SBOM Archives - AMI
https://www.ami.com/blog/tag/sbom/

UEFI 2022 Virtual Summit – UEFI Support for Software Bill of Materials (SBOM)
https://www.ami.com/event/uefi-2022-virtual-summit-uefi-support-for-software-bill-of-materials-sbom/
Wed, 28 Sep 2022 16:00:00 +0000

UEFI Support for Software Bill of Materials (SBOM)

Sep 28 2022, 12:00pm EDT
Duration: 45 mins

Presented by

Brian Mullen and Felix Polyudov, AMI

About this talk

Traditionally, capturing a Software Bill of Materials (SBOM) for UEFI firmware has been seen as challenging. Some technical challenges include immutable blobs in the image (e.g., Intel FSP and CPU microcode). Other roadblocks are due to a process where IHVs contribute binary DXE objects to the ODM. Finally, some challenges are due to commercial issues where code might be licensed from the IBV but modified by the ODM.
This talk will focus on the following topics:

  • How to include accurate SBOM metadata that is compliant with NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM) guidelines in a UEFI firmware project?
  • What edge conditions and use cases need to be considered when implementing SBOM?
  • What approaches can enable extracting and consuming SBOM data from one supply chain partner to another?

The talk plans to address several industry-wide items necessary for broader adoption of SBOM in the firmware ecosystem.

Securing Supply Chain Firmware Security with SBOM
https://www.ami.com/blog/2022/06/06/securing-supply-chain-firmware-security-with-sbom/
Mon, 06 Jun 2022 16:00:37 +0000

Brian Mullen
Senior Manager, Global Security Software Group

As supply chains become increasingly complex, so too does the potential for firmware-related attacks. Firmware is the software that controls a device’s hardware. It’s embedded in everything from computers and smartphones to routers and industrial control systems. And because it’s so critical to the functioning of a device, it’s also a prime target for attackers.

Now, imagine that you are the CIO of a large company, and your job is to manage the security of the software supply chain for all of the company’s products. You would need to track not only the dependencies and origins for each component, but also keep tabs on who authored and maintains them, as well as when they were last updated. In addition, you would need to know about any known vulnerabilities and licenses in use. And finally, you would need to be able to authenticate each component.

Fortunately, there is a tool that can help with this: the SBOM (Software Bill of Materials). An SBOM is a machine-readable file that records the dependencies, origins, authorship, maintenance status, and update history of a product's software.

An SBOM lists all the software components used in a device, along with their version numbers and other relevant information. The idea behind the SBOM is that by knowing exactly what software is in a product, it becomes much easier to identify potential security vulnerabilities. This is especially important for firmware security, as the firmware is often one of the most critical and vulnerable parts of a product. In addition, requiring SBOMs from suppliers helps ensure that they follow best practices for security and quality control. So, while implementing an SBOM is not a cure-all for the challenges of firmware security, it can improve your overall security posture. By requiring an SBOM, we can take a big step toward making sure our devices are safe from malicious attacks.
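As an added example (not AMI's code or tooling), here is a constructed SBOM for a hypothetical firmware image that carries the edge cases named in the talk abstract above (an opaque microcode blob with no citable revision, an IHV-supplied DXE binary with no identifier), checked against the NTIA minimum-element fields and walked for the dependencies a downstream supply chain partner inherits. All supplier, component and tool names are made up.

```python
import hashlib
from datetime import datetime, timezone

NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "depends_on")  # NTIA minimum elements, per component
NTIA_DOCUMENT_FIELDS = ("author", "timestamp")  # NTIA minimum elements, per SBOM document

def blob_id(data: bytes) -> str:
    """Opaque blobs (FSP, microcode, IHV DXE drivers) get a content hash as their unique id."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

FIRMWARE_SBOM = {  # constructed SBOM for a hypothetical image; byte strings stand in for real blobs
    "author": "example-ibv-sbom-tool",  # hypothetical producer of the SBOM data
    "timestamp": datetime(2022, 6, 6, tzinfo=timezone.utc).isoformat(),
    "components": [
        {"supplier": "ExampleIBV", "name": "core-dxe", "version": "5.19",
         "identifiers": ["cpe:/a:exampleibv:core-dxe:5.19"], "depends_on": ["fsp", "ucode", "nic-dxe"]},
        {"supplier": "ExampleCPUVendor", "name": "fsp", "version": "2.3.1",
         "identifiers": [blob_id(b"\x00FSP_BLOB")], "depends_on": []},
        {"supplier": "ExampleCPUVendor", "name": "ucode", "version": None,  # no citable revision
         "identifiers": [blob_id(b"\x01UCODE_BLOB")], "depends_on": []},
        {"supplier": "ExampleIHV", "name": "nic-dxe", "version": "1.0",
         "identifiers": [], "depends_on": []},  # IHV shipped the binary with no identifier
    ],
}

def ntia_findings(sbom: dict) -> list:
    """One message per missing NTIA minimum element; an empty list means compliant."""
    findings = [f"document: missing {f}" for f in NTIA_DOCUMENT_FIELDS if not sbom.get(f)]
    for comp in sbom.get("components", []):
        cname = comp.get("name") or "<unnamed>"
        for field in NTIA_COMPONENT_FIELDS:
            value = comp.get(field)
            # A component may legitimately depend on nothing; every other field must be set.
            if value is None or value == "" or (value == [] and field != "depends_on"):
                findings.append(f"{cname}: missing {field}")
    return findings

def dependency_closure(sbom: dict, root: str) -> set:
    """Every component a downstream partner inherits when it consumes `root`."""
    graph = {c["name"]: c.get("depends_on", []) for c in sbom["components"]}
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen

if __name__ == "__main__":
    print("\n".join(ntia_findings(FIRMWARE_SBOM)) or "NTIA minimum elements satisfied")
```

The two findings it reports are exactly the cases the talk flags: the blob whose only citable identity is its hash, and the partner-supplied binary that arrived without identifiers.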

AMI sees the potential for SBOM to make a huge impact on supply chain firmware security and is encouraging the broader community to get behind this initiative. So far, the response has been encouraging, with many firms seeing the value. AMI is excited to be moving into the next phase of our PoC with supply chain partners. We’re looking for enthusiastic and innovative collaborators to help us make this project a success.

If you’re interested in working with us, please contact us at ami.com/contact. We can’t wait to hear from you!

Resources

  • Executive Order related: why we must do it
  • Ripple20: why we should do it
  • Who is using SBOM and why
  • Good intro to SBOM use cases
  • Good info on industry-wide proof-of-concepts and much more generic SBOM info
  • Methods/tools for associating SBOMs with binaries
  • Proof of concept
  • VEX
  • SBOM tooling info
