Titan silicon root of trust for Google Cloud
Scott Johnson, Dominic Rizzo
Secure Enclaves Workshop, 8/29/2018
Cloud perspective: we need a silicon root of trust
The trust stack, top to bottom:
- Software infrastructure
- Datacenter equipment
- Silicon root of trust
Chip requirements
1. Trusted machine identity
2. First instruction integrity
3. Tamper-evident logging
4. Trusted implementation
Supporting capabilities: on-chip verified boot; cryptographic identity and secure manufacturing; boot firmware signature check plus monitor; silicon physical security; transparent, full-stack development.
Titan system integration
- Titan sits on the SPI bus between the PCH / BMC and the boot firmware flash (SPI on both sides)
- Titan also connects to the platform's reset and power control
- The CPU and chipset attach the memory subsystem and the storage and networking subsystem
What is Titan?
- Secure low-power microcontroller designed with cloud security as a first-class consideration
- Not just a chip, but the supporting system and security architecture, plus the manufacturing flow
Why make our own?
- Implementation transparency: complete ownership, auditability, build local expertise
- Agility and velocity: technology changes, new risk vectors arrive
- No existing solutions: vendor-agnosticity, custom features
Titan specifications
- Embedded 32b processor with debug ports
- Memory: 8kB ROM, 64kB SRAM, 512kB flash, 1kb OTP (fuse)
- Crypto: EC/RSA, AES/SHA/HMAC, key manager, TRNG
- Peripherals: USB 1.1, UART, SPI master/slave, I2C master/slave, timers, GPIO, muxable data ports
- Clocks and PMU: jitter RC, timer RC, low-speed RC
- Testability / manufacturability: test ports
- Defenses: shield, temperature sense, voltage sense, device state, alert response
Interesting subunits
- Flash: 2 banks for code storage, in-field upgrades, partial secret material
- Fuse: security settings, partial secret material, device state tracking, feature enablement
- Crypto units: AES, SHA/HMAC, big-int accelerator for EC, RSA (microcoded)
- Key manager: custom control of key generation and storage
- TRNG: custom analog design, low power, uses ring-oscillator instability
- Internal clocks: spread-spectrum jittery clock for random behavior, fixed-frequency for communication
Verified boot
Verified boot within Titan
Boot chain, each stage signed and verified by the one before it:
- Reset -> hardware BIST -> boot ROM
- Boot ROM: compare bootloader versions in flash A and flash B, verify signature, jump
- Bootloader: compare application versions in flash A and flash B, verify signature, jump
- Application (signed, in flash A or flash B)

- Each stage verifies the next
- Earlier stages do security settings and lock out further access
- Permission levels drop at each stage, protecting critical control points
- Splitting flash code into banks allows two copies: live-updatable
- Code signing taken seriously: multiple key holders, offline logs, playbooks

Boot steps:
1. Test logic (LBIST) and ROM (MBIST); if fail, stay in reset; else jump to ROM
2. Compare bootloader (BL) versions A and B; choose most recent
3. Verify BL signature; if fail, retry with other BL; if fail, freeze
4. Compare firmware application (FW) versions A and B; choose most recent
5. Verify FW signature; if fail, retry with other FW; if fail, freeze
6. Execute successfully verified FW
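The A/B bank selection of steps 2 to 5 (choose the newest bank, verify it, fall back to the other bank, otherwise freeze), as an added illustration that is not Titan's code: the bank header layout is constructed, and the keyed FNV-1a digest stands in for the RSA/EC signature check that the real ROM performs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of one flash bank's image header; not Titan's real layout. */
typedef struct {
    uint32_t version;   /* monotonically increasing release number */
    uint32_t tag;       /* stand-in for the signature over body (see below) */
    uint32_t body;      /* stand-in for the code image */
} bank_t;

enum { BANK_A = 0, BANK_B = 1, BOOT_FREEZE = -1 };

/* Stand-in for the signature check: a keyed FNV-1a digest of the body.
 * Real Titan verifies an RSA/EC signature against a key held by the
 * earlier boot stage; the bank-selection logic around it is the point here. */
static uint32_t digest(uint32_t key, uint32_t body)
{
    uint32_t h = 2166136261u ^ key;
    for (int i = 0; i < 4; i++) {
        h ^= (body >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

static bool verify(const bank_t *b, uint32_t key)
{
    return digest(key, b->body) == b->tag;
}

/* One stage of the chain: prefer the more recent bank and verify it; on
 * failure retry the other bank; if neither verifies, freeze (stay in reset). */
int select_bank(const bank_t *a, const bank_t *b, uint32_t key)
{
    const bank_t *banks[2] = { a, b };
    int first = (b->version > a->version) ? BANK_B : BANK_A;
    int other = (first == BANK_A) ? BANK_B : BANK_A;

    if (verify(banks[first], key))
        return first;           /* newest bank is good: jump to it */
    if (verify(banks[other], key))
        return other;           /* newest bank corrupt or unsigned: fall back */
    return BOOT_FREEZE;         /* both bad: refuse to boot */
}

/* Builds a correctly "signed" bank, as release tooling would. */
bank_t make_bank(uint32_t version, uint32_t body, uint32_t key)
{
    bank_t b = { version, digest(key, body), body };
    return b;
}
```

The fallback to the older bank is what makes the two-bank scheme live-updatable: a bad or interrupted update of one bank never leaves the part unbootable, and only a failure of both banks freezes it.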
Trusted identity
Trusted chip identity
Flow: manufacturing (test -> personalize -> register) -> ship -> install -> attest (production)
- Establish trust at manufacturing
- Each tested device is uniquely identified (personalized)
- Assigned a serial number, unique but not secret
- Self-generates a cryptographically strong identity key
- Identity registered in an off-site secure database
- Parts shipped, put onto datacenter devices for production
- Parts available for attestation: proof that they are ours
Key manager creates chip identity key
- Dedicated hardware execution: the processor walks FSM commands; keys are inaccessible to the processor
- Identity = crypto_hash of partial secrets
- Partial secrets come from a variety of silicon technologies, each from a different one, requiring attackers to defeat each
- Export enabled only if the FSM completes; export disabled after manufacture
Trusted identity (registration)
Diagram: tester (running perso FW) -> device (identity message) -> secure channel -> remote registry; an air gap separates the offline certificate authority
- Personalization firmware loaded
- Chip creates identity message
- Identity exported to registry via secure channel
- Identities signed by offline certificate authority
- Certificate available for installation
- Identity available for later query
Life cycle tracking using OTP fuses
- After manufacturing, must continue to guarantee authenticity
- Burnable fuses track the life cycle from manufacturing to production; each stage transition is a one-way street
- Define six stages, and what is enabled in each stage:
  - Raw: no features enabled, deters wafer theft
  - Test: enable test features only, no production features
  - Development: enable production-level features for lab bringup
  - Production: final production features, no testability, unique keys
  - RMA (return for test): re-enable testability, no more production
  - RIP: after RMA or mfg failure, permanently disable device
State diagram: RAW -> Test -> DEV -> PROD -> RMA -> RIP, each transition burning a fuse; a manufacturing failure goes straight to RIP
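The one-way life cycle above, as an added example that is not Titan's fuse map: a constructed thermometer-coded OTP word where each stage transition burns one more fuse, bits can only go 0 to 1, and any inconsistent pattern is treated as a disabled device.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: bit i set means the transition into stage i+1 was
 * burned. Not Titan's real fuse layout. */
enum lc_stage { LC_RAW = 0, LC_TEST, LC_DEV, LC_PROD, LC_RMA, LC_RIP, LC_INVALID };

typedef struct { uint8_t fuses; } otp_t;

/* OTP semantics: fuses can only be set, never cleared. */
bool otp_burn(otp_t *o, uint8_t mask)
{
    if (mask & ~(uint8_t)0x1F) return false;   /* only five transition fuses exist */
    o->fuses |= mask;                          /* OR-in: a burned bit stays burned */
    return true;
}

/* A valid word is a contiguous run of ones from bit 0. A gap (for example the
 * PROD fuse burned without the TEST fuse) is inconsistent and read as disabled. */
enum lc_stage lc_decode(const otp_t *o)
{
    switch (o->fuses) {
    case 0x00: return LC_RAW;
    case 0x01: return LC_TEST;
    case 0x03: return LC_DEV;
    case 0x07: return LC_PROD;
    case 0x0F: return LC_RMA;
    case 0x1F: return LC_RIP;
    default:   return LC_INVALID;
    }
}

/* Advance exactly one stage, or jump straight to RIP (manufacturing failure).
 * Returns false for anything else: skipping a stage, going backwards, or
 * trying to leave RIP. */
bool lc_advance(otp_t *o, enum lc_stage target)
{
    enum lc_stage cur = lc_decode(o);
    if (cur == LC_INVALID || cur == LC_RIP) return false;
    if (target == LC_RIP) return otp_burn(o, 0x1F);
    if (target != cur + 1) return false;
    return otp_burn(o, (uint8_t)(1u << cur));
}

/* Feature gating per stage, following the slide's six definitions. */
bool lc_test_enabled(enum lc_stage s) { return s == LC_TEST || s == LC_RMA; }
bool lc_prod_enabled(enum lc_stage s) { return s == LC_DEV || s == LC_PROD; }
bool lc_unique_keys(enum lc_stage s)  { return s == LC_PROD; }
```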
First instruction integrity
First instruction integrity
- Titan interposes on SPI, between the host (PCH/BMC) and the system firmware flash
- At system reset, does a signature check of the firmware: signature OK enables the system; signature failure alerts of the failure
- Live monitoring: snoops SPI for illegal activity; unauthorized actions converted to harmless commands
- Reset control
Diagram: SPI device (PCH/BMC) -> SPI -> Titan -> SPI -> flash, with Titan also driving reset control
SPI interposition
The challenges of SPI interposition:
- Vendor agnosticity requires flexibility
- SPI does not have flow control
- Passthrough latency must be minimized
- Chip and board timing are a challenge
- Can affect boot latency
Diagram: incoming SPI bus from host -> snoop / control logic -> outgoing SPI bus to flash; a disallowed command is replaced by a safe command
Physical and tamper-resistant security
Physical security and countermeasures
- Anti-glitch / anti-tamper mechanisms
- Attack detection (glitch, laser, thermal, voltage, probe)
- Fuse, key storage, clock, and memory integrity checks
- Memory and bus scrambling and protection
- Register and memory-range address protection and locking
- TRNG entropy monitoring
- Boot-time and live-status checks
- Only internal clocks, internal code
Physical security and countermeasures (alert flow)
- Physical defenses: glitch, voltage, light, and temperature sensors, each sending an alert
- Online checks: key manager integrity, TRNG integrity, clock integrity, and bus parity, each sending an alert
- Alert responder: escalates to interrupt, NMI, freeze, or reset
That's a wrap