Description
Technical Initiative
SLSA
Lifecycle Phase
Incubating
Funding amount
$300 for 2 quarters of cloud usage
Problem Statement
The SLSA BuildEnv track extends the build integrity requirements of the Build track to the compute environment. That is, this new SLSA track (currently in draft) introduces requirements for VM measurement, secure boot and hardware-based attestation. Before moving the track out of draft, the track shepherds would like to validate the current track specification with a PoC built in a realistic deployment scenario.
Who does this affect?
A cloud-based SLSA BuildEnv PoC benefits implementers of the track (i.e., CI/CD services), and helps the track shepherds revise the specification based on practical findings prior to its first release.
Have there been previous attempts to resolve the problem?
We have begun implementing a PoC that runs on GHA. However, we are unable to build and test certain hardware integrity requirements of higher levels of the track because the necessary features are not available on GHA today.
Why should it be tackled now and by this TI?
The SLSA BuildEnv track is nearing completion, so having a well-tested PoC is crucial to enable adoption of the track. As most major CI/CD systems are cloud-hosted, we seek to test and demo our SLSA BuildEnv PoC in cloud environments such as Azure and GCP.
Give an idea of what is required to make the funding initiative happen
Currently, our SLSA BuildEnv PoC is being tested using personal credits on Azure. Because higher levels of the BuildEnv track require more visibility into, and configuration of, the compute environment, these funds would allow us to test the PoC more comprehensively and validate the BuildEnv track specification in cloud environments that support the hardware security features used to implement the higher levels of the track.
What is going to be needed to deliver this funding initiative?
Cloud credits to deploy and test the SLSA BuildEnv PoC at all three levels of the track.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No
Give a summary of the requirements that contextualize the costs of the funding initiative
The required funds cover up to two quarters of testing the SLSA BuildEnv PoC in Azure and GCP environments.
Who is responsible for doing the work of this funding initiative?
Pavel Iakovenko (@paveliak), Marcela Melara (@marcelamelara)
Who is accountable for doing the work of this funding initiative?
Pavel Iakovenko (@paveliak), Marcela Melara (@marcelamelara)
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
The SLSA Steering Committee
What license is this funding initiative being used under?
MIT License
Code of Conduct
- I agree to follow the OpenSSF's Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
Our plan is to complete the implementation and testing of our PoC at various stages following this timeline, both on Azure and GCP.
- Q4 2025:
  - BuildEnv L2 attestation flow (using vTPM)
  - BuildEnv L1 and L2 verification flow
- Q1 2026:
  - BuildEnv L3 attestation flow (using e.g. Intel TDX or AMD SEV-SNP)
  - BuildEnv L3 verification flow
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
N/A