author Maximilian Brune <maximilian.brune@9elements.com> 2022-10-30 01:00:41 +0200
committer Lean Sheng Tan <sheng.tan@9elements.com> 2023-03-06 10:02:31 +0000
commit 5d9a7cc1383fdf8b4e4b53e1928dcd06ce6885cd
tree 9858d1bf3ba0c0039c8c31751678af280e2adc81 /Documentation/sbom
parent 65c456227e191f4dcdc2bbe33379918676cc69ba
Documentation/sbom: Add SBOM Documentation
Change-Id: I39fbcba60a0fbdbed9f662119ed7692c0a0fd30e
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/68995
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Lean Sheng Tan <sheng.tan@9elements.com>
Diffstat (limited to 'Documentation/sbom')
-rw-r--r-- Documentation/sbom/sbom.md 156
-rw-r--r-- Documentation/sbom/sbom_generation.plantuml 61
-rw-r--r-- Documentation/sbom/sbom_generation.svg 79
3 files changed, 296 insertions, 0 deletions
diff --git a/Documentation/sbom/sbom.md b/Documentation/sbom/sbom.md
new file mode 100644
index 0000000000..c4984f971b
--- /dev/null
+++ b/Documentation/sbom/sbom.md
@@ -0,0 +1,156 @@
+# Software Bill of Materials (SBOM)
+
+SBOM is a collection of information of each software component
+you are supplying/building. Similar to a package manager on Linux
+based systems, it holds information of as many software parts as
+possible. This information can be a version, name of the software, URL,
+license information and more. A SBOM can be saved in various formats.
+In coreboot it's saved as "uSWID" file. uSWID is not a standard or
+specification but it doesn't need to be, since it's basically just an
+array/list of CoSWID (Concise Software Identification) files which in
+turn are specified by a RFC specification. CoSWID files are saved in a
+CBOR format. CBOR is like JSON if JSON were a binary format. Similar
+to a package manager the CoSWID format can link multiple softwares
+together. For example on most modern Intel systems FSP is included as
+a dependency of coreboot. That kind of relationship between software
+components (among others) can be expressed in an uSWID file. That makes
+firmware/software much more transparent. One could for example create a
+software that takes a coreboot firmware image as input and
+automatically creates a graph with all software components the coreboot
+image contains and their relationship to each other.
+
+
+## SWID/CoSWID
+
+SWID is a standard hidden behind an ISO paywall.
+It generally identifies/describes Software components. Since SWID files
+are written in XML, they can get too large for devices with network and
+storage constraints. CoSWID is basically SWID but in CBOR binary
+format, which makes it far smaller compared to its big brother. Also,
+CoSWID is a RFC specification (so publicly accessible). Therefore
+CoSWID is the standard used in coreboot SBOM. But one CoSWID file/tag
+can only describe one single software, but since software is usually
+composed of multiple parts (especially in firmware with many binary
+blobs) uSWID was born as a container format to hold multiple CoSWID
+files. It also has a magic value, that makes software capable of
+extracting uSWID/CoSWID data without the need to understand the
+underlying format of the binary (in coreboot it's the CBFS and in EDK2
+it's the COFF). To get a simple overview of how a SWID/CoSWID file
+looks like, just take a look at the various "templates" in src/sbom/.
+There are of course other SBOM specifications out there, but most of
+them are rather blown up and don't support a binary format at all.
+
+
+## coreboot implementation
+
+Quick overview of how things are generated:
+
+![Generation of an SBOM File in coreboot][sbom_generation]
+
+[sbom_generation]: sbom_generation.svg
+
+After all SBOM data has been fetched from all the software components,
+the 'goswid' tool links them all together into one sbom.uswid file.
+Therefore the goswid tool is basically a linker that takes multiple
+CoSWID/SWID files and converts them into one uSWID file. Although the
+image shows only Files in JSON format it is also possible to supply
+them in XML or CBOR format.
+
+The final SBOM file is located inside the CBFS.
+For each software component in coreboot SBOM, there is an option in
+Kconfig (usually called `CONFIG_INCLUDE_[software-name]_SBOM`) to either
+include or not include SBOM metadata for the specified software.
+Furthermore there is a `CONFIG_SBOM_[software-name]_PATH` option which
+contains a path to a SWID/CoSWID file in a format of choice
+(being either JSON, XML or CBOR). `CONFIG_SBOM_[software-name]_PATH`
+option usually defaults to a very generic CoSWID file in JSON format
+(which are stored in src/sbom/). That at least gives minimal
+information like the name of the software and maybe a version.
+But it is always preferred, that the `CONFIG_SBOM_[software-name]_PATH`
+is set to a custom CoSWID/SWID file that contains much more information
+(like version/commit-hash, license, URL, dependencies, ...).
+Therefore using the defaults is by any means to be avoided, since they
+hold very little information or even worse wrong information.
+Furthermore some of these Kconfig options have a suboption
+(usually called `CONFIG_SBOM_[software-name]_GENERATE`) to generate
+some basic SBOM data for the specified software component, in order to
+get at least some bit of information about it by analyzing the binary
+(for binary blobs) or querying information via git (for open source
+projects). This is for example currently done for all payloads. For
+each payload the commit hash used in the build is taken and put into
+the SBOM file. For open-source projects (like all payloads) crucial
+information like the current commit-hash of the payload can easily be
+put into the SBOM file. Extracting information out of binary blobs is a
+bit trickier for obvious reasons. For closed source binary blobs it is
+therefore recommended that vendors and software-engineers create a SBOM
+file as part of their build process and add a path to that SBOM file
+via Kconfig options in coreboot (`CONFIG_SBOM_[software-name]_PATH`).
+That way the final SBOM has much more useful and correct data.
+
+
+## Build coreboot with SBOM
+
+Directly under the 'General setup' Kconfig menu is a
+'Software Bill of Materials (SBOM)' submenu where all options are to
+enable/disable SBOM integration in to the corebeoot build.
+Therefore one can just enable/disable them via `make menuconfig`.
+
+
+## What to do as Developer of a binary blob (which is used in coreboot)
+
+1. Generate a SWID/CoSWID/uSWID File in either JSON, XML or CBOR Format
+as part of your software build process
+
+2. Supply that generated File along with your binary blob (preferably
+not inside the blob)
+
+3. To build coreboot: Add `CONFIG_SBOM_[software-name]_PATH` to your
+defconfig pointing to your [software-name] generated File.
+
+
+## What to do as Developer of an open source project (which is used in coreboot)
+
+1. Generate a SWID/CoSWID/uSWID file in either JSON, XML or CBOR format
+as part of your software's build process. For example in form of a
+Makefile target.
+
+2. Change src/sbom/Makefile.inc (in order to know where to find the
+CoSWID/SWID/uSWID file) as well as the Makefile in coreboot which
+builds said software. For example for GRUB2 that could mean to add a
+Makefile target in payloads/external/GRUB2/Makefile.
+
+
+## Problems
+
+What to do if the binary blob that is included in coreboot's build
+already has a SBOM file embedded in the binary? One could supply the
+path of the software binary itself (e.g. me.bin) as SBOM file path for
+the software in question. Which would basically mean to set
+`CONFIG_SBOM_[software-name]_PATH=/path/to/me.bin`. This is possible
+since the 'goswid' tooling is able to extract uSWID information out of
+an unknown binary format because of uSWIDs magic value. But even if
+coreboot can extract the uSWID data there is still the question of what
+to do next. One can do one of the following:
+
+ - Do not include the Software's SBOM data in the final SBOM of
+ coreboot. Data would not be duplicated, but therefore not included
+ in coreboot SBOM file.
+
+ - Extract the uSWID/CoSWID information from the binary and also
+ include it in the coreboot SBOM. That would mean, that SBOM data
+ is duplicated.
+
+The first solution should in general be preferred, since its no
+problem if SBOM data is located at multiple locations/binaries if they
+don't have a direct dependency on each other. It would be good if
+software that cannot run on its own only supplies the SBOM data along
+with it as kind of extra file instead of embedded in an unknown binary
+blob. coreboot can then just take it and include it in its own SBOM
+file. If on the other hand the binary can function on its own (e.g. EC
+or BMC binary), it is generally preferred that the software supplies
+its own SBOM data and coreboot just simply doesn't include it in its
+own SBOM file. That would make a more or less clear distinction and
+avoids duplication in case the BMC or EC is updated (without updating
+coreboot). The distinction is not always easy and this problem is
+currently not considered in the implementation, since none of the
+software components currently create a SBOM file on their own.
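Review bot: In the "coreboot implementation" section the text says the default files in src/sbom/ "hold very little information or even worse wrong information", yet `CONFIG_SBOM_[software-name]_PATH` defaults to exactly those files, and nothing here tells a consumer of sbom.uswid how to distinguish a generic default entry from a vendor-supplied one. Suggest documenting how default entries can be recognised (or that the build warns when a default is in use), because an SBOM entry with a wrong version misleads vulnerability matching more than a missing entry does. The "Problems" section should likewise say whether uSWID data extracted from a blob via `CONFIG_SBOM_[software-name]_PATH=/path/to/me.bin` is checked in any way before it is merged. Minor: "corebeoot" and "integration in to" under "Build coreboot with SBOM", and the CoSWID RFC is mentioned twice but never named or linked.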
diff --git a/Documentation/sbom/sbom_generation.plantuml b/Documentation/sbom/sbom_generation.plantuml
new file mode 100644
index 0000000000..e8d9f1ebbf
--- /dev/null
+++ b/Documentation/sbom/sbom_generation.plantuml
@@ -0,0 +1,61 @@
+@startuml
+
+map "src/sbom/compiler-gcc.json" as gcc {
+ software-name => GCC
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/intel-me.json" as me {
+ software-name => Intel Mangement Engine
+ ... => ...
+}
+map "src/sbom/intel-microcode.json" as ucode {
+ software-name => Intel Microcode
+ ... => ...
+}
+map "src/sbom/generic-ec.json" as ec {
+ software-name => ecxyz
+ ... => ...
+}
+map "src/sbom/generic-fsp.json" as fsp {
+ software-name => Firmware Support Package
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/payload-[...].json" as payload {
+ software-name => ...
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/coreboot.json" as coreboot {
+ software-name => coreboot
+ version => x.y.z
+ url => coreboot.rocks
+ ... => ...
+}
+object "sbom.uswid" as uswid {
+ merged SBOM data in binary format
+}
+object goswid {
+ # ./goswid
+ --compiler gcc.json
+ --parent coreboot.json
+ --requires fsp.json,payload.json
+ intel-me.json
+ intel-ec.json
+ intel-ucode.json
+ --output sbom.uswid
+}
+
+left to right direction
+gcc --> goswid
+me --> goswid
+ucode --> goswid
+goswid <-- ec
+goswid <-- fsp
+goswid <-- payload
+
+coreboot -up> goswid
+goswid -up> uswid
+
+@enduml
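Review bot: In the `object goswid` block the command-line arguments do not line up with the files the maps declare: `intel-ec.json` has no matching map (the EC map is "src/sbom/generic-ec.json"), `intel-ucode.json` stands for "src/sbom/intel-microcode.json", and `fsp.json` for "src/sbom/generic-fsp.json". Suggest using the same base names as the maps so the diagram can be read as the actual invocation. Also, "Intel Mangement Engine" in the `me` map should read "Intel Management Engine".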
diff --git a/Documentation/sbom/sbom_generation.svg b/Documentation/sbom/sbom_generation.svg
new file mode 100644
index 0000000000..2a5e4f57f2
--- /dev/null
+++ b/Documentation/sbom/sbom_generation.svg
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentStyleType="text/css" height="401px" preserveAspectRatio="none" style="width:949px;height:401px;background:#FFFFFF;" version="1.1" viewBox="0 0 949 401" width="949px" zoomAndPan="magnify"><defs/><g><g id="elem_gcc"><rect fill="#F1F1F1" height="83.1997" style="stroke:#181818;stroke-width:0.5;" width="187" x="48.5" y="17"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="173" x="55.5" y="32.0059">src/sbom/compiler-gcc.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="48.5" x2="235.5" y1="37.7999" y2="37.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="53.5" y="52.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="31" x="158.5" y="52.8059">GCC</text><line style="stroke:#181818;stroke-width:1.0;" x1="153.5" x2="153.5" y1="37.7999" y2="58.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="48.5" x2="235.5" y1="58.5999" y2="58.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="46" x="78" y="73.6058">version</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="29" x="158.5" y="73.6058">x.y.z</text><line style="stroke:#181818;stroke-width:1.0;" x1="153.5" x2="153.5" y1="58.5999" y2="79.3998"/><line style="stroke:#181818;stroke-width:1.0;" x1="48.5" x2="235.5" y1="79.3998" y2="79.3998"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="95" y="94.4057">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="158.5" y="94.4057">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="153.5" x2="153.5" y1="79.3998" 
y2="100.1997"/></g><g id="elem_me"><rect fill="#F1F1F1" height="62.3998" style="stroke:#181818;stroke-width:0.5;" width="270" x="7" y="140"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="143" x="70.5" y="155.0059">src/sbom/intel-me.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="7" x2="277" y1="160.7999" y2="160.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="12" y="175.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="155" x="117" y="175.8059">Intel Mangement Engine</text><line style="stroke:#181818;stroke-width:1.0;" x1="112" x2="112" y1="160.7999" y2="181.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="7" x2="277" y1="181.5999" y2="181.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="53.5" y="196.6058">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="117" y="196.6058">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="112" x2="112" y1="181.5999" y2="202.3998"/></g><g id="elem_ucode"><rect fill="#F1F1F1" height="62.3998" style="stroke:#181818;stroke-width:0.5;" width="212" x="36" y="243"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="189" x="47.5" y="258.0059">src/sbom/intel-microcode.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="36" x2="248" y1="263.7999" y2="263.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="41" y="278.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="97" x="146" y="278.8059">Intel Microcode</text><line style="stroke:#181818;stroke-width:1.0;" x1="141" x2="141" y1="263.7999" y2="284.5999"/><line 
style="stroke:#181818;stroke-width:1.0;" x1="36" x2="248" y1="284.5999" y2="284.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="82.5" y="299.6058">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="146" y="299.6058">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="141" x2="141" y1="284.5999" y2="305.3998"/></g><g id="elem_ec"><rect fill="#F1F1F1" height="62.3998" style="stroke:#181818;stroke-width:0.5;" width="173" x="711.5" y="27"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="159" x="718.5" y="42.0059">src/sbom/generic-ec.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="711.5" x2="884.5" y1="47.7999" y2="47.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="716.5" y="62.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="36" x="821.5" y="62.8059">ecxyz</text><line style="stroke:#181818;stroke-width:1.0;" x1="816.5" x2="816.5" y1="47.7999" y2="68.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="711.5" x2="884.5" y1="68.5999" y2="68.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="758" y="83.6058">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="821.5" y="83.6058">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="816.5" x2="816.5" y1="68.5999" y2="89.3998"/></g><g id="elem_fsp"><rect fill="#F1F1F1" height="83.1997" style="stroke:#181818;stroke-width:0.5;" width="288" x="654" y="130"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="163" x="716.5" y="145.0059">src/sbom/generic-fsp.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="654" x2="942" 
y1="150.7999" y2="150.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="659" y="165.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="173" x="764" y="165.8059">Firmware Support Package</text><line style="stroke:#181818;stroke-width:1.0;" x1="759" x2="759" y1="150.7999" y2="171.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="654" x2="942" y1="171.5999" y2="171.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="46" x="683.5" y="186.6058">version</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="29" x="764" y="186.6058">x.y.z</text><line style="stroke:#181818;stroke-width:1.0;" x1="759" x2="759" y1="171.5999" y2="192.3998"/><line style="stroke:#181818;stroke-width:1.0;" x1="654" x2="942" y1="192.3998" y2="192.3998"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="700.5" y="207.4057">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="764" y="207.4057">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="759" x2="759" y1="192.3998" y2="213.1997"/></g><g id="elem_payload"><rect fill="#F1F1F1" height="83.1997" style="stroke:#181818;stroke-width:0.5;" width="181" x="707.5" y="253"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="167" x="714.5" y="268.0059">src/sbom/payload-[...].json</text><line style="stroke:#181818;stroke-width:1.0;" x1="707.5" x2="888.5" y1="273.7999" y2="273.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="712.5" y="288.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="817.5" y="288.8059">...</text><line 
style="stroke:#181818;stroke-width:1.0;" x1="812.5" x2="812.5" y1="273.7999" y2="294.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="707.5" x2="888.5" y1="294.5999" y2="294.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="46" x="737" y="309.6058">version</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="29" x="817.5" y="309.6058">x.y.z</text><line style="stroke:#181818;stroke-width:1.0;" x1="812.5" x2="812.5" y1="294.5999" y2="315.3998"/><line style="stroke:#181818;stroke-width:1.0;" x1="707.5" x2="888.5" y1="315.3998" y2="315.3998"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="754" y="330.4057">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="817.5" y="330.4057">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="812.5" x2="812.5" y1="315.3998" y2="336.1997"/></g><g id="elem_coreboot"><rect fill="#F1F1F1" height="103.9996" style="stroke:#181818;stroke-width:0.5;" width="209" x="361" y="291"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="148" x="391.5" y="306.0059">src/sbom/coreboot.json</text><line style="stroke:#181818;stroke-width:1.0;" x1="361" x2="570" y1="311.7999" y2="311.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="95" x="366" y="326.8059">software-name</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="56" x="471" y="326.8059">coreboot</text><line style="stroke:#181818;stroke-width:1.0;" x1="466" x2="466" y1="311.7999" y2="332.5999"/><line style="stroke:#181818;stroke-width:1.0;" x1="361" x2="570" y1="332.5999" y2="332.5999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="46" x="390.5" 
y="347.6058">version</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="29" x="471" y="347.6058">x.y.z</text><line style="stroke:#181818;stroke-width:1.0;" x1="466" x2="466" y1="332.5999" y2="353.3998"/><line style="stroke:#181818;stroke-width:1.0;" x1="361" x2="570" y1="353.3998" y2="353.3998"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="16" x="405.5" y="368.4057">url</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="94" x="471" y="368.4057">coreboot.rocks</text><line style="stroke:#181818;stroke-width:1.0;" x1="466" x2="466" y1="353.3998" y2="374.1997"/><line style="stroke:#181818;stroke-width:1.0;" x1="361" x2="570" y1="374.1997" y2="374.1997"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="407.5" y="389.2057">...</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="12" x="471" y="389.2057">...</text><line style="stroke:#181818;stroke-width:1.0;" x1="466" x2="466" y1="374.1997" y2="394.9996"/></g><g id="elem_uswid"><rect fill="#F1F1F1" height="45.5999" style="stroke:#181818;stroke-width:0.5;" width="241" x="345" y="7"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="75" x="428" y="22.0059">sbom.uswid</text><line style="stroke:#181818;stroke-width:0.5;" x1="346" x2="585" y1="27.7999" y2="27.7999"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="229" x="351" y="44.8059">merged SBOM data in binary format</text></g><g id="elem_goswid"><rect fill="#F1F1F1" height="163.1993" style="stroke:#181818;stroke-width:0.5;" width="225" x="353" y="88.5"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="44" x="443.5" y="103.5059">goswid</text><line 
style="stroke:#181818;stroke-width:0.5;" x1="354" x2="577" y1="109.2999" y2="109.2999"/><polygon fill="none" points="364,118.1999,368,122.1999,364,126.1999,360,122.1999" style="stroke:#B38D22;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="52" x="373" y="126.3059">./goswid</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="120" x="373" y="143.1058">--compiler gcc.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="141" x="373" y="159.9057">--parent coreboot.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="199" x="373" y="176.7057">--requires fsp.json,payload.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="81" x="373" y="193.5056">intel-me.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="76" x="373" y="210.3055">intel-ec.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="100" x="373" y="227.1054">intel-ucode.json</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="129" x="373" y="243.9054">--output sbom.uswid</text></g><!--MD5=[4918544efbcb188b8a7757094362b13c]
+link gcc to goswid--><g id="link_gcc_goswid"><path codeLine="50" d="M243.4,92.29 C276.15,103.8 312.8,116.68 346.7,128.6 " fill="none" id="gcc-to-goswid" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="351.12,130.15,343.9558,123.3917,346.4029,128.4919,341.3028,130.939,351.12,130.15" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[4dd9e64dfe99293b397c567cda86ce7e]
+link me to goswid--><g id="link_me_goswid"><path codeLine="51" d="M284.95,170 C305.44,170 326.35,170 346.31,170 " fill="none" id="me-to-goswid" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="351.24,170,342.24,166,346.24,170,342.24,174,351.24,170" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[d7eb729953c89f90ee34d79e977c9d9e]
+link ucode to goswid--><g id="link_ucode_goswid"><path codeLine="52" d="M248.72,239.13 C280.07,229.09 314.61,218.02 346.68,207.75 " fill="none" id="ucode-to-goswid" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="351.2,206.3,341.4078,205.245,346.4397,207.8296,343.8551,212.8615,351.2,206.3" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[7a44b31c2b8314bdd1505531e9a33bbd]
+reverse link goswid to ec--><g id="link_goswid_ec"><path codeLine="53" d="M584.54,129.1 C605.02,122.04 626.12,114.79 646,108 C664.59,101.65 684.48,94.9 703.53,88.46 " fill="none" id="goswid-backto-ec" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="579.92,130.69,589.732,131.5412,584.6475,129.0618,587.1269,123.9773,579.92,130.69" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[fc74783236d55f36e4f8a2c816f5f147]
+reverse link goswid to fsp--><g id="link_goswid_fsp"><path codeLine="54" d="M584.82,170 C604.74,170 625.65,170 646.25,170 " fill="none" id="goswid-backto-fsp" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="579.91,170,588.91,174,584.91,170,588.91,166,579.91,170" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[0bb7778bfeb2bbeecbbe903135b9ed39]
+reverse link goswid to payload--><g id="link_goswid_payload"><path codeLine="55" d="M584.42,213.88 C622.16,227.93 663.49,243.31 699.6,256.75 " fill="none" id="goswid-backto-payload" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="579.81,212.17,586.8509,219.0566,584.4963,213.9131,589.6399,211.5585,579.81,212.17" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[8367c5f05c2f9b7a12d32d677f99f5c7]
+reverse link goswid to coreboot--><g id="link_goswid_coreboot"><path codeLine="57" d="M465.5,258.3 C465.5,267.95 465.5,277.59 465.5,287.23 " fill="none" id="goswid-backto-coreboot" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="465.5,253.48,461.5,262.48,465.5,258.48,469.5,262.48,465.5,253.48" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[1e17c1fe2e3c525269e1ca938c184480]
+reverse link uswid to goswid--><g id="link_uswid_goswid"><path codeLine="58" d="M465.5,59.5 C465.5,69.08 465.5,78.66 465.5,88.24 " fill="none" id="uswid-backto-goswid" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="465.5,54.72,461.5,63.72,465.5,59.72,469.5,63.72,465.5,54.72" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[f035cc917737bdf304dc08c266828a23]
+@startuml
+
+map "src/sbom/compiler-gcc.json" as gcc {
+ software-name => GCC
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/intel-me.json" as me {
+ software-name => Intel Mangement Engine
+ ... => ...
+}
+map "src/sbom/intel-microcode.json" as ucode {
+ software-name => Intel Microcode
+ ... => ...
+}
+map "src/sbom/generic-ec.json" as ec {
+ software-name => ecxyz
+ ... => ...
+}
+map "src/sbom/generic-fsp.json" as fsp {
+ software-name => Firmware Support Package
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/payload-[...].json" as payload {
+ software-name => ...
+ version => x.y.z
+ ... => ...
+}
+map "src/sbom/coreboot.json" as coreboot {
+ software-name => coreboot
+ version => x.y.z
+ url => coreboot.rocks
+ ... => ...
+}
+object "sbom.uswid" as uswid {
+ merged SBOM data in binary format
+}
+object goswid {
+ # ./goswid
+ - -compiler gcc.json
+ - -parent coreboot.json
+ - -requires fsp.json,payload.json
+ intel-me.json
+ intel-ec.json
+ intel-ucode.json
+ - -output sbom.uswid
+}
+
+left to right direction
+gcc - -> goswid
+me - -> goswid
+ucode - -> goswid
+goswid <- - ec
+goswid <- - fsp
+goswid <- - payload
+
+coreboot -up> goswid
+goswid -up> uswid
+
+@enduml
+
+PlantUML version 1.2022.7(Mon Aug 22 19:01:30 CEST 2022)
+(GPL source distribution)
+Java Runtime: OpenJDK Runtime Environment
+JVM: OpenJDK 64-Bit Server VM
+Default Encoding: UTF-8
+Language: en
+Country: US
+--></g></svg>
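Review bot: The trailing XML comment in this generated file embeds a full copy of the PlantUML source plus the generator environment (PlantUML version, Java runtime, JVM, encoding, locale), which duplicates sbom_generation.plantuml and will change on every regeneration with a different toolchain. Suggest exporting without metadata (for example PlantUML's `-nometadata` option) or building the SVG from the .plantuml file at documentation build time instead of committing it. The "Intel Mangement Engine" typo from the source is carried into the rendered text here, so the SVG needs regenerating once the .plantuml file is fixed.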