One thing that makes cybersecurity so difficult is that computing frameworks rely on multiple layers of abstraction — applications and accessories and more applications all running on an operating system balanced on firmware sitting on hardware.
"Everything depends on the trust and resilience of the layers below it," states Neil MacDonald, distinguished research vice president at Gartner. If someone tampers with or replaces the BIOS firmware, for example, the entire system is at risk after boot.
The concept of a "hardware-based root of trust" takes aim at issues like this; it ensures that a computer always boots with legitimate code. As Doug Hascall, senior manager of security and open firmware futures at Hewlett Packard Enterprise (HPE) explains, "A root of trust is ideally based on a hardware-validated boot process that ensures the system can only be started using code from an immutable source."
It's not a new concept. The Trusted Platform Module (TPM), for example — probably sitting inside your laptop computer right now — is one of several things that might be considered the foundation of a hardware root of trust. A TPM is, more accurately, firmware — firmware that is supported by ARM, AMD, and Intel hardware (among others).
However, efforts in the industry are underway to dig the root of trust even deeper into the chipset. Major firmware vulnerabilities like TPM-Fail, Meltdown and Spectre revealed in recent years have pushed them forward.
The DARPA "Secure Silicon" initiative is aiming to make processors even more inherently secure. And a growing number of hardware, infrastructure, and cloud companies — including HPE, Dell, AWS, Microsoft and Google — are engineering more secure systems from deeper roots of trust. The technology is even beginning to appear in some Internet of Things (IoT) devices and industrial control systems.
Beyond the Boot
With RoT technology, "It's possible to gain a high degree of assurance that what's expected to be running is actually running," MacDonald explains.
The technology achieves this level of protection using an encrypted instruction set that is etched into the chip at the time it is manufactured. When the system boots, the chip checks this immutable signature to validate the BIOS. If everything checks out the computer loads the software stack. If there's a problem, it simply won't boot.
Secure silicon doesn't directly protect against all types of threats, but it does ensure that a system is secure at the foundational level. This is critical because attackers who gain access to the BIOS or firmware can potentially bypass the operating system and tamper with encryption and antivirus software, notes Rick Martinez, senior distinguished engineer in the Client Solutions Group Office of the CTO at Dell Technologies.
"It provides a reliable trust anchor for supply chain security for the platform or device," Martinez notes.
Intel has introduced the SGX chip, which bypasses a system's OS and virtual machine (VM) layers while altering the way the system accesses memory. SGX also supports verification of the application and the hardware it is running. As a result, the SGX chip can provide protection from software-based attacks, such as side-channel attacks like Meltdown and Spectre (but not against load value injection attacks). Intel's new vPro processors aim to help defend against ransomware.
Dell's PowerEdge line of servers and HPE's Proliant Gen 10 servers and Greenlake on-premises cloud offering now have silicon roots of trust built inside.
Cloud providers such as AWS, Microsoft, and Google are also getting into the act. For instance, Google's platform, OpenTitan, introduces a secure, low-power open source chip design to boost security within datacenters. Intel's Ice Lake also enhances CPU security specifically for cloud workloads.
In November, Microsoft, AMD, Intel, and Qualcomm Technologies released the Microsoft Pluton security processor. This "chip-to-cloud" technology was pioneered in Microsoft's Azure Sphere environment, which supports a silicon root of trust for IoT and cloud frameworks.
Building Greater Trust
Although secure silicon isn't required for every device and every situation, it makes sense for organizations to migrate to devices enabled with a hardware root of trust, MacDonald says. He suggests asking hardware manufacturers and cloud providers where secure silicon chips were engineered and produced. For example, HPE produces its own chips in the US.
"You want to know that they came from a trusted area of the world and that they haven't been subjected to tampering," he says.
Over the next few years, it's likely that the building blocks of silicon RoT will converge and mature further.
For instance, some systems, including HPE's, are now using the Unified Extensible Firmware Interface (UEFI), which replaces a BIOS and introduces a more modern security framework that supports RoT.
In addition, Intel has announced it will produce secure silicon that supports fully homomorphic encryption.
Martinez predicts that RoT will soon intersect with areas such as asymmetric cryptography, signed firmware, authentication of firmware at boot, attestation, trust chaining, and the use of component identities.
"This will drive alignment across vendors and allow specific implementation to differentiate themselves, but also create some compatibility expectations up the stack," he says.
In fact, HPE and Dell are now collaborating with industry partners — including Intel, AMD, Broadcom, and Qualcomm — to develop the Security Protocol and Data Model (SPDM). This would help overcome a current roadblock involving incompatible RoT technology across vendors. The standard would enable secure chips to exchange messages with an option card to validate the authenticity of the option card firmware. This feature would allow a chip to validate the firmware on storage, network, and accelerator adapters.
To be sure, it's not a question of whether computing devices will transition to secure silicon, but rather when. What's more, the technology will spread to industrial control systems and a wider range of IoT devices over the coming years.
"Security at the silicon level is appealing," MacDonald says. "As security concerns and data privacy requirements grow, the technology is one way to boost system integrity and assurance."