[slsa_for_models] Support directory models (SavedModel)

[mihaimaruseac]

Models that are saved as a directory (e.g., TF's SavedModel) require SLSA changes to record the hash. This is different that what we use for signing, where we can compute a directory hash.

Until we standardize this for SLSA, we won't be able to support these directory models for now. We need to converge on a single scheme for both signing and SLSA.

[MarkLodato]

Could you explain what's wrong with the current approach, where each file is listed individually in the subject?

[mihaimaruseac]

Models beyond a certain size (SavedModel or not) split the weights into multiple files. Each will be listed individually in the subject, but the verification only looks at the hashes, not at the file names. So someone could swap the names of two files (model-0001.pth and model-0042.pth for example), the model will still load but will misbehave (unclear how possible this is and what would be an upper bound on impact). SLSA verification will still pass though, so that's why we need something else.

[mihaimaruseac]

Another issue here is that you can remove a file from the directory, SLSA verification will still pass, but most models will no longer work

[laurentsimon]

Let's implement a Go library (or just create a Go reference implementation) of the existing serialize_v1 https://github.com/google/model-transparency/blob/main/model_signing/serialize.py#L325. slsa-framework/slsa-verifier#730 and slsa-framework/slsa-github-generator#3070 can make use of it. It will avoid duplicating implementations. Overtime we can create ref implementations for other languages in this repo. Wdut?

[mihaimaruseac]

This sounds great! Let's chat about this and plan it

[mihaimaruseac]

We should migrate to using the same hashing scheme as in model signing, but this will require first a standardization and then updating SLSA tooling