The initial Caliptra 0.5 contribution release to OCP contains a series of specifications describing architecture, integration, and implementation. An open sourced register-transfer level (RTL) code implementation of Caliptra that can be synthesized into current SoC designs will be made available, along with the cloud-designed firmware written entirely in Rust. With this trusted foundation designed for confidential cloud devices, Caliptra supports the consistent scaling of confidential workloads across distributed systems.

Open source transparency comes to root of trust hardware

Download File: https://urluso.com/2vHivM

Microsoft collaborated with Nuvoton to design a new security-focused BMC, with enhanced hardware security throughout the BMC SoC. The silicon-integrated root of trust supports TCG DICE identity flows with hardware engines for fast cryptographic operations and hardware-managed keys. The RoT has a one-way bridge for activity monitoring and controlling the BMC security configuration, including which internal security peripherals the BMC can assess. This unique feature allows fine-grained BMC interface authorization, enabling scenarios whereby temporary access to a debug interface can be granted to the BMC only after it attests its trustworthiness.

The OpenTitan silicon root of trust is based around our open source Ibex RISC-V processor core, and adds cryptographic coprocessors, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, IO peripherals, secure boot, and more.The Ibex processor design was originally developed by ETH Zürich as zero-riscy, then contributed to lowRISC where it has seen substantial further development.

Google argues that open source silicon is like open source software and can enhance trust and security through design and implementation transparency. The hope is that it will enable and encourage innovation. An open reference design could also provide implementation choice while preserving a set of common interfaces and software compatibility guarantees.

We and our partners in the OpenTitan project believe in the power and transparency of the open-source development model, in which companies, universities and individuals work together in an open development environment towards a common goal. Western Digital has been a strong proponent and promoter of open source, both in the software domain, where we participate and contribute to development of the Linux kernel in areas related to our storage business, and also through our commitment to open-source hardware, including through the RISC-V Foundation.

Google this week announced OpenTitan, an open source silicon root of trust (RoT) project that can help ensure that both hardware infrastructure and the software running on it remain in a trustworthy state.

OpenTitan aims to deliver a high-quality RoT design and integration guidelines that can be used in data center servers, storage, peripherals, and more, and Google decided to open source it to make it more transparent, trustworthy, and secure.

According to Google, open source silicon can improve trust and security by ensuring the transparency of design and implementation, can encourage innovation through contributions to the open source design, and can offer implementation choice, while preserving a set of common interfaces and software compatibility guarantees.

According to Google, transparency is at the heart of building the logical design of a silicon RoT, including the open source microprocessor, cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more.

The goal of a hardware root of trust is to verify that the software installed in every component of the hardware is the software that was intended. This way you can verify and know without a doubt whether a machine's hardware or software has been hacked or overwritten by an adversary. In a world of modchips16, supply chain attacks, evil maid attacks7, cloud provider vulnerabilities in hardware components2, and other attack vectors it has become more and more necessary to ensure hardware and software integrity. This is an introduction to a complicated topic; some sections just touch the surface, but the intention is to provide a full picture of the world of secure booting mechanisms.

What happens when we need to patch bugs in Titan's firmware? This is where remediation comes into play. In the event of patching bugs in the Titan firmware, trust can be re-established through remediation. Remediation is based on a strong cryptographic identity. To provide a strong identity, the Titan chip manufacturing process generates unique keying material for each chip. The Titan-based identity system not only verifies the provenance of the chips creating the certificate signing requests (CSRs), but also verifies the firmware running on the chips, as the code identity of the firmware is hashed into the on-chip key hierarchy. This property allows Google to fix bugs in Titan firmware and issue certificates that can only be wielded by patched Titan chips. The Titan-based identity system enables back-end systems to securely provision secrets and keys to individual Titan-enabled machines, or jobs running on those machines. Titan is also able to chain and sign critical audit logs, making those logs tamper-evident. This ensures that audit logs cannot be altered or deleted without detection, even by insiders with root access to the relevant machine.

Matthew Garrett wrote a great post about Boot Guard that highlights the importance of user freedom when it comes to firmware4. The owner of the hardware has a right to own the firmware as well. Boot Guard prevents this. In the security keynote at the 2018 Open Source Firmware Conference6, Trammel Hudson described how he found a vulnerability to bypass Boot Guard, CVE-2018-121693. The bug20 allows an attacker to use unsigned firmware and boot normally, completely negating the purpose of Boot Guard. Because Boot Guard is tied to the CPU, it does not have the control that a custom silicon hardware root of trust has when it comes to other firmware for components in the system.

It is clear that securing the boot process with a hardware root of trust has various implementations throughout the industry. Without open source firmware, the proprietary bits of the boot process are still lacking the visibility and audibility to ensure that our software is secure. Even if we can verify through a hardware root of trust that the hash of proprietary firmware is the hash we know to be true, we need visibility to the source code for the firmware for assurance it does not contain any backdoors. Through this visibility we can also gain ease of use in debugging and fixing problems without relying on a vendor.

According to Royal Hansen, Vice President of Google and Dominic Rizzo, Google Titan Security Lead, open source silicon is the best way to improve the cybersecurity posture of data centers and processes along to the edge, and by opening silicon designs up to the open source community at large, systems utliizing the design will be "more transparent, trustworthy, and ultimately, secure."

The initial stage of the project is the creation of a logical silicon RoT design including an open source microprocessor -- the lowRISC Ibex -- cryptographic processors, a hardware random number generator, key and memory hierarchies for both volatile and non-volatile storage, defensive mechanisms, IO peripherals, and secure boot processes.

"As the volume and value of data continues to grow exponentially, so does the need to keep that data safe and secure," said Dr. Richard New, vice president of research and development at Western Digital. "OpenTitan leverages the power and transparency of the open-source development model to enable root of trust chips that can be fully inspected and verified, thereby providing strong security against malware, physical hardware modifications and other threats."

Caliptra is a new specification for an open source silicon root of trust (RoT) designed to meet the enhanced security requirements of modern edge and confidential computing workloads. CHIPS Alliance will oversee the open source implementation of register-transfer level (RTL) code for Caliptra that can be synthesized into current SoC designs, along with the verification suite and firmware. As part of this architecture, the open source RISC-V core hosted by the CHIPS Alliance and now relaunched as VeeR, is embedded within the Caliptra Root of Trust macro. VeeR is a true open source RISC-V core family with full RTL and verification bench all under Apache 2.0 license ready for anyone to use.

The CHIPS Alliance is an organization which develops and hosts high-quality, open source hardware code (IP cores), interconnect IP (physical and logical protocols), and open source software development tools for design, verification, and more. The primary focus is to provide a barrier-free collaborative environment, to lower the cost of developing IP and tools for hardware development. The CHIPS Alliance is hosted by the Linux Foundation. For more information, visit chipsalliance.org.

Silicon root of trust (RoT) technology is important for embedding security mechanisms at silicon level for a wide range of products from mobile devices to network cards to webscale servers. It is increasingly important as fears about 5G and cloud security rise, but it is also highly proprietary to each equipment vendor. To address that issues, an open source project called OpenTitan says it will produce a reference design and integration guidelines for silicon RoT.

At the Open Compute Project 2022, Caliptra was jointly announced by Microsoft, Google, AMD. Nvidia also joined the project more recently and will begin contributing to the effort. After having spoken to a few engineers about the project at OCP, it seems clear that Microsoft and Google will make it a requirement for all compute, networking, and memory/storage controller chips supplied to their datacenters to implement a Caliptra-based open-source silicon root of trust. 2ff7e9595c