Titan silicon root of trust for Google Cloud

Transcription:

Slide 1: Titan silicon root of trust for Google Cloud
Scott Johnson, Dominic Rizzo
Secure Enclaves Workshop, 8/29/2018

Slide 2: Cloud perspective: we need a silicon root of trust
Diagram layers: software infrastructure, datacenter equipment, silicon root of trust.

Slide 3: Chip requirements
1. Trusted machine identity
2. First instruction integrity
3. Tamper-evident logging
4. Trusted implementation
Supporting properties listed on the slide: on-chip verified boot; cryptographic identity & secure manufacturing; boot firmware signature check + monitor; silicon physical security; transparent development, full-stack.

Slide 4: Titan system integration
Block diagram: Titan sits on the SPI bus between the PCH / BMC and the boot FW flash, and drives reset and power control. Other blocks shown: CPU, chipset, memory subsystem, storage and networking subsystem.

Slide 5: What is Titan?
- Secure low-power microcontroller designed with cloud security as a first-class consideration
- Not just a chip, but the supporting system and security architecture + manufacturing flow

Slide 6: Why make our own?
- Implementation transparency: complete ownership, auditability, build local expertise
- Agility & velocity: technology changes, new risk vectors arrive
- No existing solutions: vendor-agnosticity, custom features

Slide 7: Titan specifications
Block diagram of the chip:
- Embedded 32b processor
- Memory: 8kB ROM, 64kB SRAM, 512kB Flash, 1kb OTP (fuse)
- Crypto: EC/RSA, AES/SHA/HMAC, key manager, TRNG
- Peripherals: USB 1.1, UART, SPI master/slave, I2C master/slave, timers, GPIO, muxable data ports
- PMU
- Testability / manufacturability: jitter RC, timer RC and low-speed RC oscillators, test ports, debug ports
- Defenses: shield, temperature sense, voltage sense, device state, alert response

Slide 8: Interesting subunits
- Flash: 2 banks for code storage, in-field upgrades, partial secret material
- Fuse: security settings, partial secret material, device state tracking, feature enablement
- Crypto units: AES, SHA/HMAC, big-int accelerator for EC, RSA (microcoded)
- Key manager: custom control of key generation and storage
- TRNG: custom analog design, low power, uses ring-oscillator instability
- Internal clocks: spread-spectrum jittery clock for random behavior, fixed-frequency for communication

Slide 9: Verified boot

Slide 10: Verified boot within Titan
Diagram: RESET -> HW (BIST) -> BOOT ROM (test + jump) -> BOOT LOADER in Flash A / Flash B (compare versions + verify + jump) -> APPLICATION in Flash A / Flash B (compare versions + verify + jump). Each flash stage carries a SIGN block that the preceding stage's VER block checks.
- Each stage verifies the next
- Earlier stages do security settings, lock out further access
- Permission levels drop at each stage, protecting critical control points
- Splitting flash code into banks allows two copies: live-updatable
- Code signing taken seriously; multiple key holders, offline logs, playbooks

Slide 11: Verified boot within Titan (step by step)
Same diagram as slide 10, with the steps numbered 1 to 6:
1. Test logic (LBIST) and ROM (MBIST); if fail, stay in reset; else jump to ROM
2. Compare bootloader (BL) versions A + B; choose most recent
3. Verify BL signature; if fail, retry with other BL; if fail, freeze
4. Compare firmware application (FW) versions A + B; choose most recent
5. Verify FW signature; if fail, retry with other FW; if fail, freeze
6. Execute successfully verified FW
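The A/B bank selection of steps 2 to 5 above, written out as an added Python model (not Titan's ROM code). It assumes an HMAC-SHA256 tag as a stand-in for the real asymmetric signature and uses a constructed demo key; the two-bank fallback and the freeze outcome are exactly as the slide describes.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumption: an HMAC-SHA256 tag stands in for the asymmetric signature a
# real ROM would check; the key below is a constructed demo value.
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass
class Bank:
    name: str      # "A" or "B"
    version: int   # image version, higher is more recent
    image: bytes   # code stored in this flash bank
    sig: bytes     # signature over version || image


def sign(version: int, image: bytes) -> bytes:
    msg = version.to_bytes(4, "big") + image
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def verify(bank: Bank) -> bool:
    return hmac.compare_digest(sign(bank.version, bank.image), bank.sig)


def select_bank(a: Bank, b: Bank) -> Optional[Bank]:
    """Steps 2-3 (bootloader) and 4-5 (application) of slide 11:
    prefer the most recent bank, verify it, retry with the other
    bank on failure, and return None (freeze) if neither verifies."""
    for bank in sorted((a, b), key=lambda bk: bk.version, reverse=True):
        if verify(bank):
            return bank
    return None


def verified_boot(bl_a: Bank, bl_b: Bank, fw_a: Bank, fw_b: Bank):
    """Run the two flash stages in order; each stage verifies the next.
    Returns the chosen (bootloader, application) bank names, or
    ("FREEZE", stage) when a stage has no verifiable image."""
    bl = select_bank(bl_a, bl_b)
    if bl is None:
        return ("FREEZE", "bootloader")
    fw = select_bank(fw_a, fw_b)
    if fw is None:
        return ("FREEZE", "application")
    return (bl.name, fw.name)
```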

Slide 12: Trusted identity

Slide 13: Trusted chip identity
Flow: TEST -> PERSONALIZE -> REGISTER (manufacturing) -> SHIP -> INSTALL -> ATTEST (production)
- Establish trust at manufacturing
- Each tested device uniquely identified (personalized)
- Assigned a serial number, unique but not secret
- Self-generates a cryptographically strong identity key
- Identity registered in off-site secure database
- Parts shipped, put onto datacenter devices for production
- Parts available for attestation, proof that they are ours

Slide 14: Key manager creates chip identity key
Diagram: processor -> cmd -> key manager; partial secrets from a variety of silicon technologies -> HASH -> key storage -> export
- Dedicated hardware execution
- Processor walks FSM commands
- Keys inaccessible to processor
- Identity = crypto_hash of partial secrets
- Each comes from a different silicon technology
- Requires attackers to defeat each
- Export enabled if FSM complete
- Export disabled after manufacture

Slide 15: Trusted identity (registration)
Diagram: device (perso FW) -> device identity message -> tester -> air gap -> offline certificate authority; tester -> secure channel -> remote registry
- Personalization firmware loaded
- Identities signed by offline certificate authority
- Chip creates identity message
- Certificate available for installation
- Identity exported to registry via secure channel
- Identity available for later query

Slide 16: Life cycle tracking using OTP fuses
- After manufacturing, must continue to guarantee authenticity
- Define six stages, and what is enabled in each stage:
  - Raw: no features enabled, deters wafer theft
  - Test: enable test features only, no production features
  - Development: enable production-level features for lab bringup
  - Production: final production features, no testability, unique keys
  - RMA (return for test): re-enable testability, no more production
  - RIP: after RMA or mfg failure, permanently disable device
- Burnable fuses track life cycle from manufacturing to production
- Each stage transition a one-way street

Slide 17: Life cycle tracking using OTP fuses (state diagram)
Diagram: states RAW, MFG Test, DEV, PROD, RMA and RIP, connected by one-way "burn fuse" transitions.
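An added Python model (not Titan's fuse controller) of the one-way life cycle from slides 16 and 17. The thermometer-code encoding of the stage in the fuse word is an assumption; the point it demonstrates is that because OTP bits only ever go from 0 to 1, a state can only advance, and a fuse word that is not a valid code is detectable as corruption.

```python
# Stages in the order the slide gives them; fuse bits only ever go 0 -> 1.
STAGES = ["RAW", "TEST", "DEV", "PROD", "RMA", "RIP"]

# Features enabled in each stage, as listed on slide 16.
FEATURES = {
    "RAW": set(),
    "TEST": {"test"},
    "DEV": {"test", "production"},
    "PROD": {"production", "unique_keys"},
    "RMA": {"test"},
    "RIP": set(),
}


class LifecycleFuses:
    """Model of a one-time-programmable fuse word.

    Assumption: stage i is encoded as a thermometer code with the low i
    fuse bits burned, so advancing only ever sets more bits and the state
    can never move backwards, whether by a software bug or a glitched write."""

    def __init__(self) -> None:
        self.bits = 0  # all fuses intact: RAW

    def stage(self) -> str:
        burned = bin(self.bits).count("1")
        if self.bits != (1 << burned) - 1:
            # bits not contiguous from the LSB: corrupt or tampered fuse word
            raise ValueError("fuse word is not a valid life-cycle code")
        return STAGES[burned]

    def advance(self, target: str) -> None:
        """Burn fuses to reach `target`; forward only, skipping allowed
        (e.g. a manufacturing failure goes straight to RIP)."""
        cur = STAGES.index(self.stage())
        tgt = STAGES.index(target)
        if tgt <= cur:
            raise ValueError(f"cannot move from {STAGES[cur]} back to {target}")
        self.bits |= (1 << tgt) - 1  # OR only: fuses are never cleared

    def enabled(self, feature: str) -> bool:
        return feature in FEATURES[self.stage()]
```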

Slide 18: First instruction integrity

Slide 19: First instruction integrity
Diagram: SPI device (PCH/BMC) -> SPI -> Titan -> SPI -> flash; Titan also holds reset control.
- Titan interposes on SPI, between host and system firmware flash
- At system reset, does signature check of FW
- Signature OK enables system
- Signature fail alerts of failure
- Live monitoring: snoops SPI for illegal activity
- Unauthorized actions converted to harmless commands

Slide 20: SPI interposition
Diagram: incoming SPI bus from host -> snoop / control logic (safe command) -> outgoing SPI bus to flash
The challenges of SPI interposition:
- Vendor agnostic requires flexibility
- SPI does not have flow control
- Passthrough latency must be minimized
- Chip & board timing a challenge
- Can affect boot latency
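The reset-time signature check and the live snoop-and-substitute behaviour of slides 19 and 20, as an added Python model rather than Titan's own logic. The SPI-NOR opcodes are the standard JEDEC values; the choice of a status-register read as the "harmless command", the HMAC-SHA256 stand-in for the firmware signature, and the `update_window` flag gating legitimate writes are assumptions of this example.

```python
import hashlib
import hmac

# Standard JEDEC SPI-NOR opcodes.
READ, RDSR, WREN, PAGE_PROGRAM, SECTOR_ERASE, CHIP_ERASE = 0x03, 0x05, 0x06, 0x02, 0x20, 0xC7
MODIFYING = {WREN, PAGE_PROGRAM, SECTOR_ERASE, CHIP_ERASE}
# Assumption: a status-register read is the "harmless command" substituted
# for a blocked frame; the slide does not say which command Titan uses.
SAFE_FRAME = bytes([RDSR])

# Assumption: HMAC-SHA256 stands in for the boot firmware signature check.
FW_KEY = b"constructed-demo-fw-key"


def sign_fw(image: bytes) -> bytes:
    return hmac.new(FW_KEY, image, hashlib.sha256).digest()


class Interposer:
    """Titan-style SPI interposer sitting between the host and boot flash."""

    def __init__(self, flash_image: bytes, fw_sig: bytes) -> None:
        self.flash = bytes(flash_image)
        self.fw_sig = fw_sig
        self.host_enabled = False   # host held in reset until the image verifies
        self.update_window = False  # opened only by an authorized update flow
        self.alerts = []

    def on_reset(self) -> bool:
        """Signature check of the boot firmware before the host leaves reset."""
        ok = hmac.compare_digest(sign_fw(self.flash), self.fw_sig)
        self.host_enabled = ok
        if not ok:
            self.alerts.append("boot FW signature mismatch; host held in reset")
        return ok

    def forward(self, frame: bytes) -> bytes:
        """Live monitoring: snoop one host frame and return what the flash sees.
        Frames that would modify the flash outside an update window are
        replaced by SAFE_FRAME and logged as an alert."""
        opcode = frame[0]
        if opcode in MODIFYING and not self.update_window:
            self.alerts.append(f"blocked opcode 0x{opcode:02X}")
            return SAFE_FRAME
        return frame
```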

Slide 21: Physical and tamper-resistant security

Slide 22: Physical security & countermeasures
Anti-glitch / anti-tamper mechanisms:
- Attack detection (glitch, laser, thermal, voltage, probe)
- Fuse, key storage, clock, and memory integrity checks
- Memory and bus scrambling and protection
- Register and memory-range address protection and locking
- TRNG entropy monitoring
- Boot-time and live-status checks
- Only internal clocks, internal code

Slide 23: Physical security & countermeasures (alert path)
Diagram: physical defenses (glitch, voltage, light, temperature) and online checks (keymgr integrity, TRNG integrity, clk integrity, bus parity) each feed an "alert send" into the alert responder, which can raise an interrupt or NMI, freeze, or reset.

Slide 24: That's a wrap