Document SLSA adoption and current level (#661)

* Document SLSA adoption and current level
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

CHANGELOG.md

@@ -27,6 +27,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improve reproducibility by pinning the Kubernetes components.
 - Client verification during `constellation init`
 
+- Release CLI with SLSA Level 3 requirements.
+
 ### Changed
 <!-- For changes in existing functionality.  -->
 <!-- TODO: Remove `/next/` from URL before release -->

README.md

@@ -41,9 +41,11 @@ Encrypting your K8s is good for:
 
 ### 🔍 Everything verifiable
 
+<a href="https://slsa.dev/"><img src="docs/docs/_media/SLSA-Badge-full-level3.svg" align="right" width="225px"></a>
+
 * "Whole cluster" [attestation][cluster-attestation] based on the remote-attestation feature of CVMs
 * Confidential computing-optimized [node images][images]; fully measured and integrity-protected
-* [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/)
+* [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/) and [SLSA Level 3](https://slsa.dev/spec/v0.1/#security-levels).
 
 ### 🚀 Performance and scale
 

docs/docs/reference/slsa.md

@@ -0,0 +1,73 @@
+# Supply chain levels for software artifacts (SLSA) adoption
+
+[Supply chain Levels for Software Artifacts, or SLSA (salsa)](https://slsa.dev/) is a framework that provides incremental improvements to a projects build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in [four levels](https://slsa.dev/spec/v0.1/levels). This page describes the adoption of SLSA for Constellation.
+
+:::info
+SLSA is still in alpha. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined.
+:::
+
+## Level 1 - Adopted
+
+**[Build - Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build)**
+
+All build steps are automated via [CMake](https://github.com/edgelesssys/constellation/blob/main/CMakeLists.txt) and [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
+
+**[Provenance - Available](https://slsa.dev/spec/v0.1/requirements#available)**
+
+Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
+
+## Level 2 - Adopted
+
+**[Source - Version Controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)**
+
+Constellation is hosted on GitHub using git.
+
+**[Build - Build Service](https://slsa.dev/spec/v0.1/requirements#build-service)**
+
+All builds are carried out by [GitHub Actions](https://github.com/edgelesssys/constellation/tree/main/.github).
+
+**[Provenance - Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated)**
+
+Provenance for the CLI is signed using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). Learn [how to verify the CLI](../workflows/verify-cli.md) using the signed provenance, before using it for the first time.
+
+**[Provenance - Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated)**
+
+Provenance for the CLI is generated using the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) in GitHub Actions.
+
+## Level 3 - Adopted
+
+**[Source - Verified History](https://slsa.dev/spec/v0.1/requirements#verified-history)**
+
+The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization [requires two-factor authentication](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) for all members.
+
+**[Source - Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)**
+
+Since we use GitHub to host the repository, it's impossible for an external person to delete or modify the history. Before a pull request can be merged, an explicit approval from an [Edgeless Systems](https://github.com/edgelesssys) team member is required.
+
+The same holds true for changes proposed by team members. Each change to main needs to be proposed via a pull request and requires at least one approval.
+
+The [Edgeless Systems](https://github.com/edgelesssys) GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy.
+
+**[Build - Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code)**
+
+All build files for Constellation are stored in [the same repository](https://github.com/edgelesssys/constellation/tree/main/.github).
+
+**[Build - Ephemeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)**
+
+All GitHub Action workflows are executed on [GitHub-hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). These runners are only available during workflow.
+
+We currently don't use [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
+
+**[Build - Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)**
+
+As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build.
+
+Additionally, the [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator#generation-of-provenance) itself is run in an isolated workflow with the artifact hash as defined inputs.
+
+**[Provenance - Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)**
+
+As outlined by [SLSA GitHub generator](https://github.com/slsa-framework/slsa-github-generator) it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using [sigstore](https://sigstore.dev/) with an OIDC based proof of identity.
+
+## Level 4 - In Progress
+
+We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha and the biggest changes to SLSA are expected to be around Level 4.

docs/docs/workflows/verify-cli.md

@@ -42,7 +42,7 @@ Verified OK
 
 ## Verify the provenance
 
-Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2).
+Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance visit [slsa.dev](https://slsa.dev/provenance/v0.2). We've also detailed our [adoption of SLSA](../reference/slsa.md).
 
 Just as checking the signature on the CLI proves that the CLI wasn't manipulated, checking the provenance proves that the artifact was produced by our build process and hasn't been tampered with.
 

docs/sidebars.js

@@ -243,9 +243,14 @@ const sidebars = {
         },
         {
           type: 'doc',
-          label: 'Configuration Migrations',
+          label: 'Configuration migrations',
           id: 'reference/config-migration',
         },
+        {
+          type: 'doc',
+          label: 'SLSA adoption',
+          id: 'reference/slsa',
+        },
       ],
     },
   ],