Scott Johnson Dominic Rizzo Parthasarathy Ranganathan Jon McCune Richard Ho. Titan: enabling a transparent silicon root of trust for Cloud

Size: px

Start display at page:

Download "Scott Johnson Dominic Rizzo Parthasarathy Ranganathan Jon McCune Richard Ho. Titan: enabling a transparent silicon root of trust for Cloud"

Asher Bryant
5 years ago
Views:

1 Scott Johnson Dominic Rizzo Parthasarathy Ranganathan Jon McCune Richard Ho Titan: enabling a transparent silicon root of trust for Cloud 1

2 Talk outline Motivation and problem statement System View and Integration Chip Architecture Feature Deep Dives Building a community: Open Titan? 2

3 Motivation and architecture 3

4 The problem: 4

5 Example 1: How do we know it is our equipment? 5

6 Solution: Tag and verify every device 6

7 Example 2: Can we trust our boot chain? 7

8 Solution: Sign and verify all boot code 8

9 Cloud Conclusion: We need a silicon root of trust Software infrastructure Datacenter equipment Silicon root of trust 9

10 Cloud security properties Trusted Machine Identity 1 First Instruction Integrity 2 Tamper-evident logging 3 Trusted implementation 4 Every element in the datacenter should be securely identifiable: cryptographic attestation 10

11 Cloud security properties Trusted Machine Identity 1 First Instruction Integrity 2 Tamper-evident logging 3 Trusted implementation 4 The first code executed should be trusted: cryptographically signed and verified firmware, live monitored for protection 11

12 Cloud security properties Trusted Machine Identity 1 First Instruction Integrity 2 Tamper-evident logging 3 Trusted implementation 4 All activities in the datacenter should be monitored and logged in a tamper resistant manner 12

13 Cloud security properties Trusted Machine Identity 1 First Instruction Integrity 2 Tamper-evident logging 3 Trusted implementation 4 Own and/or verify every piece of the stack from transistors up to critical firmware 13

14 Chip Requirements Trusted Machine Identity 1 First Instruction Integrity 2 Tamper-evident logging 3 On-chip verified boot Cryptographic identity & secure mfg Boot Firmware signature check + monitor Silicon physical security Transparent development, full-stack Trusted implementation 4 14

15 System View and Integration 15

16 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash 16

17 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash Requests first boot instruction 17

18 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash Contains (signed) boot code 18

19 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash Authenticates firmware, releases system reset 19

20 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash Continuous monitoring for illegal activity 20

21 Titan system integration PCH / BMC SPI SPI CPU Chipset TITAN Memory subsystem Storage and networking subsystem Reset and power control Boot FW flash Available for cryptographic attestation and logging 21

22 Chip architecture 22

23 What is Titan? Secure low-power microcontroller designed with cloud security as first-class consideration Not just a chip, but the supporting system and security architecture + manufacturing flow 23

24 Why make our own? Implementation transparency Complete ownership, auditability, build local expertise Agility & velocity Technology changes, new risk vectors arrive No existing solutions Vendor-agnosticity, custom features 24

25 Glossary: a quick security chip primer AES Symmetric (shared-key) crypto algorithm NMI Non-maskable interrupt alert Security critical event OTP One-time programmable (fuse) memory BIST Built in self test PCH Intel Platform Controller Hub BL Boot loader PMU Power Management Unit CA Certificate authority RC Resistor/capacitor clock circuit device state Temporal state in life cycle of device (test, production, return for test, end of life) RSA Circa 1980s crypto algorithm RTC Real Time Clock SHA Hashing algorithm SPI 4+ pin peripheral interface TRNG True random number generator EC Elliptic curve: modern crypto algorithm HMAC Hash message authentication code I2C Two-pin low-speed peripheral interface key mgr Management of key and secret storage 25

26 Titan specifications Titan Debug ports Embedded 32b processor Memory PMU Testability / MFGability jitter RC timer RC Test ports Low speed RC Peripherals 8kB ROM 64kB SRAM EC/RSA crypto USB kB Flash AES/SHA/HMAC UART 1kb OTP (Fuse) Key manager SPI mstr/slv TRNG I2C mstr/slv timers GPIO Defenses Shield Temp sense Volt sense Device state Muxable data ports Muxable data ports Alert resp 26

27 Titan specifications Titan 32b microcontroller core Debug ports Embedded 32b processor PMU Testability / MFGability jitter RC timer RC Test ports Low speed RC Boot ROM Memory Flash for instr + data Peripherals 8kB ROM SRAM scratchpad One-time programmable fuses 64kB SRAM EC/RSA crypto USB kB Flash AES/SHA/HMAC UART 1kb OTP (Fuse) Key manager SPI mstr/slv TRNG I2C mstr/slv timers GPIO Defenses Shield Temp sense Volt sense Device state Muxable data ports Muxable data ports Alert resp 27

28 Titan specifications Titan Debug ports Cryptographic acceleration Embedded 32b processor Memory Key management + storage PMU Testability / MFGability jitter RC timer RC Test ports Low speed RC Peripherals 8kB ROM Random number generator 64kB SRAM EC/RSA crypto USB kB Flash AES/SHA/HMAC UART 1kb OTP (Fuse) Key manager SPI mstr/slv TRNG I2C mstr/slv timers GPIO Defenses Shield Temp sense Volt sense Device state Muxable data ports Muxable data ports Alert resp 28

29 Titan specifications Titan Debug ports Peripheral controllers Embedded 32b processor Memory PMU Testability / MFGability jitter RC timer RC Test ports Low speed RC Peripherals 8kB ROM Multipurpose IO Custom Google features 64kB SRAM EC/RSA crypto USB kB Flash AES/SHA/HMAC UART 1kb OTP (Fuse) Key manager SPI mstr/slv TRNG I2C mstr/slv timers GPIO Defenses Shield Temp sense Volt sense Device state Muxable data ports Muxable data ports Alert resp 29

30 Titan specifications Titan Debug ports Embedded 32b processor PMU Testability / MFGability jitter RC timer RC Test ports Low speed RC Physical defenses Memory Live status checking Peripherals 8kB ROM Hardware security alert response 64kB SRAM EC/RSA crypto USB kB Flash AES/SHA/HMAC UART 1kb OTP (Fuse) Key manager SPI mstr/slv TRNG I2C mstr/slv timers GPIO Defenses Shield Temp sense Volt sense Device state Muxable data ports Muxable data ports Alert resp 30

31 04 Feature Deep Dives 31

32 Verified Boot 32

33 ROM compare versions + verify + jump BOOT LOADER Flash B SIGN APPLICATION Flash A compare versions + verify + jump SIGN HW Flash A VER BOOT ROM SIGN BIST VER RESET BOOT LOADER VER test + jump SIGN VER Verified boot within Titan APPLICATION Flash B Each stage verifies the next Earlier stages do security settings, lock out further access Permission levels drop at each stage, protecting critical control points Splitting flash code into banks allows two copies: live-updatable Code signing taken seriously; multiple key holders, offline logs, playbooks 33

34 1 compare versions + verify + jump 3 BOOT LOADER Flash B SIGN VER compare versions + verify + jump SIGN ROM APPLICATION Flash A VER HW BOOT LOADER Flash A SIGN BOOT ROM VER BIST SIGN test + jump RESET 2 VER Verified boot within Titan APPLICATION 6 Flash B 5 Test logic (LBIST) and ROM (MBIST); if fail stay in reset; else jump to ROM Compare bootloader (BL) versions A + B; choose most recent Verify BL signature; if fail, retry with other BL; if fail, freeze Compare firmware application (FW) versions A + B; choose most recent Verify FW signature; if fail, retry with other FW; if fail, freeze Execute successfully verified FW 34

35 Trusted identity 35

secret Self-generates a cryptographically strong Identity Key Identity registered in off-site secure database

36 Trusted chip identity TEST PERSONALIZE REGISTER MANUFACTURING SHIP INSTALL ATTEST PRODUCTION Establish trust at manufacturing Each tested device uniquely identified (personalized) Assigned a serial number, unique but not secret Self-generates a cryptographically strong Identity Key Identity registered in off-site secure database Parts shipped, put onto datacenter devices for production Parts available for attestation, proof that they are ours 36

37 Key manager creates chip identity key Dedicated hardware execution Processor walks FSM commands Keys inaccessible to processor Identity = crypto_hash of partial secrets Each comes from a different silicon technology processor cmd key manager Partial secrets from a variety of silicon technologies key storage Requires attackers to defeat each Export enabled if FSM complete Export disabled after manufacture HASH export 37

signed by offline certificate authority Chip creates identity message Certificate available

38 Trusted identity (registration) perso FW Remote registry Device Identity message Air gap Tester Offline certificate authority Secure channel Personalization firmware loaded Identities signed by offline certificate authority Chip creates identity message Certificate available for installation Identity exported to registry via secure channel Identity available for later query 38

Life cycle tracking using OTP Fuses After manufacturing, must continue to guarantee authenticity Define six stages, and what is enabled in each stage Raw: no features enabled, deters wafer theft

39 Life cycle tracking using OTP Fuses After manufacturing, must continue to guarantee authenticity Define six stages, and what is enabled in each stage Raw: no features enabled, deters wafer theft Test: enable test features only, no production features Development: enable production-level features for lab bringup Production: final production features, no testability, unique keys RMA (return for test): re-enable testability, no more production RIP: after RMA or mfg failure, permanently disable device Burnable fuses track life cycle from manufacturing to production Each stage transition a one-way street 39

40 Life cycle tracking using OTP Fuses Burn fuse RAW MFG Test PROD DEV RMA RIP 40

41 First instruction integrity 41

42 First instruction integrity Titan interposes on SPI, between host and system firmware Flash At system reset, does signature check of FW Signature OK enables system Signature fail alerts of failure SPI SPI Device (PCH/BMC) Titan Flash Live monitoring Snoops SPI for illegal activity Unauthorized actions converted to harmless commands Reset control 42

43 SPI interposition The challenges of SPI interposition Vendor agnostic requires flexibility SPI does not have flow control Passthrough latency must be minimized Chip & board timing a challenge Can affect boot latency Snoop / control logic Safe command Incoming SPI bus from host Outgoing SPI bus to flash 43

44 Physical and tamper-resistant security 44

45 Physical security & countermeasures Anti-glitch / anti-tamper mechanisms Attack detection (glitch, laser, thermal, voltage) Fuse, key storage, clock, and memory integrity checks Memory and bus scrambling and protection Register and memory-range address protection and locking TRNG entropy monitoring Boot-time and live-status checks 45

46 Physical security & countermeasures Physical defenses Glitch Voltage Online checks Alert send Alert send Keymgr integrity Alert send Alert send TRNG integrity Alert send Clk integrity Alert send Bus parity Alert responder Light Temperature Alert send Alert send Interrupt NMI Freeze Reset 46

47 Open Titan 47

for open sourcing Evidence Credible open ISAs, our RTL repositories, standard

48 Moving from Titan to Open Titan Thesis The functional security mechanisms, provenance and digital implementation are commodities and thus good candidates for open sourcing Evidence Credible open ISAs, our RTL repositories, standard crypto primitives Outcome An open, transparent implementation of a secure cloud root of trust 48

What would Open Titan look like? Open Debug ports Titan Secure RISC - V 32b core Memory PMU Testability / MFGability jitter RC timer RC Low speed RC Peripherals ROM DMA SRAM EC/RSA crypto USB 1.

49 What would Open Titan look like? Open Debug ports Titan Secure RISC - V 32b core Memory PMU Testability / MFGability jitter RC timer RC Low speed RC Peripherals ROM DMA SRAM EC/RSA crypto USB 1.1 USB ports Flash AES/SHA/HMAC SPI mstr/slv SPI ports OTP (Fuse) Key manager UART rx/tx Muxable data ports TRNG I2C mstr/slv timers GPIO Defenses Shield Test ports Temp sense Volt sense Device state Open source IP Proprietary foundry IP analog IP / digital wrap Muxable data ports Alert resp 49

50 What would Open Titan look like? Open Debug ports Titan Open source digital IP Secure RISC - V 32b core Memory Analog wrappers PMU Testability / MFGability jitter RC timer RC Low speed RC Peripherals ROM DMA SRAM EC/RSA crypto USB 1.1 USB ports Flash AES/SHA/HMAC SPI mstr/slv SPI ports OTP (Fuse) Key manager UART rx/tx Muxable data ports TRNG I2C mstr/slv timers GPIO Defenses Shield Test ports Temp sense Volt sense Device state Open source IP Proprietary foundry IP analog IP / digital wrap Muxable data ports Alert resp 50

51 What would Open Titan look like? Open Debug ports Titan Required vendor collateral: Secure RISC - V 32b core Memory STDCELL, memories, pads, etc. PMU Testability / MFGability jitter RC timer RC Low speed RC Peripherals ROM DMA SRAM EC/RSA crypto USB 1.1 USB ports Flash AES/SHA/HMAC SPI mstr/slv SPI ports OTP (Fuse) Key manager UART rx/tx Muxable data ports TRNG I2C mstr/slv timers GPIO Defenses Shield Test ports Temp sense Volt sense Device state Open source IP Proprietary foundry IP analog IP / digital wrap Muxable data ports Alert resp 51

52 Silicon Transparency Working Group 52

Questions For additional information https://cloudplatform.

53 Questions For additional information m/2017/08/titan-in-depth-security-in -plaintext.html 53

54 That s a wrap 54 54

Titan silicon root of trust for Google Cloud

Scott Johnson Dominic Rizzo Secure Enclaves Workshop 8/29/2018 Titan silicon root of trust for Google Cloud 1 Cloud Perspective: We need a silicon root of trust Software infrastructure Datacenter equipment