Markdown Version | Session Recording

Session Date/Time: 19 Dec 2022 16:00

SCITT

Summary

The SCITT Working Group discussed several use cases, focusing on early boot firmware integrity, consumer software supply chain assurance, and auditor requirements for transparent, historical statements. Marty presented a detailed firmware use case leveraging TPMs, highlighting SCITT's potential role in providing public visibility for metadata and reference integrity measurements (RIMs). Hank updated the group on refined App Store and auditor use cases, emphasizing the need for discoverability and reduced cost in verifying software provenance. Tracy introduced relevant case studies from the sigstore community, prompting discussion on incorporating them into SCITT's use cases, particularly for air-gapped and confidential computing environments. The group also addressed the status of open Pull Requests and planned for continued work over the upcoming holiday period.

Key Discussion Points

• Firmware Use Case Presentation (Marty):
  • Marty presented a use case focusing on supply chain assurance for firmware, particularly the code that runs prior to and during the operating system boot (e.g., BIOS, UEFI, SMI handlers). This code operates with high privilege and is critical for system security.
  • He detailed how Trusted Platform Modules (TPMs) are used to measure and record the integrity of early boot components via Platform Configuration Registers (PCRs). PCRs operate with an "extend" operation, creating an immutable, non-tamperable log of hashed measurements.
  • An event log, stored externally, complements the PCRs, providing a richer, verifiable record. A TPM's "quote" mechanism allows remote verification of PCR values against reference integrity measurements (RIMs) provided by manufacturers or independent parties.
  • SCITT's Role: Marty highlighted two main aspects for SCITT:
    1. Making metadata of firmware and low-level software publicly available through a notary service/ledger for discoverability and version tracking.
    2. Uploading RIMs to the SCITT ledger for verifiers to compare against actual system measurements.
  • Marty also noted that independent parties, not just manufacturers, could produce and publish RIMs, which aligns well with SCITT's trust model.
  • Clarification on Multi-threading: John raised a question about multi-threaded boot scenarios impacting PCR verification. Marty clarified that while event log sequences might vary, the PCR would still reflect the actual sequence of measurements, allowing verification against the actual sequence rather than an assumed one.
• App Store and Auditor Use Cases (Hank):
  • Hank provided an update on use cases refined with Dick Brooks, abstracting the "App Store" scenario to focus on the discovery of authoritative entities and statements in the broader consumer software supply chain. The goal is to reduce the cost and effort for consumers to make informed decisions by making such information easily accessible.
  • He also detailed an auditor use case, emphasizing the challenges auditors face in finding all relevant, historical statements (e.g., code reviews, certifications, virus scans, vulnerability reports, security impact justifications). SCITT could provide a standardized, long-term available audit trail to reduce the cost of compliance checking.
• Terminology Discussion:
  • Royce questioned the pushback on specific terminology (e.g., "endorsement") in use cases, advocating for capturing existing terminology from various verticals before premature simplification.
  • Hank and Bob Martin clarified that use cases should generally use "layman's terms" and be neutral to avoid being tied to specific architectural concepts or overloaded terms, saving the detailed terminology discussion for later stages of the architecture document.
• Sigstore Case Studies (Tracy):
  • Tracy introduced several sigstore case studies (Rancher, DB Schenker, Verizon, Edgeless Systems), highlighting practical applications such as air-gapped environments and confidential computing.
  • The group discussed the potential to extract specific requirements from these case studies and either integrate them into existing SCITT use cases (e.g., air-gapped scenario) or create new, standalone ones (e.g., for confidential computing).
  • It was noted that confidential computing use cases would require careful consideration of the boundaries and complementary aspects with other technologies like RATS.
• Pull Request Status:
  • K's Pull Request for a summarization chapter was merged as a non-conflicting draft.
  • Steve's Pull Request containing editorial improvements was identified for merging.
  • Hank's Pull Request for his updated use cases was held to allow for more community review over the holiday period before a decision to merge.

Decisions and Action Items

• Decision: K's Pull Request for a summary of problem statements was merged.
• Decision: Steve's Pull Request containing editorial improvements will be merged.
• Action Item (Marty & Hank): Coordinate offline to refine the firmware use case text. This includes shortening the existing description, expanding on SCITT's specific benefits, incorporating details about multi-threaded boot scenarios, and adding references to relevant TCG documents.
• Action Item (Tracy): Share links and details about the sigstore case studies (e.g., air-gapped systems, confidential computing) on the SCITT mailing list for further discussion and consideration for integration into existing or new SCITT use cases.
• Action Item (Hank): Hank's Pull Request for the App Store and Auditor use cases will remain open for community review over the holidays. The WG will evaluate feedback and make a merge decision early next year.
• Action Item (Dick Brooks): The use case for "registering press scores" shared on the mailing list will be reviewed by the chairs and community.

Next Steps

• The WG will continue reviewing open Pull Requests and the newly proposed use cases over the upcoming holiday period.
• Specific focus will be on the detailed discussions and refinements for the firmware, App Store, and auditor use cases, as well as exploring the integration of sigstore case studies.
• The next WG meeting will take place at the beginning of next year. Individuals are encouraged to reach out to the chairs with any questions or for further discussion before then.