This is a proof-of-concept for the OpenSSF SLSA draft Attested Build Environments (BuildEnv) track.
The CLI in this repo implements vTPM-based attestation and integrity checking of a Linux VM image. This repo also provides demo GHA workflows showcasing how to meet SLSA BuildEnv L1 and L2 (WIP).
From a fresh Ubuntu 20+ VM, install the initramfs scripts:
sudo initramfs/install.sh
Generate the initramfs:
sudo mkinitramfs -o image-attestation.img
TODO
Requires Go 1.21+
- Implement DSSE signing for
ref-valuescommand - Modify
verifycommand to use reference value attestations, rather than raw inputs - Document verifier VM attestation flow
- Document private key config and signing attestation
- Add binding attestation + signature for the job id
- Add build image components for container-based build
- Add verification of SLSA Provenance + VSA generation
- Add verification of "boot" in container-based build environment
- Add mock build platform
- Add mock L3 container-based build environment deployment with HW TPM
This project is not ready for production use.