. Actions required:
|
@sxa What else is on the horizon for this issue? Can it be closed as done (with new issues for new tasks)? |
Windows SLSA3 support would be the obvious current omission. Nothing in this issue restricted it to particular platforms :-) Ideally Windows can be dealt with under the investigations and solution to adoptium/infrastructure#3286. I'd prefer to have the primary platforms at the same level if possible before closing this. |
This issue serves to document the SLSA criteria for Adoptium to meet. SLSA [1] is a secure software supply chain framework that defines four compliance levels [2] of increasing assurance.
Level 1
The build process must be fully scripted/automated and generate provenance.
Level 2 Tamper resistance of the build service
Requires using version control and a hosted build service that generates authenticated provenance.
Level 3 Extra resistance to specific threats
The source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance respectively
Level 4 Highest levels of confidence and trust
Requires two-person review of all changes and a hermetic, reproducible build process.
[1]
https://slsa.dev/
[2]
https://slsa.dev/spec/v0.1/levels
The text was updated successfully, but these errors were encountered: