On November 5, 2019, the non-profit lowRISC organization, with the participation of Google and other sponsors, introduced the OpenTitan project, which it calls “the first open source project to create an open, high-quality architecture of chips with the root of confidence (RoT) at the hardware level”.
OpenTitan on RISC-V architecture is a special-purpose chip for installation on servers in data centers and in any other equipment where it is necessary to ensure the authenticity of the download, protect the firmware from changes and eliminate the possibility of rootkits: these are motherboards, network cards, routers, IoT devices , mobile gadgets, etc.
Of course, such modules are in modern processors. For example, the Intel Boot Guard hardware module is the root of confidence in Intel processors. It verifies the authenticity of the UEFI BIOS through the trust chain before booting the OS. But the question is, how much can we trust the proprietary roots of trust, given that we do not have guarantees for the absence of bugs in the design, but there is no way to verify it? See the article “Schrödinger Trusted Download. Intel Boot Guard "with a description of" how over the years a cloned bug in the production of several vendors allows a potential attacker to use this technology to create a hidden rootkit in an undeletable (even programmer) system. "
The threat of compromising equipment in the supply chain is surprisingly real: it seems that any amateur electronics engineer can solder a bug into the server motherboard using equipment worth no more than $ 200. Some experts suspect that "organizations with a budget of hundreds of millions of dollars can do this for many years." Although there is no evidence, it is theoretically possible.
“If you can't trust the hardware downloader, the game is over,” says Gavin Ferris, lowRISC board member. – It doesn’t matter what the operating system does – if you were compromised by the time the operating system loads, then the rest is a matter of technology. You are already done. ”
This problem should be solved by the first of its kind open hardware platform OpenTitan (GitHub repository, documentation, hardware specifications). Avoiding proprietary solutions will allow us to change the “sluggish and imperfect RoT industry,” Google said.
Google itself embarked on the development of the Titan, discovering the Minix operating system integrated into the Intel Management Engine (ME) chips. This complex operating system in an unpredictable and uncontrollable way expanded the attack surface. Google tried to get rid of Intel Management Engine (ME), but failed.
What is the root of trust?
Each stage of the system boot process verifies the authenticity of the next stage, thus forming chain of trust.
A Root of Trust (RoT) is a hardware-based authentication that ensures that the source of the first executable instruction in the trust chain cannot be changed. RoT is a basic protection against rootkits. This is a key step in the boot process, which is involved in further system startup – from the BIOS to the OS and applications. He must verify the authenticity of each subsequent download step. For this, at each stage a set of keys with a digital signature is used. One of the most popular standards for hardware key protection is TPM (Trusted Platform Module).
Establishing the root of trust. Above is a five-stage download, which forms a chain of trust and begins with a bootloader located in unchangeable memory. At each stage, a public key is used to authenticate the next downloadable component. Illustration from Perry Lee's IoT Architecture
RoT can be launched in many ways:
- loading the image and root key from the firmware or immutable memory;
- storing the root key in a one-time programmable memory using fuse bits;
- loading code from a protected area of memory into a protected storage.
In different processors, the root of trust is implemented in different ways. Intel and ARM
Support the following technologies:
- ARM TrustZone. ARM sells a proprietary silicon block to chip makers, which provides the root of confidence and other security mechanisms. In this way, the microprocessor is separated from the unsafe core; it runs Trusted OS, a secure operating system with a well-defined interface for interacting with insecure components. Protected resources are in a trusted core and should be as lightweight as possible. The transition between components of different types is done using hardware context switching, which eliminates the need for secure monitoring software.
- Intel Boot Guard – This is a hardware mechanism for authenticating the initial boot block with cryptographic means or using the measurement process. To check the initial block, the manufacturer must generate a 2048-bit key, which consists of two parts: public and private. The public key is printed on the board by "detonating" the fuse bits at the production stage. These bits are one-time and cannot be changed. The private part of the key generates a digital signature for subsequent authentication of the download stage.
The OpenTitan platform reveals the key parts of such a firmware system, as shown in the diagram below.
The development of the OpenTitan platform is under the control of the nonprofit organization lowRISC. The engineering team is based in Cambridge (UK), and the main sponsor is Google. Founding partners include the Swiss Higher Technical School of Zurich, G + D Mobile Security, Nuvoton Technology and Western Digital.
Google has published the announcement of the project in the corporate Google Open Source blog. The company said OpenTitan is committed to “providing high-quality RoT design and integration guidelines for use in data center servers, storage, peripherals and more.”
The root of trust is the first link in the chain of trust at the lowest level in a trusted computing module, which the system always fully trusts.
RoT is critical for applications, including public key infrastructures (PKI). This is the foundation of the security system on which a complex system is based, such as an IoT application or data center. Therefore, it is clear why Google supports this project. She now has 19 data centers on five continents. Data centers, storage, and mission-critical applications represent a vast attack surface, and Google originally developed its own root of trust on the Titan chip to protect this infrastructure.
The proprietary Titan chip for Google data centers was first introduced in March 2017 at the Google Cloud Next conference. “Our computers conduct a cryptographic check of each software package, and then decide whether to give it access to network resources. Titan integrates into this process and offers additional layers of protection, ”said Google representatives at that presentation.
Chip titan in google server
Titan architecture was the property of Google, but is now becoming public domain as part of the open source project.
The first stage of the project is the creation of a RoT logic design at the microcircuit level, including the lowRISC ibex open-source microprocessor, cryptographic processors, a hardware random number generator, key and memory hierarchies for non-volatile and non-volatile storage, security mechanisms, peripheral input / output devices and safe boot processes.
Google says OpenTitan is based on three key principles:
- everyone has the opportunity to test the platform and contribute;
- increased flexibility due to the opening of a logically safe design that is not blocked by the proprietary prohibitions of the supplier;
- quality ensured not only by the design itself, but also by reference firmware and documentation.
“Current chips with the roots of trust are very proprietary. They claim safety, but in reality you take it on faith and you can’t test them yourself, ”said Dominic Rizzo, lead security specialist for the Google Titan project. “Now for the first time, the opportunity arises to provide security without blind faith to the developers of the proprietary design of the roots of trust.” So the foundation is not just solid, it can be checked. ”
Rizzo added that OpenTitan can be considered a “radically transparent design, compared to the current state of things.”
According to the developers, OpenTitan should by no means be regarded as a finished product, because development is not yet complete. They specifically opened specifications and design in the middle of development so that everyone could test it, contribute and improve the system before starting production.
To start manufacturing OpenTitan chips, you need to apply and get certified. Apparently, no royalties are required.