Titan: silicon root of trust for Google Cloud
Scott Johnson, Dominic Rizzo
Secure Enclaves Workshop, 8/29/2018
Cloud perspective: we need a silicon root of trust
(Stack diagram, top to bottom: software infrastructure, datacenter equipment, silicon root of trust)
Chip requirements
1. Trusted machine: on-chip verified boot
2. Trusted identity: cryptographic identity and secure manufacturing
3. First instruction integrity: boot firmware signature check and monitoring
4. Tamper-evident logging: silicon physical security
Implementation: transparent development, full-stack
Titan system integration
(Diagram: Titan sits on the SPI bus between the PCH/BMC and the boot firmware flash, and connects to the CPU chipset, the storage and networking subsystem, the memory subsystem, and reset and power control)
What is Titan?
● Secure low-power microcontroller designed with cloud security as a first-class consideration
● Not just a chip, but the supporting system and security architecture, plus the manufacturing flow
Why make our own?
● Implementation transparency: complete ownership, auditability, building local expertise
● Agility and velocity: technology changes, new risk vectors arrive
● No existing solutions: vendor-agnosticity, custom features
Titan specifications
(Block diagram)
● Embedded 32-bit processor
● Memory: 8 kB ROM, 64 kB SRAM, 512 kB flash, 1 kb OTP (fuse)
● Crypto: EC/RSA, AES/SHA/HMAC, key manager, TRNG
● Peripherals: USB 1.1, UART, SPI master/slave, I2C master/slave, timers, GPIO, muxable data ports
● Clocks: jitter RC, timer RC, low-speed RC
● PMU
● Testability / manufacturability: test ports, debug ports
● Defenses: shield, temperature sense, voltage sense, device state, alert response
Interesting subunits
● Flash: 2 banks for code storage, in-field upgrades, partial secret material
● Fuse: security settings, partial secret material, device state tracking, feature enablement
● Crypto units: AES, SHA/HMAC, big-int accelerator for EC and RSA (microcoded)
● Key manager: custom control of key generation and storage
● TRNG: custom analog design, low power, uses ring-oscillator instability
● Internal clocks: spread-spectrum jittery clock for random behavior, fixed-frequency clock for communication
Verified boot
Verified boot within Titan
(Diagram: reset → BIST → ROM (hardware verifier) → bootloader in flash A or B (compare versions, verify signature, jump) → application firmware in flash A or B (compare versions, verify signature, jump))
● Each stage verifies the next
● Earlier stages do security settings, lock out further access
● Permission levels drop at each stage, protecting critical control points
● Splitting flash code into banks allows two copies: live-updatable
● Code signing taken seriously: multiple key holders, offline logs, playbooks
Verified boot within Titan (boot sequence)
1. Test logic (LBIST) and ROM (MBIST); if fail ⇒ stay in reset; else jump to ROM
2. Compare bootloader (BL) versions in flash A and B; choose the most recent
3. Verify BL signature; if it fails, retry with the other BL; if that fails, freeze
4. Compare firmware application (FW) versions in flash A and B; choose the most recent
5. Verify FW signature; if it fails, retry with the other FW; if that fails, freeze
6. Execute the successfully verified FW
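The six-step A/B sequence above, worked as an added example (not code from the deck or from Titan itself): each stage prefers the newest of the two flash banks, falls back to the other bank when verification fails, and freezes when neither bank verifies. The image format, the `sign_image`/`verify_image`/`boot` names and the use of HMAC-SHA256 as a stand-in for the EC/RSA public-key signature check are this example's assumptions; the version number is covered by the signature so an old image cannot be relabelled to win the version comparison.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the verification key held by the previous stage (ROM
# verifies the bootloader, the bootloader verifies the application). Titan uses
# EC/RSA public-key signatures; HMAC-SHA256 is used here only so the example runs
# on the Python standard library. Not a real key.
VERIFY_KEY = b"example-verification-key-not-real"


@dataclass(frozen=True)
class Image:
    """One copy of a stage (bootloader or application) in flash bank A or B."""
    version: int
    payload: bytes
    signature: bytes


def _digest(version: int, payload: bytes, key: bytes) -> bytes:
    # The version is covered by the signature, so an attacker cannot relabel an
    # old, validly signed image as "newer" to win the version comparison.
    return hmac.new(key, struct.pack("<I", version) + payload, hashlib.sha256).digest()


def sign_image(version: int, payload: bytes, key: bytes = VERIFY_KEY) -> Image:
    """Offline signing step (what the key holders do), producing a flashable image."""
    return Image(version, payload, _digest(version, payload, key))


def verify_image(img: Image, key: bytes = VERIFY_KEY) -> bool:
    """Signature check performed by the stage that loads this image."""
    return hmac.compare_digest(_digest(img.version, img.payload, key), img.signature)


class BootFreeze(Exception):
    """Neither bank holds a valid image: the chip freezes rather than run unsigned code."""


def select_and_verify(bank_a: Optional[Image], bank_b: Optional[Image],
                      key: bytes = VERIFY_KEY) -> Image:
    """Steps 2-3 (bootloader) and 4-5 (application): newest first, other bank as fallback."""
    present = [img for img in (bank_a, bank_b) if img is not None]
    # Most recent version first; on a tie bank A is tried first (sort is stable).
    present.sort(key=lambda img: img.version, reverse=True)
    for img in present:
        if verify_image(img, key):
            return img
    raise BootFreeze("no bank holds a validly signed image")


def boot(bist_ok: bool, bl_a: Optional[Image], bl_b: Optional[Image],
         fw_a: Optional[Image], fw_b: Optional[Image]) -> Tuple[object, ...]:
    """Runs the six-step sequence and reports what the chip ends up doing."""
    if not bist_ok:                          # step 1: LBIST/MBIST failure keeps the chip in reset
        return ("reset",)
    try:
        bl = select_and_verify(bl_a, bl_b)   # steps 2-3
    except BootFreeze:
        return ("freeze", "bootloader")
    try:
        fw = select_and_verify(fw_a, fw_b)   # steps 4-5
    except BootFreeze:
        return ("freeze", "application")
    return ("run", bl.version, fw.version)   # step 6: execute the verified firmware


if __name__ == "__main__":
    # Constructed demo: the newest application bank is tampered, so boot falls back to v7.
    good_bl = sign_image(1, b"bootloader v1")
    fw_old = sign_image(7, b"app v7")
    fw_new_tampered = Image(8, b"app v8 tampered", b"\x00" * 32)
    print(boot(True, good_bl, None, fw_old, fw_new_tampered))
```

Because `select_and_verify` is shared by steps 2-3 and 4-5, the same fallback rule applies to both stages, and a bank left empty during a live update is simply skipped rather than treated as a failure.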
Trusted identity
Trusted chip identity
(Flow: manufacturing: test → personalize → register → ship; production: install → attest)
● Establish trust at manufacturing
● Each tested device uniquely identified (personalized)
  ○ Assigned a serial number, unique but not secret
  ○ Self-generates a cryptographically strong identity key
● Identity registered in an off-site secure database
● Parts shipped, put onto datacenter devices for production
● Parts available for "attestation", proof that they are ours
Key manager creates chip identity key
(Diagram: the processor sends commands to the key manager, which walks its FSM, hashes the partial secrets and exports the identity)
● Dedicated hardware execution
● Processor walks FSM commands; keys inaccessible to the processor
● Identity = crypto_hash of partial secrets
  ○ Partial secrets from a variety of silicon technologies
  ○ Each comes from a different silicon key storage technology
  ○ Requires attackers to defeat each
● Export enabled if FSM complete
● Export disabled after manufacture
Trusted identity (registration)
(Diagram: the tester loads personalization firmware onto the device; the identity message crosses an air gap to an offline certificate authority and goes over a secure channel to a remote registry)
● Personalization firmware loaded
● Chip creates identity message
● Identities signed by offline certificate authority
● Certificate available for installation
● Identity exported to registry via secure channel
● Identity available for later query
Life cycle tracking using OTP fuses
● After manufacturing, must continue to guarantee authenticity
● Define six stages, and what is enabled in each stage
  ○ Raw: no features enabled, deters wafer theft
  ○ Test: enable test features only, no production features
  ○ Development: enable production-level features for lab bringup
  ○ Production: final production features, no testability, unique keys
  ○ RMA (return for test): re-enable testability, no more production
  ○ RIP: after RMA or manufacturing failure, permanently disable device
● Burnable fuses track life cycle from manufacturing to production
● Each stage transition is a one-way street
Life cycle tracking using OTP fuses
(Diagram: burning a fuse advances the state: RAW → MFG test → DEV → PROD → RMA → RIP)
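An added example (not the deck's or Titan's code) that ties the two preceding ideas together: the six-stage life cycle as a set of one-way OTP fuse bits gating features, and a key manager whose identity is a hash over partial secrets and whose export path depends on the life-cycle stage. The feature names, the transition rule (one step forward, or straight to RIP from any stage), the length-prefixed SHA-256 combination of partial secrets, and the choice to close the export path from PROD onward are this example's assumptions.

```python
import hashlib
from enum import IntEnum
from typing import Dict, FrozenSet, Optional, Sequence


class Stage(IntEnum):
    """The six life-cycle stages; the integer order is the only direction the fuses can move."""
    RAW = 0
    TEST = 1
    DEV = 2
    PROD = 3
    RMA = 4
    RIP = 5


# What each stage enables, following the slide. Feature names are this example's own.
ENABLED: Dict[Stage, FrozenSet[str]] = {
    Stage.RAW:  frozenset(),
    Stage.TEST: frozenset({"test_ports"}),
    Stage.DEV:  frozenset({"test_ports", "production_features"}),
    Stage.PROD: frozenset({"production_features", "unique_keys"}),
    Stage.RMA:  frozenset({"test_ports"}),
    Stage.RIP:  frozenset(),
}


class OtpFuses:
    """One fuse bit per stage after RAW. Bits can only be set, never cleared (one-way street)."""

    def __init__(self) -> None:
        self._bits = 0

    @property
    def stage(self) -> Stage:
        # Decode: the highest burned bit wins, so a lower, older bit can never roll the device back.
        return Stage(self._bits.bit_length() - 1) if self._bits else Stage.RAW

    def advance(self, target: Stage) -> Stage:
        """Assumed rule: one step forward, or straight to RIP (manufacturing failure) from anywhere."""
        cur = self.stage
        if target == cur + 1 or (target == Stage.RIP and target > cur):
            self._bits |= 1 << target
            return self.stage
        raise PermissionError(f"illegal life-cycle move {cur.name} -> {target.name}")

    def enabled(self, feature: str) -> bool:
        return feature in ENABLED[self.stage]


class KeyManager:
    """Derives the chip identity from partial secrets held in different storage technologies."""

    def __init__(self, fuses: OtpFuses) -> None:
        self._fuses = fuses
        self._identity: Optional[bytes] = None   # never readable by the processor directly
        self._fsm_complete = False

    def run_fsm(self, partials: Sequence[bytes]) -> None:
        # Each partial comes from a different silicon technology (flash, fuse, ...), so an
        # attacker has to defeat every one of them to reconstruct the identity.
        h = hashlib.sha256()
        for p in partials:
            h.update(len(p).to_bytes(2, "big") + p)   # length-prefixed: partials cannot be re-split
        self._identity = h.digest()
        self._fsm_complete = True

    def export_identity(self) -> bytes:
        """Export only once the FSM has completed and only before the PROD fuse is burned."""
        if not self._fsm_complete or self._identity is None:
            raise PermissionError("key manager FSM not complete")
        if self._fuses.stage >= Stage.PROD:
            raise PermissionError("identity export disabled after manufacture")
        return self._identity


if __name__ == "__main__":
    # Constructed demo: personalize in TEST, then move to PROD and watch export close.
    fuses = OtpFuses()
    fuses.advance(Stage.TEST)
    km = KeyManager(fuses)
    km.run_fsm([b"flash-partial (constructed)", b"fuse-partial (constructed)"])
    print("exported:", km.export_identity().hex())
    fuses.advance(Stage.DEV)
    fuses.advance(Stage.PROD)
    try:
        km.export_identity()
    except PermissionError as e:
        print("after PROD:", e)
```

Decoding the stage from the highest burned bit is what makes the one-way property hold even if an attacker could somehow add a bit: any additional bit can only move the device forward, never back to a stage with testability re-enabled.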
First instruction integrity
First instruction integrity
(Diagram: Titan sits on the SPI bus between the host device (PCH/BMC) and the system firmware flash, and holds the host's reset control)
● Titan interposes on SPI, between host and system firmware flash
● At system reset, does a signature check of the FW
  ○ Signature OK ⇒ enables system SPI
  ○ Signature fail ⇒ alerts of failure
● Live monitoring
  ○ Snoops SPI for illegal activity
  ○ Unauthorized actions converted to harmless commands
SPI interposition
(Diagram: incoming SPI bus from host → snoop / control logic → safe command → outgoing SPI bus to flash)
The challenges of SPI interposition:
● Vendor agnosticity requires flexibility
● SPI does not have flow control
● Passthrough latency must be minimized
● Chip and board timing is a challenge
● Can affect boot latency
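The two behaviours described above (hold the host's SPI off until the reset-time firmware check passes; then snoop live traffic and turn unauthorized actions into harmless commands) as an added example, not the deck's or Titan's snoop logic. The SPI NOR opcodes are the standard JEDEC values; the policy built on them (a protected address range for the signed boot block, read-status as the harmless substitute, a verification callback supplied by the caller) and the `Interposer` name are this example's assumptions. Substituting rather than dropping the command is deliberate: SPI has no flow control, so the bus timing the host expects is preserved.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Standard SPI NOR flash opcodes (JEDEC-style values). The filtering policy built
# on them below is this example's own, not Titan's actual snoop logic.
READ, WREN, PAGE_PROGRAM, SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE, RDSR = (
    0x03, 0x06, 0x02, 0x20, 0xD8, 0xC7, 0x05)
MODIFYING = {PAGE_PROGRAM, SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE}
ERASE_SPAN = {SECTOR_ERASE: 4 * 1024, BLOCK_ERASE: 64 * 1024}
HARMLESS = RDSR   # read-status is the substitute: the flash answers, nothing changes


@dataclass
class SpiCommand:
    opcode: int
    addr: int = 0
    length: int = 0   # data bytes for program/read; ignored for erase opcodes


@dataclass
class Interposer:
    """Sits between the host's SPI bus and the flash; decides per command what reaches the flash."""
    protected: Tuple[int, int]          # [start, end) of the signed boot block the host may not modify
    enabled: bool = False               # host bus is held off until the reset-time check passes
    alerts: List[str] = field(default_factory=list)

    def reset(self, fw_image: bytes, verify: Callable[[bytes], bool]) -> bool:
        """Reset-time check: only a firmware image that verifies lets the host's SPI through."""
        self.enabled = verify(fw_image)
        if not self.enabled:
            self.alerts.append("boot firmware signature check failed; host SPI not enabled")
        return self.enabled

    def forward(self, cmd: SpiCommand) -> Optional[SpiCommand]:
        """Live monitoring: returns the command that goes out to the flash, or None if dropped."""
        if not self.enabled:
            self.alerts.append(f"dropped opcode 0x{cmd.opcode:02X} while host SPI disabled")
            return None
        if cmd.opcode in MODIFYING and self._touches_protected(cmd):
            # Unauthorized modification of the verified region: substitute a harmless
            # command so bus timing is preserved (SPI has no flow control) and raise an alert.
            self.alerts.append(f"rewrote opcode 0x{cmd.opcode:02X} at 0x{cmd.addr:06X} to RDSR")
            return SpiCommand(HARMLESS)
        return cmd

    def _touches_protected(self, cmd: SpiCommand) -> bool:
        if cmd.opcode == CHIP_ERASE:      # erases everything, so it always hits the boot block
            return True
        lo, hi = self.protected
        span = ERASE_SPAN.get(cmd.opcode, max(cmd.length, 1))
        return cmd.addr < hi and cmd.addr + span > lo


if __name__ == "__main__":
    # Constructed demo: a 64 KiB protected boot block at the bottom of the flash.
    spi = Interposer(protected=(0x000000, 0x010000))
    spi.reset(b"signed firmware", verify=lambda img: img == b"signed firmware")
    for c in (SpiCommand(READ, 0x000000, 256), SpiCommand(SECTOR_ERASE, 0x00F000),
              SpiCommand(PAGE_PROGRAM, 0x020000, 256)):
        out = spi.forward(c)
        print(f"host 0x{c.opcode:02X} -> flash 0x{out.opcode:02X}")
    print(spi.alerts)
```

Reads of the protected region pass untouched, which is what lets the host boot from it; only program and erase opcodes whose span overlaps the range are rewritten, and the alert log is what a monitoring pipeline would consume.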
Physical and tamper-resistant security
Physical security & countermeasures
Anti-glitch / anti-tamper mechanisms:
● Attack detection (glitch, laser, thermal, voltage, probe)
● Fuse, key storage, clock, and memory integrity checks
● Memory and bus scrambling and protection
● Register and memory-range address protection and locking
● TRNG entropy monitoring
● Boot-time and live-status checks
● Only internal clocks, internal code
Physical security & countermeasures
(Diagram: physical defenses (glitch, voltage, light and temperature sensors) and online checks (key manager integrity, TRNG integrity, clock integrity, bus parity) each send alerts to the alert responder, which can respond with an interrupt, NMI, freeze, or reset)
That's a wrap