Raising the Supply Chain Security Bar
Device to Cloud Supply Chain Provenance
Darpana Munjal Loodu, Microsoft
Alex Tzonkov, AMD
Prabhu Jayanna, AMD

Device to Cloud Supply Chain Provenance
SECURITY

How are we doing with Firmware Supply Chain Security?

Firmware Supply Chain Provenance
[Diagram labels: SFRs, RIMs, SBOMs; Measurement Reports; Approved 3P Auditors; Audit; RIMs, SBOMs; Verifier; Manufacturer]
Standardize Root of Trust Capabilities
Structure and expand device attestation claims
Compare device claims to auditor endorsed trustworthy conformance reports
Security Appraisal Framework and Enablement
Orchestration Mechanism

What's Missing?

Supply Chain Integrity, Transparency and Trust (SCITT)
[Diagram labels: Trusted Signing Service; SDK; Identity Roadmap; Distributed ID; Transparency Service; Auditing Tools; SCITT Frontend; SCITT Storage; SCITT Query; Artifact Registry; Ledger; Trusted Signer; Identity Service]
WHAT: Generic, interoperable, and scalable architecture for enhancing transparency and trust
GOALS: Enhance Transparency; Ensure Integrity; Facilitate Accountability; Support Interoperability; Promote Scalability
DEFINES: Transparency Service; Signed Statements; Receipts; Registration Policies

Auditability and Accountability: Software/Firmware Provenance with SCITT
Identity certificate harvested at manufacturing
Audit reports recorded on immutable ledger
Signed certificate sealed to chip at board assembly
SBOM Metadata verified and certificate signed by SCITT signing & transparency services
[Diagram labels: Integrator; Chip Manufacturer Online Database; Chip Manufacturer Data Center; Signing Service; CSR; Signed Cert; Attestation Service; Binding; Final SBOM; Board Manufacturer; Transparency Service]
Attests hardware, verifies identity, verifies receipts.
SBOMs produced by component/platform vendors

What about Hardware Supply Chain Security?
Wait there is More!

Hardware Supply Chain Provenance
Hardware Threats
D