Commit 67ba6585 authored by Mark Lodato, committed by Mark Lodato

Add SLSA 1.5 and split Tamper Resistant.

Add a new level, SLSA 1.5, between 1 and 2. We will renumber all the
levels to integers right before we finalize the first version. In the
meantime, we keep numbering the same to reduce confusion.

Split Tamper Resistant into Authenticated + Service Generated +
Non-Falsifiable. This split makes the meaning more clear, particularly
that SLSA 1 is unauthenticated. SLSA 1.5 requires only the first two,
with non-falsifiable being a property at SLSA 2.
parent 117a3256
...@@ -287,10 +287,11 @@ The following diagram shows the relationship between concepts. ...@@ -287,10 +287,11 @@ The following diagram shows the relationship between concepts.
## Proposed SLSA definitions ## Proposed SLSA definitions
_Reminder: The definitions below are not yet finalized and subject to change._ _Reminder: The definitions below are not yet finalized and subject to change. In
particular, the levels will be renumbered to be all integers._
There are three SLSA levels. SLSA 3 is the current highest level and represents There are four SLSA levels. SLSA 3 is the current highest level and represents
the ideal end state. SLSA 1 and 2 offer lower security guarantees but are easier the ideal end state. SLSA 12 offer lower security guarantees but are easier
to meet. In our experience, achieving SLSA 3 can take many years and significant to meet. In our experience, achieving SLSA 3 can take many years and significant
effort, so intermediate milestones are important. effort, so intermediate milestones are important.
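Review bot: the new sentence at the "SLSA 1 and 2 offer lower security guarantees" line now reads "SLSA 12 offer lower security guarantees", which is not a valid enumeration of the four levels the preceding sentence announces; it should list the lower levels explicitly (SLSA 1, 1.5 and 2) so that the subject matches the plural verb "offer" and the reader can tell that 1.5 is one of the easier-to-meet milestones rather than a typo.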
...@@ -310,12 +311,13 @@ effort, so intermediate milestones are important. ...@@ -310,12 +311,13 @@ effort, so intermediate milestones are important.
<td>SLSA 2 <td>SLSA 2
<td>"Auditable." Moderate confidence that one can trace back to the original source code and change history. However, trusted persons still have the ability to make unilateral changes, and the list of dependencies is likely incomplete. <td>"Auditable." Moderate confidence that one can trace back to the original source code and change history. However, trusted persons still have the ability to make unilateral changes, and the list of dependencies is likely incomplete.
</tr> </tr>
<!-- <tr>
Old wording for SLSA 1, can be used for 1.5: Stepping stone to higher levels. Moderate confidence that one can determine either who authorized the artifact or what systems produced the artifact. Protects against tampering after the build. <td>SLSA 1.5
--> <td>Stepping stone to higher levels. Moderate confidence that one can determine either who authorized the artifact or what systems produced the artifact. Protects against tampering after the build.
</tr>
<tr> <tr>
<td>SLSA 1 <td>SLSA 1
<td>Stepping stone to higher levels. Unauthenticated assertion of how the artifact was produced. <td>Entrypoint into SLSA. Unauthenticated provenance.
</tr> </tr>
</tbody> </tbody>
</table> </table>
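Review bot: the new SLSA 1.5 row reuses the old SLSA 1 wording verbatim ("Moderate confidence that one can determine either who authorized the artifact or what systems produced the artifact. Protects against tampering after the build."), and the SLSA 2 row directly above also opens with "Moderate confidence", so the two levels are no longer distinguishable from the summary column alone; consider phrasing the 1.5 row in terms of what the commit message says it actually adds (authenticated, service-generated provenance that a build-service user could still falsify) and keeping "tamper after the build" language for the level where Non-Falsifiable is required. The new SLSA 1 text "Entrypoint into SLSA. Unauthenticated provenance." would likewise benefit from one clause saying what unauthenticated means here, i.e. that the provenance carries no integrity guarantee and can be produced by anyone. The now-unneeded `<!-- Old wording for SLSA 1 ... -->` comment on the left side has been consumed by the new row, which is fine.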
...@@ -324,30 +326,36 @@ Each SLSA level has a set of requirements. ...@@ -324,30 +326,36 @@ Each SLSA level has a set of requirements.
<table> <table>
<thead> <thead>
<tr><th colspan="2"> <th colspan="3">Required at </tr> <tr><th colspan="2"> <th colspan="4">Required at</tr>
<tr><th colspan="2">Requirement <th>SLSA 1<th>SLSA 2<th>SLSA 3</tr> <tr><th colspan="2">Requirement<th>SLSA 1<th>SLSA 1.5<th>SLSA 2<th>SLSA 3</tr>
</thead> </thead>
<tbody> <tbody>
<tr><td rowspan="4">Source<td>Version Control <td> <td><td></tr> <tr><td rowspan="4">Source
<tr> <td>Verified History <td> <td><td></tr> <td>Version Control <td> <td><td><td></tr>
<tr> <td>Retention <td> <td>18 mo.<td>indef </tr> <tr><td>Verified History <td> <td> <td><td></tr>
<tr> <td>Two-Person Review<td> <td> <td></tr> <tr><td>Retention <td> <td> <td>18 mo.<td>indef </tr>
<tr><td rowspan="6">Build <td>Scripted <td><td><td></tr> <tr><td>Two-Person Review <td> <td> <td> <td></tr>
<tr> <td>Build Service <td> <td><td></tr> <tr><td rowspan="6">Build
<tr> <td>Isolation <td> <td><td></tr> <td>Scripted <td><td><td><td></tr>
<tr> <td>Hermeticity <td> <td> <td></tr> <tr><td>Build Service <td> <td><td><td></tr>
<tr> <td>Reproducibility <td> <td> <td></tr> <tr><td>Isolation <td> <td> <td><td></tr>
<tr> <td>Source Integrity <td> <td>* <td></tr> <tr><td>Hermeticity <td> <td> <td> <td></tr>
<tr><td rowspan="3">Provenance <tr><td>Reproducibility <td> <td> <td> <td></tr>
<td>Available <td><td><td></tr> <tr><td>Source Integrity <td> <td> <td>* <td></tr>
<tr> <td>Tamper Resistant <td> <td><td></tr> <tr><td rowspan="5">Provenance
<tr> <td>Dependencies <td> <td> <td></tr> <td>Available <td><td><td><td></tr>
<tr><td rowspan="3">Deploy<td>Provenance Chain <td><td><td></tr> <tr><td>Authenticated <td> <td><td><td></tr>
<tr> <td>Policy <td> <td><td></tr> <tr><td>Service Generated <td> <td><td><td></tr>
<tr> <td>Logging <td> <td><td></tr> <tr><td>Non-Falsifiable <td> <td> <td><td></tr>
<tr><td rowspan="3">Common<td>Security <td> <td><td></tr> <tr><td>Dependencies <td> <td> <td> <td></tr>
<tr> <td>Access <td> <td><td></tr> <tr><td rowspan="3">Deploy
<tr> <td>Superusers <td> <td><td></tr> <td>Provenance Chain <td><td><td><td></tr>
<tr><td>Policy <td> <td><td><td></tr>
<tr><td>Logging <td> <td> <td><td></tr>
<tr><td rowspan="3">Common
<td>Security <td> <td> <td><td></tr>
<tr><td>Access <td> <td> <td><td></tr>
<tr><td>Superusers <td> <td> <td><td></tr>
</tbody> </tbody>
</table> </table>
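Review bot: in the rendered hunk the per-level cells of the new Authenticated, Service Generated and Non-Falsifiable rows are empty, so it is not possible to confirm from the diff that Authenticated and Service Generated are marked at SLSA 1.5 while Non-Falsifiable first appears at SLSA 2 as the commit message states; using a visible textual marker in the cells (the way the Retention row already uses "18 mo." and "indef") would make the table checkable in plain-text review. The structural changes look consistent: the header widens to `<th colspan="4">Required at` with a matching `<th>SLSA 1<th>SLSA 1.5<th>SLSA 2<th>SLSA 3` row, and the Provenance group's `rowspan="5"` matches its five rows (Available, Authenticated, Service Generated, Non-Falsifiable, Dependencies); the `*` on Source Integrity under SLSA 2 is carried over, so make sure its footnote outside this hunk still exists.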
...@@ -398,11 +406,15 @@ nuanced. We only provide a brief summary here for clarity. ...@@ -398,11 +406,15 @@ nuanced. We only provide a brief summary here for clarity.
cryptographic hash of the artifact, the identity of the system that cryptographic hash of the artifact, the identity of the system that
performed the build, and the top-level source repository (i.e. the one performed the build, and the top-level source repository (i.e. the one
containing the build script). containing the build script).
* **[Tamper Resistant]** The build platform generates the provenance and the * **[Authenticated]** Provenance's authenticity and integrity can be verified,
platform's users cannot falsify it. such as through a digital signature.
* **[Dependencies]** The provenance records all build dependencies, meaning * **[Service Generated]** Provenance is generated by the build service itself,
every artifact that was available to the build script. This includes the as opposed to user-provided tooling running on top of the service.
initial state of the machine, VM, or container of the build worker. * **[Non-Falsifiable]** Provenance cannot be falsified by the build service's
users.
* **[Dependencies]** Provenance records all build dependencies, meaning every
artifact that was available to the build script. This includes the initial
state of the machine, VM, or container of the build worker.
**[Deploy]** An artifact deployed to a resource meets SLSA 3 if: **[Deploy]** An artifact deployed to a resource meets SLSA 3 if:
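Review bot: the three new bullets are independent definitions, but the requirement Non-Falsifiable only makes sense on top of the other two (provenance that is neither Authenticated nor Service Generated can trivially be falsified by users), and the commit message says 1.5 requires "only the first two"; stating that dependency in the Non-Falsifiable bullet, and giving one concrete example of what a build-service user could otherwise do (e.g. a build script that writes its own provenance) would make the split clearer to readers who do not see the commit message. For Authenticated, "such as through a digital signature" should say whose signature is expected, since the Available bullet above already names "the identity of the system that performed the build" as part of the provenance content; tying the signing identity to that build system identity is what lets a verifier check authenticity rather than merely integrity.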
......