Microsoft is designing a hardware chip that will secure server firmware, and it wants an open source community to help it.
The chip will defend firmware from “malicious insiders,” hackers that exploit bugs in the infrastructure stack, compromised binaries, and even attempts to break in when hardware is being manufactured, assembled, or shipped.
To design it, the company is hoping to use the same process it used to design its latest cloud server hardware – by open sourcing the project in its beginning stages and using a communal effort of internal and external contributors. It launched the open source project, called Project Cerberus, today and contributed a first draft.
Microsoft broke new ground when it went the open source route with Project Olympus in October 2016, launching an open source project to develop a server platform. Previous open source data center hardware efforts consisted of companies like Facebook and Microsoft open sourcing complete custom hardware specs, not actually having hardware designed the way a lot of open source software gets created.
The company launched Project Olympus by open sourcing a server design that was about half-way finished. Today, the company announced that it’s been completed, and servers built to the design have been running in Azure data centers, supporting the Microsoft cloud’s fastest VMs yet: the Fv2 Virtual Machine family, powered by Intel Xeon Scalable processors and meant for resource-heavy, large-scale workloads, such as financial modeling, scientific analysis, genomics, and deep learning.
Both Olympus and Cerberus are part of the Open Compute Project, the data center infrastructure design community Facebook launched in 2011.
Similar to Google’s Titan, a proprietary chip the Alphabet subsidiary designed to secure its servers, Cerberus will be a “hardware root of trust specifically designed to provide robust security for all platform firmware.” That includes firmware on the motherboard, such as BIOS and BMC, and peripheral I/O device firmware. The initial draft Microsoft released today covers motherboard firmware.
In a blog post, Kushagra Vaid, GM for Azure hardware infrastructure, wrote:
Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.
The project’s scope extends beyond the data center. Because the spec is CPU and I/O architecture agnostic, it can secure firmware on everything from servers to IoT devices.