Traditionally, capturing a Software Bill of Materials (SBOM) for UEFI firmware has been seen as challenging. Some technical challenges include immutable blobs in the image (e.g., Intel FSP and CPU microcode). Other roadblocks are due to a process where IHVs contribute binary DXE objects to the ODM. Finally, some challenges are due to commercial issues where code might be licensed from the IBV but modified by the ODM.
This talk will focus on the following topics:
- How to include accurate SBOM metadata that is compliant with NTIA's The Minimum Elements for a Software Bill of Materials (SBOM) guidelines in a UEFI firmware project?
- What edge conditions and use cases need to be considered when implementing SBOM?
- What approaches can enable extracting and consuming SBOM data from one supply chain partner to another?
The talk plans to address several industry-wide items necessary for the broader adoption of SBOM in the firmware ecosystem.