This publication describes techniques and apparatuses for an open-source silicon-based Root of Trust (RoT) (a security chip, a RoT chip) solution for supporting supply chain verification of hardware components embedded in or on a circuit board (e.g., motherboard). In aspects, an open-source read-only (RO) Component Verifier, which is part of an RO Firmware, is provided to establish trust at all levels, such as a field-modifiable or read-write (RW) Firmware, an operating system (OS), cloud computing, component manufacturers, and so forth. The security chip includes two classes of non-volatile memory (storage): RO non-volatile memory (e.g., RO NVRAM), which is accessible only by the RO Firmware, and RW non-volatile memory (e.g., NVRAM), which is accessible by the RO Firmware and the RW Firmware. The security chip stores private keys (e.g., EK, AIK) used in for provisioning component Secrets in the RO NVRAM, preventing access to the RW Firmware. Without sharing any details, the RO Component Verifier of the RO Firmware is able to access the contents of the RO NVRAM. Such an intrinsically secure communication channel between the RO Firmware and the RO NVRAM, as well as preventing access to the RO NVRAM by the RW Firmware, is guaranteed by the hardware design of the security chip. This solution enables component manufacturers to use computationally inexpensive common protocols for identity verification (e.g., MARS, DICE) to communicate the Secrets associated with the components, while entrusting the open-source security chip to protect these secret keys.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Sukhomlinov, Vadim; Schilder, Marius; Pronin, Andrey; and Spangler, Randall, "Supply Chain Verification of Hardware Components Using Open-Source Root of Trust", Technical Disclosure Commons, (January 22, 2020)