Hello everyone, my name is Mark Minier and I work for ARM and I'm part of the infrastructure line of business, focused on software ecosystem development with a special interest in security projects. So I basically work with partners to promote security advancements at the edge and in the cloud, and I represent ARM at the board of governance at the Confidential Compute Consortium.

Today I'm going to talk to you about a CNCF project called Parsec. If you're not familiar with the CNCF structure, a Sandbox project is an early-stage project, and in the case of Parsec it's a new project that fits the CNCF mission. It was contributed to the CNCF to remove possible legal and governance obstacles to adoption and to facilitate contribution by other developers in the community. It's a great place to collaborate openly on interesting projects that benefit multiple environments. Our goal with Parsec is to mature the program and to move it up to the next level of maturity within the CNCF.

Now getting back to Parsec. Parsec is a security project that provides an abstraction layer between the root of trust and applications. This abstraction layer provides a set of APIs for security functions such as key management or cryptographic operations, and provides this API to the application layer without creating a strong dependency on the security primitives in the system.

Let's consider an example to showcase the flexibility that Parsec brings to a system. For this example we'll take a Raspberry Pi and a need to implement a key exchange between a cloud service and the end device. Now as a developer you can implement this feature directly and be up and running fairly quickly. But then what happens if you need to harden your solution and protect the keys in a hardware root of trust like a TPM? At this point you might decide that it's easier to code to the new security interface, to start over from scratch and re-implement the security functions tied to that hardware module.
You'll realize that it's a lot of work and it's complicated to implement even a simple function such as key exchange with the TPM interface. Now consider what happens if you need to change the hardware root of trust with a different implementation like an HSM module. If you implemented directly against the TPM interface, you now need to start over once again and re-implement that security function to work with the new interface, the HSM module.

Now here's where Parsec comes in. Parsec can provide a standard interface to the application layer that doesn't change with the various backends. So instead you would leverage a modular back-end provider that's part of the Parsec project to match up with the root of trust. That simple change would enable your applications to leverage the various roots of trust between these three different examples without changing a line of code in your application. Now this is a simple example, but you can imagine how this story evolves and how an abstraction layer could simplify and future-proof your system.

Paul Howard joined Robert Wolfe to record an eight-part ARM software developer series that provides a step-by-step tutorial. It explains how to replicate an environment based on Parsec to support key exchanges as an example of a security function on a Raspberry Pi. Now I will not play the video here as it is quite long, but I encourage you to go to this link and see the eight-part video series.

Now Parsec is a collaborative project and interacts with many different projects that already exist. Most implementations today see Parsec integrated with the Linux distro. In the example that Paul and Robert walked through, you will see how to install the service on a standard Linux distro of your choice without any shortcuts. If you happen to be working with Red Hat Fedora or OpenSUSE, you will find a neatly packaged install that simplifies the setup of Parsec.
And one step further, Fedora IoT now ships with Parsec pre-installed, and we are working with the community to expand this footprint with other distros and would welcome collaboration to bring Parsec to the distro of your choice.

Now Parsec functionality is continuously evolving. New security functions are implemented on a regular basis. One example is the ability to serve as an arbitrator servicing multiple independent requests for a single root of trust. This comes up in IoT gateways and edge servers where a need to protect data between multiple applications comes up. Now Parsec is more than just a library, it's a microservice, and it can connect with an ID provider to create independent channels to a single root of trust. It can then verify the trust relationship with the provider and ensure the separation between these channels. This functionality enables a multi-tenancy environment at the edge.

Here's another video shoot. This one here showcases two CNCF projects that come together to offer an example of how to create a multi-tenancy environment: SPIFFE as the ID provider, and Parsec to verify the ID and implement the independent channels to provide security service on a per-application basis. I encourage you to click on the link and explore this video to see how Parsec can be used to enable this advanced functionality.

Now the API that is exposed to the application layers is based on modular blocks that can be created for the language that suits your application. Currently, Parsec has front-end interfaces in Rust and Go and in C, and also supports a very practical command line interface that has proven useful to set up and test the service. The number of backend modules is also growing. Today, it includes interfaces for TPM 2.0, PKCS#11, Mbed Crypto, CryptoAuthLib, and the team is working through the implementation that will line up with PSA services in OP-TEE. This diagram demonstrates other modular blocks which evolve at their own pace.
The services or APIs that are implemented in Parsec are highlighted in green. It includes key creation, key import, export, sign and verify hash, asymmetrical encryption. And then the next layer of APIs in yellow represent functions that are implemented for either only one or a few of the backends or features that are quite fully completed.

Now this completes my presentation, and I encourage you to come and meet the team and leverage the great work that's been done to simplify security at the edge in IoT. Thank you.