In-Toto: Protecting Software Supply Chain in Cloud Native and Application in Confid... Justin Cappos

  • Published: 28 Sep 2024
  • In-Toto: Protecting Software Supply Chain in Cloud Native and Application in Confidential Containers - Justin Cappos, NYU
    In-toto is a CNCF incubating project which aims to ensure the integrity of a software product from initiation to end-user installation. It does so by making transparent to the user which steps were performed, by whom, in what order and, most importantly, what the resulting software is. In-toto allows the user to verify whether a step in the supply chain was intended to be performed and whether it was performed by the right actor. With this ability, in-toto can help resolve many problems related to the integrity of a software supply chain. Confidential Containers is another CNCF project, which aims to leverage hardware TEEs for containerized workloads. It currently faces the problem of how to provide reference values for the system software inside the TEE that enters the tenant's TCB. The in-toto framework will help with this by providing convincing metadata about the supply chain. In this talk we focus on in-toto and its applicability, using Confidential Containers as an example use case.
