Saturday, July 27, 2024

How Caliptra OCP Bolsters Data Center Chip Security

Caliptra security

Google creates technology and software that are scalable, secure, and sustainable in order to power services for billions of users. To provide these experiences, it has made open innovation a fundamental principle. CPUs, GPUs, TPUs, NICs, SSDs, and more will work together in an AI-driven future. These chips’ firmware must be transparent and trusted to enable secure solutions at scale.

Greetings from Caliptra 1.0

In order to improve chip security, Google collaborated with AMD, Microsoft, and NVIDIA to create the Caliptra standard at the Open Compute Project (OCP). Caliptra is a hardware root-of-trust (RoT) that helps guarantee that only approved and reliable firmware is permitted to execute production workloads by offering verifiable cryptographic assurances.

Caliptra will eventually cover all chips, with an initial focus on hardware implementations used in confidential computing. In response to the increasingly sophisticated nature of cyberattacks, the team went beyond a defined specification and produced an open-source implementation at the CHIPS Alliance. The end product is a silicon-level intellectual property (IP) block that can be integrated into future CPUs, GPUs, and SSDs. The Caliptra source code also covers the block’s firmware and ROM.

Google Cloud is happy to announce the completion of the Caliptra definition and the reaching of the revision 1.0 milestone for the open-source hardware and software implementation. With the addition of 9elements, AMI, Antmicro, ASPEED, Axiado, Lubis EDA, ScaleFlux, Marvell, and Nuvoton, the Caliptra community is still expanding and currently consists of organisations with substantial domain experience in SoC design automation, firmware, and verification.

Companies around the ecosystem are currently integrating the Caliptra IP block onto chips that will begin to be sold in 2026. The project has gone from its beginning to a complete specification and an open-source implementation of the hardware and software in less than two years.

The group has already begun work on the next version, Caliptra 2.0, which will address post-quantum cryptography in order to adhere to NIST’s guidelines for stateful hash-based signature schemes and module-lattice-based digital signatures. Visit caliptra.io to view the open source repositories and download the Caliptra 1.0 standard.

Caliptra OCP

OCP Safe and Effective Environment

Additionally, OCP, Microsoft, and Google are working together to improve security assessments through the OCP Security Appraisal Framework and Enablement (OCP S.A.F.E.) programme. The programme gives customers of equipment such as SSDs an assurance of security conformity. To protect the intellectual property of device vendors, it has certified a list of authorised OCP Security Review Providers (SRPs), who perform security conformance reviews covering the provenance, code quality, and software supply chain of firmware releases and patches for devices. Details of OCP’s S.A.F.E. programme follow.

The S.A.F.E. Programme (OCP Security Appraisal Framework and Enablement)

A vast array of processing (CPU, GPU, FPGA, etc.) and peripheral (network controllers, accelerators, storage devices, etc.) components make up modern data centres. Typically, these devices run firmware, microcode, or other updatable software that resides either inside or outside the device.

Strong security assurance is needed for the software supply chain, provenance, and code quality of firmware releases and updates that are installed on these devices.

Objectives: The OCP S.A.F.E. Recognition Programme aims to address the difficulties that device manufacturers, consumers, and outside security assessment companies currently face. Its goals are to:

  • Cut down on overhead and duplicate security audits.
  • Give device customers an assurance of security conformity.
  • Reduce the competitive objections that impede the sharing of source code for thorough, impartial security testing and the publication of results and reports.
  • Expand the number of devices that have their firmware and related updates continuously examined.
  • Refine review areas, testing scopes, and reporting criteria iteratively to gradually improve hardware and firmware component security posture throughout the supply chain.

How to Take Part

OCP S.A.F.E.
Image credit: Google Cloud

OCP Caliptra

If you are a device supplier:

First Step

  • Enrol in the OCP Solution Provider Programme and become an OCP Member.

Step Two

  • Examine the documentation for the Framework and Review Areas.
  • Select a certified OCP Security Review Provider (SRP) from a list to carry out a security conformance review.

Step Three

  • The OCP SRP will submit the security compliance report to the OCP (sample report link), at which point the device will be placed on the OCP Marketplace and recognised as an OCP S.A.F.E. approved product.
  • The relevant OCP S.A.F.E. logos for usage with the device will be provided by OCP.
  • Use the OCP go-to-market initiatives to your advantage and start marketing the product as OCP S.A.F.E.

If your business wants to become a third-party auditor and an OCP Security Review Provider (SRP) Solution Provider:

First Step

  • Examine the documentation for the SRP Framework and Criteria.
  • To explore submitting an SRP application, get in touch with the OCP Community S.A.F.E. Project Leads.

Step Two

  • Security Project Leads and the OCP Foundation will examine the SRP Criteria Assessment.
  • Sign the appropriate contracts and make the necessary payments.
  • The SRP will be known as an OCP S.A.F.E. SRP if it is authorised.

Step Three

  • The SRP will be listed in the OCP Membership and Solution Provider (SP) Directories.

Scope

The following will be the Security Project’s main priorities:

  • Standardised hardware interface and protocols to guarantee the integrity of the boot code
  • Open-source firmware for specialised security hardware
  • Security firmware protocols and APIs
  • Ownership transfer of the IT equipment (e.g., resale)
  • Techniques for secure firmware delivery
  • Firmware and operating system secure boot
  • Recovery from a compromised or untrusted state
  • Securing and verifying all mutable storage, such as flash for microcontrollers, BMCs, BIOS, CPLDs, etc.
  • Secure updates to mutable storage with flexible options for rollback protection

What comes next

Caliptra has already established itself as a superior specification and implementation that tackles a challenging security problem. The partners are now building on it with the launch of a new endeavour, OCP Layered Open-source Cryptographic Key-management (OCP L.O.C.K.). Founded by Google, Microsoft, Samsung, Solidigm, and KIOXIA, OCP L.O.C.K. defines and implements a standard for NVM Express (NVMe) key management blocks. This standard protects customer data even in the event that a physical drive is taken from a data centre.

Joining forces with industry experts to produce technologies that will increase the trustworthiness and security of society’s infrastructure is exciting. Open source is used as a means to help hardware, firmware, and software meet the standards’ goals in an open, auditable, and transparent manner. Caliptra, OCP S.A.F.E., and OCP L.O.C.K. are among the topics covered in further detail during this week’s OCP Regional Summit in Lisbon, Portugal. The team is excited to talk about these technologies and work together to create the future.

Thota Nithya
Thota Nithya has been writing cloud computing articles for govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.