Securing Hardware and Firmware Supply Chains

In the modern cloud data center, ensuring the authenticity, integrity, and security of hardware and firmware is paramount. Firmware is the lowest level software that runs on every chip in a server, e.g., CPU, GPU, storage controller. Since firmware provides programming interfaces that higher-level software builds upon, one could think of the hardware as bedrock and the firmware as the foundation upon which the rest of the stack is built.

 

Microsoft works with industry partners through the Open Compute Project (OCP) to define open hardware and firmware specifications that benefit the entire industry.  One recent example, Caliptra, provides an open and transparent implementation of a Root of Trust for any ASIC.  The Caliptra Root of Trust provides an unforgeable unique identity for each device, as well as a way to validate the authenticity of all the firmware running on the device.  As industry partners start to deliver products with Caliptra as the root of trust next year, their customers will have increased confidence in the security and trustworthiness of the hardware they deploy. 

 

With the Caliptra effort well underway, Microsoft and the OCP security community turned to improving the trustworthiness of the firmware serving as the foundation for the software environment. The result of this effort was the OCP Security Appraisal Framework and Enablement (SAFE) program launched in October of 2023 at the OCP Global Summit. This framework ensures security compliance for cloud hardware and firmware. Simply put, the goal of SAFE is to build a better foundation.

 

OCP SAFE

 

The OCP SAFE program defines a comprehensive framework to standardize security reviews of the code and hardware designs that modern-day computer runs on. The SAFE framework defines 3 scopes, each providing greater assurances while considering increasing sophistication from adversaries. The third level assumes a well-funded adversary with a sophisticated lab.

 

The result of a SAFE review, in addition to more secure firmware and hardware, is a cryptographically signed Short Form Report (SFR). This report, published in OCP’s GitHub, is a JSON document containing hashes of the reviewed firmware, a list of any remaining security issues, and metadata identifying the vendor and review provider. The schema is designed to be easily understood and inspected by both humans and programs. The SFR format allows an organization (a Cloud Service Provider, an enterprise, or an end user) to easily encode their own security policy into a simple program, such as: “only allow firmware that has been security reviewed and contains no security issues of medium or higher severity”. This allows automated and consistent enforcement of security policy at deployment, boot, and runtime.

 

Since the launch of SAFE in 2023 the community has grown.  The SAFE Technical Advisory Committee (TAC) has approved 5 additional Security Review Providers (SRP), bringing the total to eight review providers.  Before being accepted as an SRP, all firms must show their security expertise, independence, and commitment to improving security. All five of the newly added review providers joined at the request of their existing customers.  These customers had already been actively working with security firms to ensure their products were secure.  The SAFE program gives these device vendors a way to publicly demonstrate the security work they have been doing for years, bringing it to a common basis of quality that can be accepted across the industry.

 

“As our industry moves from “one and done” security testing into a state of continuous security validation throughout the full lifecycle of a device, OCP SAFE's holistic and transparent approach uniquely validates device vendors are using secure development and build processes, consistently adhering to regulatory requirements, and by engaging experienced security reviewers and contributors like IOActive, assure the physical device, firmware, drivers, and software components down to its source code have thoroughly met or exceeded OCP SAFE's modern cloud security standards.” Gunter Ollmann, CTO IOActive

 

Security Assurance

 

While Caliptra enabled devices and SAFE reviewed firmware each improve security independently, when combined they improve the transparency and trustworthiness of the system. This is achieved by having cryptographically verifiable measurements (hashes) of each layer of firmware running in the system linked to the attestations made by an open source (and SRP reviewed) silicon root of trust. The combination allows end users to independently verify that the firmware in their computing environment has undergone a rigorous security audit.  This flow is illustrated below.

 

 

Figure 1 Flow for verification of firmware configuration and security assurances

 

There are multiple ways to expose the runtime attestations from a Caliptra enabled device, but the simplest is to share the measurements from an SPDM query, or in the case of Confidential Compute a Trusted Security Manager (TSM) Report. This query returns a listing of the hashes of firmware loaded into the system.

 

After the user has obtained the attestation report they can then compare the hashes in the attestation report with the Reference Integrity Manifest (RIM) file provided by the device vendor.  The RIM file contains measurements for a collection of firmware the vendor has validated as being genuine, suitable for the device, and compatible with the other firmware listed in the RIM file.

 

Once the attestation report has been validated against the RIM file, the user now has confidence that their device is only running firmware developed by the device provider.  The next step is to verify that the runtime measurements match those in the published SAFE short form reports. The report’s authenticity can be verified by checking the cryptographic signature on the report. If the measurements match, the user knows that the firmware they are running on was reviewed by the author of the short form report. The user should review any remaining issues in the published short form report to ensure this meets their own security requirements.  In addition to cryptographically binding the SFR to a specific firmware version, the SFR acts as a secondary signature on the firmware.  This additional layer provides protection against a vendor’s code signing process being compromised.

 

Hardware Supply Chain Provenance

 

The previous flow combined SAFE with Caliptra’s measurement capabilities to improve overall system security.  Microsoft has developed another flow that leverages the cryptographic identity capabilities provided by Caliptra to ensure only authentic hardware is delivered to Azure.  This flow tracks the unique identity of every device through the entire lifecycle, beginning with chip manufacturing and continuing through assembly, system integration, deployment, operation, and secure decommissioning in Azure.

 

Azure manages hardware identities in a management system known as Hardware Key Management Services (HKMS).  At each stage in the manufacturing process HKMS collects the public portion of the device identities which were generated inside Caliptra, these identities are IDEV and LDEV Certificate Signing Requests (CSR).  By collecting the public portion of these cryptographic identities, HKMS can validate the Hardware Bill of Materials (HBOM) as well as verify device provenance and manufacturing records before signing the CSR and endorsing the device as fit for deployment in Azure.   Then throughout the operational life cycle of the device, the LDEV identity is renewed or revoked.  Additional details on Caliptra identities can be found in the Caliptra specification.

 

Figure 2 Hardware Key Management Service

 

The backing store for HKMS is an Azure Confidential Ledger, which leverages the Azure Confidential Computing platform and the Confidential Computing Framework. These technologies ensure the security of the backing store and provide non-repudiation and immutable auditability of HKMS-managed hardware identities.

 

Supply Chain Transparency

 

Recognizing the widespread need for improving supply chain security, Microsoft engaged with industry partners to leverage our experience developing supply chain assurance processes (including the Caliptra and OCP SAFE technologies described above) into a broader framework that could be widely adopted.  The result of this ongoing effort has been captured in the Supply Chain Integrity, Transparency, and Trust (SCITT) Internet Engineering Task Force initiative.  This proposal describes the processes for managing the compliance and transparency of goods and services across supply chains.  SCITT supports the ongoing verification of services and devices, where the authenticity of entities, evidence, policy, and artifacts can be assured and the actions of entities can be guaranteed to be authorized, non-repudiable, immutable, and auditable.

 

Figure 3 SCITT Framework

 

The SCITT framework builds on technologies like Caliptra and OCP SAFE to track devices and firmware throughout their chains of custody – in effect, securing the entire supply chains. By using transparent roots of trust, like Caliptra, and incorporating evidence such as manufacturer SBOMs, Reference Integrity Manifests (RIM), and OCP SAFE audit reports, device integrity can be verified across the hardware supply chain and throughout its operational lifecycle.  The combination of these transparent security technologies ensures that hardware and firmware are always authorized, non-repudiable, and immutably auditable.

 

The Confidential Consortium Framework (CCF) is used to provide the SCITT eNotary immutable ledger.   This is coupled with a confidential signing service that only signs artifacts with valid claims on the ledger can enforce non-repudiable, immutable, and auditable end to end supply chain claims.

 

Figure 4 Hardware Transparency Services

 

The SAFE framework, combined with Caliptra-enabled devices, significantly enhances the security, transparency, and trustworthiness of our systems. By leveraging the cryptographically-signed Short Form Reports of the SAFE framework, organizations can automate and consistently enforce security policies at deployment, boot, and runtime.  Building upon the identity provided by Caliptra we can further secure the entire lifecycle of our devices, from manufacturing to deployment and end of use. As Microsoft continues to innovate and improve our security measures, we remain committed to providing robust and reliable solutions that meet the evolving needs of our customers.