Specifications

SBoMs are becoming an important part of software security. That includes the security of firmware that follows the UEFI standard. US Government Executive Order 14028 and documents from the US Department of Commerce NTIA describe why SBoMs are important for security. The UEFI forum has created a SBoM team to develop guidance for the creation and delivery of SBoM data to the firmware ecosystem and end users. A part of this effort is to include SBoM metadata into platform firmware images. This blog contains a proposal for inclusion of such data in those firmware images. It is being posted here to generate discussions and feedback to the SBoM team as it develops its guidance and recommendations.

During the latest UEFI Forum webinar, “The Role of Redfish in UEFI Forum Firmware Specifications,” panelists provided an overview of DMTF’s Redfish®, discussed implementation challenges, and explained how Redfish and UEFI platform firmware interact. In the Q&A following the webinar, panelists answered questions regarding a variety of topics, but weren’t able to get to all the questions in the time we had available. The questions below were asked by webinar attendees and are now answered by the presentation’s panelists.

As you may have heard, the UEFI Forum recently released the UEFI Specification, Version 2.8, which reflects many new and useful technology changes in the platform firmware including added support for REpresentational State Transfer (REST). REST is not an official standard, but rather an architectural style of networked systems consisting of clients and servers, and it defines a set of constraints to be used for creating Web services. RESTful Web services provide interoperability between computer systems on the internet.