slsa-framework · marcelamelara · May 2, 2024 · May 3, 2024 · May 8, 2024 · May 13, 2024
diff --git a/docs/spec/v1.1/levels.md b/docs/spec/v1.1/levels.md
@@ -26,6 +26,7 @@ tracks without invalidating previous levels.
 | [Build L1]  | Provenance showing how the package was built | Mistakes, documentation
 | [Build L2]  | Signed provenance, generated by a hosted build platform | Tampering after the build
 | [Build L3]  | Hardened build platform | Tampering during the build
+| [Build L4]  | Attested build environment | Tampering before the build
 
 <!-- For comparison: a future Build L4's focus might be reproducibility or
 hermeticity or completeness of provenance -->
@@ -231,14 +232,115 @@ All of [Build L2], plus:
 </dl>
 </section>
 
+<section id="build-l4">
+
+### Build L4: Attested build environment
+
+<dl class="as-table">
+<dt>Summary<dd>
+
+Compromising a build requires exploiting a vulnerability in the build
+platform's supply chain or physical access to the underlying compute
+platform.
+
+In practice, this means that builds are configured to run on a build platform
+that supports hardware capabilities for attesting to the state of the
+compute environment executing builds.
+
+<dt>Intended for<dd>
+
+Software releases needing assurances about the integrity of the environment
+used to create the release (e.g., specific compute platform, pre-build
+tamper detection).
+Build L4 usually requires significant changes to existing build platforms.
-Build L4 usually requires significant changes to existing build platforms.
+Build L4 may require significant changes to existing build platforms.
-Build L4 usually requires significant changes to existing build platforms.
+Build L4 may require significant changes to existing build platforms.
+
+<dt>Requirements<dd>
+
+All of [Build L3], plus:
+
+-   Software producer:
+    -   MUST run builds on a hosted build platform that meets Build L4
+        requirements.
+    -   SHOULD verify the build platform's attestations prior to a build and
+        produce a [verification summary] about the check.
+
+-   Build platform:
+    -   Each build image (i.e., VM or container) made available to software
+        producers MUST be built on a SLSA Build L3+ platform. The generated
+        SLSA Provenance MUST be distributed to allow for independent
+        verification.
+    -   Distribution of SLSA Provenance for pre-installed software within the
+        build image MAY be best-effort.
+    -   The boot process of each build environment MUST be measured and
+        attested using a [TCG-compliant measured boot] mechanism. The
+        attestation MUST be authenticated and distributed for independent
+        verification.
+    -   The initial state of the build environment's disk image MUST be
+        integrity measured and attested. The attestation MUST be
+        authenticated and distributed for independent verification.
+    -   Read-write block devices or file system paths MUST be encrypted
+        with a key that is only accessible within the build image.
+    -   Before launching a new environment based on a build image (i.e., VM
+        or container instance), its SLSA Provenance MUST be verified.
+    -   Before making a build environment available for a build request:
+        -   The boot process and state of disk image MUST be verified, and
+        cryptographically bound to the build image's valid SLSA provenance
+        to establish a verifiable integrity chain between a build image and
+        a build environment.
+        -   A unique immutable build environment identifier (e.g.,
+        cryptographic keypair) MUST be generated and cryptographically bound
+        to the build environment's integrity chain.
+        -   These bindings MUST be authenticated and distributed for
+        independent verification.
+    -   Before executing a tenant's build request (e.g., GHA build job):
+        -   The build environment's integrity chain and uniqueness of its
+        immutable identifier MUST be verified.
+        -   A unique immutable build request identifier (e.g., GHA build job
+        ID) MUST be generated and cryptographically bound to a valid build
+        environment integrity chain.
+    -   All build platform generated attestations and cryptographic bindings
+        MUST be backed by a hardware root of trust (e.g., [TPM] or [trusted
+        execution environment]). Note: Virtual hardware (e.g., vTPM) MAY be
+        used to meet this requirement.
+    -   Runtime changes to the build environment's disk image SHOULD be
+        observable at runtime by the executing build request.
+
+<dt>Benefits<dd>
+
+All of [Build L3], plus:
+
+-   Greatly reduces trust in a hosted build platform by increasing
+    observability into the level of integrity of the build environment.
+-   Provides machine-checkable information about the build image’s provenance
+    beyond self-attestation by the build platform operator.
+-   Provides cryptographic, hardware-rooted evidence about:
+    -   The initial state of the compute environment executing a build, such
+    as its boot settings (e.g., measured boot enabled), the bootloader and
+    kernel image.
+    -   The initial state of the environment's disk image and its
+    configuration.
+    -   The build environment that executed a particular run of a build.
+-   The use of [confidential computing] to meet these
+    requirements provides builds with additional data and code
+    confidentiality and tamper-evidence properties during build execution.
+
+</dl>
+</section>
+
 <!-- Link definitions -->
 
 [build l0]: #build-l0
 [build l1]: #build-l1
 [build l2]: #build-l2
 [build l3]: #build-l3
+[build l4]: #build-l4
+[confidential computing]: https://confidentialcomputing.io/wp-content/uploads/sites/10/2023/03/Common-Terminology-for-Confidential-Computing.pdf
 [future versions]: future-directions.md
 [hosted]: requirements.md#isolation-strength
 [previous version]: ../v0.1/levels.md
 [provenance]: terminology.md
+[TCG-compliant measured boot]: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/
+[TPM]: https://trustedcomputinggroup.org/resource/tpm-library-specification/
+[trusted execution environment]: https://csrc.nist.gov/glossary/term/trusted_execution_environment
 [verification]: verifying-artifacts.md
+[verification summary]: verification_summary.md
diff --git a/docs/spec/v1.1/terminology.md b/docs/spec/v1.1/terminology.md
@@ -125,6 +125,38 @@ of build types](/provenance/v1#index-of-build-types).
 
 </details>
 
+### Build environment model
+
+Following the [build model](#build-model), we model a *build environment*
+as a single instance of an execution context that runs a tenant's build
+on a hosted build platform. Specifically, a build environment comprises
+resources from the *compute platform* and a *build image*.
+
+A typical build environment will go through the following lifecycle:
+
+1.  A hosted build platform creates different build images through a separate
+    build process. For SLSA Build L4, the build platform outputs provenance
+    describing this process.
+2.  The hosted build platform provisions resources on the compute platform
+    and a build image launch a new build environment. For SLSA Build L4, the
+    build platform validates the *measurement* of the *boot process*.
+3.  When a new *build request* arrives at the hosted build platform, the
+    platform assigns the request to a pre-provisioned build environment.
+    For SLSA Build L4, the tenant may validate the measurement of the build
+    environment.
+4.  Finally, the build environment executes the tenant's build steps.
+
+| Primary Term | Description
+| --- | ---
+| Build image | The run-time context within a build environment, such as the VM or container image. Individual components of a build image are provided by both the hosted build platform and tenant, and include the build executor, platform-provided pre-installed guest OS and packages, and the tenant’s build steps and external parameters.
+| Build executor | The platform-provided program dedicated to executing the tenant’s build definition, i.e., running the build, within the build image.
+| Build request | The process of assigning a build to a pre-provisioned build environment on a hosted build process.
+| Compute platform | The compute system and infrastructure, i.e., the host system (hypervisor and/or OS) and hardware, underlying a build platform. In practice, the compute platform and the build platform may be managed by the same or distinct organizations.
+| Boot process | In the context of builds, the process of loading and executing the layers of firmware and software needed to start up a build environment.
+| Measurement | The cryptographic hash of some system state in the build environment, including software binaries, configuration, or initialized run-time data. Software layers that are commonly measured include the bootloader, kernel, and kernel cmdline.
+
+TODO: Disambiguate similar terms (e.g., build job, build runner)
+
 ### Package model
 
 Software is distributed in identifiable units called <dfn>packages</dfn>