Henk Birkholz <[email protected]> wrote:
> Hi Eliot,
> replying to a single item below.
> On 18.08.20 15:18, Eliot Lear wrote:
>> Perhaps. I can’t say. We’re going to need some operational
>> experience. There are a number of use cases in the IoT field where you
>> plug in different components that require different software loads. One
>> aspect of SBOM, by the way, that hasn’t been explored is the difference
>> between software being installed and the code being placed in service.
>> Particularly drivers and supporting user-level software.
> "code being placed in service"
> Does that refer to a software creation process or a packaging process, or
> both? (or... something entirely different that I did not get)
To recap:
There are multiple ways to get:
1) a MUD URL
2) an SBOM URL
For MUD, one can get it from: IDevID or DHCP/LLDP.
To this, we are talking about adding: via SUIT manifest.
For the SBOM URL, the ways I know of, at present, are:
a) this proposed MUD->SBOM
b) a possible SUIT->SBOM
c) something like CHARRA via EAT.
The path via IDevID(MUD URL), MUD(SBOM) involves at least one signature from
the manufacturer, probably two if the MUD is signed.
But, no assurance that the device is actually running that version of the
software, since IDevIDs are hard to update. But, that's 100x better than what
we have now!
The path via SUIT->SBOM involves a single signature from the manufacturer,
but again, no assurance that the firmware provided to the device is what is
currently running.
The path via DHCP for the MUD URL could result in a MUD file that is not
signed (could be fake), and could result in a pointer to an SBOM that is
bogus.
The best would seem to be to have an SBOM come from Evidence produced by
CHARRA. It would be signed by the IDevID (or other Attestation key).
This probably means that the device is running the correct firmware.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
