
Add CoSWID signing for validation

Open CodingVoid opened this issue 3 years ago • 2 comments

CoSWID defines a method of validating that a CoSWID tag is actually created by the party owning the software and not changed along the way. I think that would be a great thing to add to uswid and goswid. https://tools.ietf.org/id/draft-ietf-sacm-coswid-21.html#name-signed-coswid-tags

There is only one problem, which the specification doesn't cover: "To support signature validation, there is the need to associate the right key with the software provider or party originating the signature in a secure way. This operation is application specific and needs to be addressed by the application or a user of the application; a specific approach for which is out-of-scope for this document."

CodingVoid, May 18 '22 12:05

I'm not sure it's required for UEFI firmware generally, as if you have malicious data in your SPI chip then you have bigger problems than your SBOM being wrong. It's also way underspecified in my opinion too. I'd say let's get the basics working first, then have a way to verify it as a nice-to-have.

hughsie, May 18 '22 12:05

I agree, but let's leave the issue open to keep it in mind.

CodingVoid, May 18 '22 16:05