Security is a multi-step process. There’s a chain of trust, with each link verified and authenticated by the one that comes before. But eventually, the chain stops somewhere. The pedal meets the metal.
Or, as the case may be, silicon.
Until recently, semiconductor security was more of a theoretical threat than a real one, but attacks on firmware have been increasing.
Earlier this year, the Department of Homeland Security warned that firmware “presents a large and ever-expanding attack surface.”
According to the agency, companies often overlook firmware security, making it one of the stealthiest methods to compromise devices at scale. When they get access to firmware, attackers can subvert operating systems and hypervisors, bypass most security systems, and persist in environments for long periods of time while conducting operations and doing damage.
“Despite its essential role in electronic devices, firmware security has not traditionally been a high priority for manufacturers or users and is not always well protected,” the agency said.
Last spring, Microsoft reported that more than 80% of enterprises have experienced at least one firmware attack in the previous two years.
Protecting against this threat starts with a root of trust – a way to assure that the core systems are what they should be.
According to Nigel Edwards, security engineering fellow and vice president at Hewlett Packard Enterprise, not only should every device have a root of trust, but every subsystem on every device.
If root of trust technology had been in place, botnets like Mirai would have failed, because untrusted code could not have run on those devices.
Root of trust standards include the OCP Security Root of Trust. It’s based on NIST’s Platform Firmware Resiliency Guidelines released in the spring of 2018.
Security from the ground up
One company that’s working to address the problem is Microchip, which announced an update to its Trust Shield root of trust product today.
In addition to ensuring that when servers boot up they start with a guaranteed, secure environment, the new release, the CEC1736 root of trust controller, also supports SPI bus runtime protection that monitors traffic between the CPU and its Flash memory, to ensure that attackers aren’t changing the Flash.
“Chip makers now have some types of security,” said Jeannette Wilson, senior marketing manager at Microchip. “But they don’t all have root of trust. They are starting to add secure boot, but it will be many months, or even years, before we’ll actually see production.”
As a result, some server manufacturers aren’t waiting and turning to third-party providers like Microchip to get their root of trust earlier.
Microchip’s customers aren’t just companies designing motherboards and building servers, she said. “The big cloud vendors are all looking at this.”
One advantage of having a third-party root of trust is that many server manufacturers use chips from different companies. “Now they can add the same root of trust to all their servers,” she said.
The technology can be added to existing hardware. The latest generation, the CEC1736, does need additional code, she said, to do real-time monitoring. “It’s something you can add on,” she said.
Most cyber attacks happen remotely, Wilson said. “That is, by design, what root of trust is designed to protect against.”
But with the real-time SPI monitoring, the system can detect even if, in an unlikely scenario, a Mission Impossible-style attacker – or a malicious insider – has broken into a data center and is physically switching out Flash memory.
Other improvements in the CEC1736 include in-package Flash, where customers can store ‘golden’ images. Microchip has also added a physically unclonable function, which can be used to create secure keys.
“We’ve also added device and firmware attestation, helping to attest the authenticity of other peripherals in the system,” she said. “This is a very critical component in the server and data center world.”
In addition to data centers, other use cases include multi-function printers, telecoms, and industrial infrastructure. Microchip isn’t releasing any customer names at this time, however.
“We’re so early in the process,” Wilson said. “Even though we have clients using it right now, they are still in development and have not announced their products yet.”
The root of trust landscape
The big hyperscale companies are all investing in root of trust technologies.
Google, for example, uses proprietary Titan architecture to ensure platform integrity. In 2019, it launched OpenTitan, an open source root of trust project. Its partners include Taiwanese semiconductor manufacturer Nuvoton, and storage companies Western Digital, Seagate, and Winbond. OpenTitan is also supported by Intrinsic ID, a provider of physical unclonable function security.
Amazon uses the Nitro System for all modern Amazon EC2 instances, which relies on a hardware-based root of trust using the Nitro Security Chip.
Meanwhile, Microsoft has a hardware-based root of trust in its Azure Sphere platform, residing in the Pluton security subsystem. Pluto is about to hit the consumer market for the first time. Microsoft announced the design back in the fall of 2020.
The first consumer computer to use the new security tech was announced earlier this year, the AMD-powered Lenovo ThinkPad X13, which is supposed to hit the market this month, but doesn’t seem to be out yet.
Third-party root of trust
Microchip’s competitors include Kameleon, an Israeli semiconductor startup that’s collaborating with Xilinx, a California-based semiconductor company.
Kameleon’s root of trust works on Intel, AMD, and ARM architectures, and supports peripheral attestation. The company claims to be the first to market with root of trust products fully compliant with the Open Compute Project standard. It’s also compliant with the NIST 800-193 Platform Firmware Resiliency standard.
“We see increasing demand for OCP compliant solutions from the technologically advanced customers, such as hyperscalers and cloud service providers, that need this extra level of security,” said George Wainblat, Kameleon’s VP of product.
But other sectors are starting to show interest as well, he told Data Center Knowledge. These include original equipment manufacturers and original design manufacturers, as well as appliance vendors making hardware security modules, networking, and other devices.
Another root of trust vendor, Lattice Semiconductor, joined the Open Compute Project Foundation in March.
Like Xilinx, Lattice makes field-programmable gate arrays (FPGAs) — integrated circuits designed to be configured by end-customers. Its Lattice Sentry solution stack includes a NIST-compliant, FPGA-based platform firmware resiliency root of trust.
Yet another competitor in this crowded field is Rambus, which offers a catalog of root of trust solutions for everything from IoT devices and sensors, to security co-processors for cloud and AI workloads.
Its most recent root of trust customer announcement is with Kyocera’s Evolution Series multi-function printers.
Silex Insight also offers root of trust technology, primarily in the IoT space, and recently announced a partnership with IoT security company ZAYA, to help secure microcontainers.