A recent article emphasized the threat of firmware-based attacks on server platforms, and explained in detail how a service provider like Cloudflare can defend its platform. It discussed the implementation of a hardware root of trust for code signing critical boot entities, enabling the hardware to become a first line of defense in ensuring server hardware and software integrity can derive trust through cryptographic means – and more importantly, defend customers against such attacks. The article concluded with a look to the future, indicating that while the solution works for the present, there’s always room for improvement as part of a continuous effort to provide industry-best security.
This article continues this discussion by reviewing potentially unaddressed vectors inherent in current platforms and previews an optimal solution for preventing firmware attacks and elevating platform security to the next level, based on Axiado’s trusted control/compute unit (TCU) security processor.
Rooting trust in firmware
The key problem is the implicit assumption of the safety of the root of trust (RoT) in the boot chain. Located at the Unified Extensible Firmware Interface (UEFI) firmware, the assumption is that the RoT is not a potential target for an attack. This assumption has proven dangerous as evidenced by the growth of firmware-based attacks over the years, and in particular, over ten-fold in 2019 as compared to 2010. Hackers have soon realized that by corrupting this firmware, trusted platform module (TPM) measurements for remote attestation purposes could also be corrupted, since the measurements rely on interaction with the firmware to validate such measurements (it is not called “root of trust” for nothing). To ensure platform integrity, it is imperative, then that the UEFI firmware itself is authenticated, that is, a policy of zero trust is enacted at the RoT.
To address this problem, companies have taken the important step of authenticating the UEFI firmware in their servers with Cloudflare using the AMD EPYC processor that supports this authentication. EPYC’s hardware security subsystem named the AMD Secure Processor performs a function named platform secure boot (PSB) that authenticates the first block of UEFI prior to releasing the main CPU from reset. PSB is AMD’s implementation of hardware-rooted boot integrity. It is better than UEFI firmware-based root of trust because it is intended to assert, by a root of trust anchored in the hardware, the integrity and authenticity of the System ROM image before it can execute. It does so by performing the following actions:
- Authenticates the first block of BIOS/UEFI prior to releasing x86 CPUs from reset.
- Authenticates the system read-only memory (ROM) contents on each boot, not just during updates.
- Moves the UEFI secure boot trust chain to immutable hardware.
This is accomplished by the AMD platform security processor (PSP), an ARM Cortex-A5 microcontroller that is an immutable part of the system on chip (SoC).
With this approach, Cloudflare has enabled a solution that appears to address its UEFI firmware authentication needs.
Problems with UEFI secure boot
A common component that sits on nearly every server is a baseboard management controller (BMC). BMCs have multiple connections to the host system, providing the ability to monitor hardware, flash BIOS/ UEFI firmware, give console access via serial or physical/virtual KVM, power cycle the servers, and log events.
As part of the boot chain, the current PSB method of signing does not address signing the BMC, which limits extending the trust boundary to a controller that has many interfaces to system components.
Booting with a platform-specific CPU
Incorporating UEFI firmware authentication within a block that is built into the main CPU of a server introduces logistics issues in the area of stock keeping unit (SKU) management. One such issue involves locking a CPU to a particular platform. With UEFI authentication and related cryptographic keys tied to both the code in the on-board boot flash as well as the AMD EPYC CPU, all must be present on the platform for the server to boot properly. However, this limits the ability to upgrade or change a CPU on that motherboard. This side-effect has been observed in the value-added-reseller market as EPYC devices using the PSB feature cannot be swapped out. Some companies (such as HPE) have recognized this limitation and disabled the PSB feature in their EPYC-based servers, choosing to authenticate their UEFI firmware externally with their in-house silicon solution instead.
Axiado believes that an external coprocessor handling UEFI firmware authentication while allowing for CPU flexibility is ideal for the industry at large.
Challenges with multiple platforms
Another issue related to SKU management pertains to managing platforms with potentially multiple secure boot methodologies. A data center deployment of servers may include a mix of processors, such as Intel, AMD, and Arm, each with their direction of implementing UEFI firmware authentication. This scenario may cause undue burden with managing differing home-grown secure-boot/root-of-trust methodologies from each CPU vendor.
Hence, an external coprocessor for handling UEFI firmware authentication with CPU flexibility is ideal for the industry at large.
A potential one-stop shop for optimal firmware security?
A solution that enables a one-stop shop for security needs, while simultaneously improving firmware security, and not adding components to the bill-of-materials is Axiado’s trusted control/compute unit (TCU) coprocessor. This offers best-in-class UEFI firmware authentication for a uniform secure boot solution across all SKUs, no matter a company’s choice in main CPU vendor, and all without adding components to the platform.
As a coprocessor in a server, Axiado TCU takes on the role of the baseboard management controller (BMC) chip, so additional space on the server is not required for this device. The TCU is responsible for attestation of all components in the system, including itself. It offers an attractive component consolidation solution by supporting all the legacy functionality expected of a BMC device and including additional functionality that allows TCU to take on the role of the trusted platform module (TPM) and complex programmable logic device (CPLD) found on servers.
At the heart of TCU is Axiado’s patented secure vault technology, providing tamper-resistant, immutable hardware-based UEFI firmware authentication and secure boot. Among other things, this technology includes protections against differential power analysis attacks that are used to reverse-engineer cryptographic keys that provide hackers access to encrypted private information.
The TCU includes a secure AI technology featuring a dedicated neural network processor (NNP) subsystem designed to model the normal behavior of the device, and thus, to identify anomalies that might indicate the presence of an attack. This makes it possible to enact any necessary countermeasures to protect the system prior to attacks, including those not formally identified. Furthermore, the NNP has connections to various I/Os of the device, so it can model the normal behavior and identify anomalies of the server platform at large, expanding the TCU’s protective radius against hacking attempts.
By offering a security coprocessor solution, Axiado solves the problems presented in this article with regards to SKU offerings. First, a single solution minimizes the number of attack surfaces that hackers can try to exploit across an entire SKU lineup. One does not need to protect against attacks on AMD, Intel, Arm and other vendors’ security solutions. This also simplifies the management and maintenance of server SKU deployments, minimizing the number of platform software/firmware update variants. Second, by offloading the secure boot subsystem to the TCU, the CPU is no longer locked to the specific server hardware. One can then be free to mix-and-match CPUs across hardware variants and perform upgrades without having to go through the task of configuring the CPU to the specific hardware to which it is installed.
In summary, the TCU coprocessor provides a uniform and secure hardware based UEFI firmware protection solution for all its platforms, with the ability to learn new attacks before they are even formally recognized. This enables a secure network powered by high performance and feature-rich CPU subsystems, along with a network that is easier to manage and maintain.
Derek Chamorro is a security architect at Cloudflare and has over 16 years of experience in designing security frameworks at scale. His main focus is on research and development within infrastructure and cloud security, and he holds multiple patents in the fields of security, key management, and blockchain. Chamorro frequently speaks at events, having given talks at Openstack Austin Summit on self-healing control plane with Kubernetes, Blockchain West Summit on deep inspection of big data on the blockchain, Google NEXT on migrating DDOS defenses to Google cloud, Linux Security Summit 2020 on encrypting memory at scale, and Conference for Defense on building a serverless SIEM.
Gopi Sirineni is the CEO of Axiado, spearheading transformative security technologies with AI in hardware. He is a Silicon Valley veteran with over 25 years of successes in the semiconductor, software and systems industries. Before joining Axiado, Gopi spent eight years as vice president of Qualcomm’s wired/wireless infrastructure business unit where he developed Wi- Fi and Wi-Fi SON, creating the market dominating technology. His career highlights include executive positions at Marvell Semiconductor, AppliedMicro, Cloud Grapes, and Ubicom that was acquired by Qualcomm under his direction. He has chaired IEEE project authorization requests (PARs) and contributed to both Ethernet and Wi-Fi standards. His pioneering foresight into distributed mesh technology created the connected, AI-based home market segment.
- ADLINK brings Ampere Altra SoCs to embedded with COM-HPC modules
- ‘Data diode’ hardens Industry 4.0 network security
- 5G’s biggest challenges for communications service providers
- Firmware Security – Preventing memory corruption and injection attacks
- Software supply chain remains vulnerable