[Proposal] Guidance for Confidential Supply Chains #1367
Comments
@mnm678 Could you elaborate or link to more information about the term "confidential supply chain"?
At one simple level, within the Confidential Containers project one of our use cases relates to CI/CD. However, a big challenge we have when pushing for this or any use case is also the reflection that if anything was compromised in other aspects of the supply chain (not just building container images), then trying to use a Confidential Containers environment later will not deliver on the Confidential Computing promise.

So we need to layer in the complexity that comes with Confidential Computing; our supply chain here is not simply about the software that forms the containers deployed within a pod. We need to consider the hardware/firmware, the generating of measurements to allow us to verify the use of a particular environment at a later deployment time, and the management of keys/secrets which should only be released after we verify the environment (attestation). How do we manage these additional artifacts as part of a supply chain to achieve the end goal of running any workload/solution within a cloud native confidential computing environment?

So for me an interesting goal for "Guidance for Confidential Supply Chains" could be exploring questions such as: What do they need to consider with respect to verifying the supply of a CoCo capable cluster?
A different angle could be to examine the impact of Confidential Computing and the CNCF CoCo project on the existing "Supply Chain Best Practices v2".
This is just my two cents, but I'd love to have this start more as an exploratory thought from your group instead of a TAG Security product. I think people here would be quite interested to know about it, but at least from my perspective this isn't a super core area for us to put out guidance on.

I mean, if people want to consider this use case, don't they go to CoCo anyways for guidance? At least in my view, our role is to help to do things that are more cross-cutting. We could perhaps refer to this in other documentation that is broad (like the supply chain best practices), but for the most part items from our group tend to be general and this feels to me a little too much like promoting CoCo for supply chains...
On Thu, Sep 12, 2024 at 11:21 AM James Magowan ***@***.*** wrote:
> A different angle could be to examine the impact of Confidential Computing and the CNCF CoCo project on the existing "Supply Chain Best Practices v2"
Work on this issue will be discussed in the Supply Chain WG as they complete the updated v2 white paper.
Description: what's your idea?
After discussion with the Confidential Computing project, it seems like there is an opportunity for collaboration to provide guidance for projects to create a confidential supply chain. This could be part of the supply chain whitepaper or a separate document.
Impact: Describe the customer impact of the problem. Who will this help? How will it help them?
This will help projects interested in creating a confidential supply chain.
Scope: How much effort will this take? It is ok to provide a range of options or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc.
Intent to lead: interested in pursuing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead.
Proposal to Project: lead with call for participation in #tag-security slack channel thread (add link) and mailing list email (add link).