Google has announced the first open source silicon root of trust project: OpenTitan. With a brief to deliver open source transparency to a "logically secure" chip design for use in data centre server motherboards, storage devices, network cards and other enterprise-level peripherals, Google hopes to raise confidence in the security of enterprise infrastructure worldwide.
Royal Hansen, vice president at Google, and Dominic Rizzo, OpenTitan lead at Google Cloud, put it simply: "security begins with secure infrastructure." Taken on those terms, this is no bad thing.
OpenTitan is all about cementing our trust in the root of trust (RoT), and the Google security announcement suggests that a transparent open source chip design process will make it more trustworthy and thus more secure.
Google itself uses a custom-made Titan chip to ensure its data centre machines boot from a known trustworthy state with verified code. Titan is Google's silicon root of trust. By verifying that critical system components boot with authorised code only, it helps ensure the hardware infrastructure and the software running upon it remain in a trustworthy state.
The OpenTitan project will be managed by a not-for-profit company called lowRISC CIC, complete with a full-stack engineering team based in Cambridge. Partners include ETH Zurich, G+D Mobile Security, Nuvoton Technology and Western Digital alongside Google itself.
"We are transparently building the logical design of a silicon RoT," Google says, "including an open source microprocessor (the lowRISC Ibex, a RISC-V-based design), cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more."
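The two ideas above, a root of trust that only lets authorised code boot and a key hierarchy in which each verified stage names the key permitted to sign the next, can be shown concretely. The following is an added example written for this article, not code from OpenTitan, Titan or any Google project: a simulated two-stage verified boot using Go's standard-library Ed25519. The root of trust holds only a hash of the root public key (standing in for a value fused into one-time-programmable memory), the stage images and their keys are constructed here, and the `Stage`, `RootOfTrust` and `VerifyChain` names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Stage is a constructed boot-stage image: its code, the public key allowed to sign
// the *next* stage (the key hierarchy), and a signature over both made by the key
// that authorises this stage. Names and layout are this example's assumptions.
type Stage struct {
	Name    string
	Code    []byte
	NextKey ed25519.PublicKey // nil for the final stage
	Sig     []byte
}

// signedPayload is what the signature covers. The stage name and a length prefix
// are bound in so a validly signed kernel cannot be replayed in the bootloader slot.
func signedPayload(s *Stage) []byte {
	var buf bytes.Buffer
	buf.WriteString(s.Name)
	buf.WriteByte(0)
	binary.Write(&buf, binary.BigEndian, uint32(len(s.Code)))
	buf.Write(s.Code)
	buf.Write(s.NextKey)
	return buf.Bytes()
}

// sign is the manufacturer-side step: the holder of priv authorises stage s.
func sign(priv ed25519.PrivateKey, s *Stage) { s.Sig = ed25519.Sign(priv, signedPayload(s)) }

// RootOfTrust holds only SHA-256(root public key), standing in for a hash burned
// into OTP memory at manufacture; the key itself travels with the first image.
type RootOfTrust struct{ RootKeyHash [32]byte }

var ErrUntrusted = errors.New("boot halted: image not signed by an authorised key")

// VerifyChain walks the chain: stage 0 must verify under the root key whose hash the
// RoT holds, and every later stage under the key carried in the previous verified
// stage. It returns the names verified before the first failure, so a caller can see
// exactly where the chain broke.
func (r RootOfTrust) VerifyChain(rootKey ed25519.PublicKey, chain []*Stage) ([]string, error) {
	if sha256.Sum256(rootKey) != r.RootKeyHash {
		return nil, fmt.Errorf("%w: root key does not match fused hash", ErrUntrusted)
	}
	verified := []string{}
	key := rootKey
	for _, s := range chain {
		// ed25519.Verify panics on a malformed public key, so a stage that carries
		// no (or a truncated) NextKey must stop the chain rather than crash the RoT.
		if len(key) != ed25519.PublicKeySize {
			return verified, fmt.Errorf("%w: no valid key delegated for %s", ErrUntrusted, s.Name)
		}
		if len(s.Sig) != ed25519.SignatureSize || !ed25519.Verify(key, signedPayload(s), s.Sig) {
			return verified, fmt.Errorf("%w: %s", ErrUntrusted, s.Name)
		}
		verified = append(verified, s.Name)
		key = s.NextKey
	}
	return verified, nil
}

// ConstructedBoot builds a sample chain with fresh keys (constructed data, not real
// firmware): the root key signs the bootloader, which delegates to a stage key that
// signs the kernel.
func ConstructedBoot() (RootOfTrust, ed25519.PublicKey, []*Stage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return RootOfTrust{}, nil, nil, err
	}
	stagePub, stagePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return RootOfTrust{}, nil, nil, err
	}
	bootloader := &Stage{Name: "bootloader", Code: []byte("constructed stage-1 image"), NextKey: stagePub}
	sign(rootPriv, bootloader)
	kernel := &Stage{Name: "kernel", Code: []byte("constructed stage-2 image")}
	sign(stagePriv, kernel)
	return RootOfTrust{RootKeyHash: sha256.Sum256(rootPub)}, rootPub, []*Stage{bootloader, kernel}, nil
}

func main() {
	rot, rootPub, chain, err := ConstructedBoot()
	if err != nil {
		panic(err)
	}
	report := func(label string) {
		names, err := rot.VerifyChain(rootPub, chain)
		fmt.Printf("%-26s verified=%v err=%v\n", label, names, err)
	}
	report("clean chain:")
	chain[1].Code[0] ^= 0xff // flip one byte of the kernel image
	report("tampered kernel:")
	chain[1].Code[0] ^= 0xff
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	sign(evilPriv, chain[1]) // attacker re-signs the kernel with a key the bootloader never delegated to
	report("kernel signed by unknown key:")
}
```

The point the example makes is that an attacker who can rewrite flash still cannot get a modified kernel to run: changing the image breaks the signature, and re-signing it needs a key that the already-verified bootloader names, which in turn is pinned to the root key hash the chip carries. The real chips add much more (anti-rollback counters, measured boot, hardware-isolated key storage), none of which is modelled here.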
While almost everyone accepts that software ultimately needs hardware to run on, that understanding rarely carries over into how software security is discussed. "All too often the software security conversation ends with the application developer," Tim Mackey, principal security strategist within the Synopsys CyRC (Cybersecurity Research Center), told SC Media UK, "without recognising that to the left of that developer in a proverbial DevOps Möbius is some significant hardware engineering."
In that view, a software vulnerability is a code weakness that becomes exploitable once the code is deployed on a particular hardware platform. "It also means that a hardware vulnerability can have significant impact on software security," Mackey points out, "as most software was designed around assumptions present in the hardware and subsequently compiled for a given hardware platform."
Secure boot, and the root of trust model more generally, is weighed down by a trade-off: how quickly the system can boot against how much code it can verify before that code runs. Speculative execution attacks such as Spectre and Meltdown show what happens when a performance optimisation turns out to undermine assumptions the software relied on. "This is more a question of expectations," Mackey says, "speculative execution offered significant benefits to the software world for years before vulnerabilities like Spectre and Meltdown were discovered."
Given the lifespan of a CPU or chipset, attackers armed with tools we don't yet know about might be able to break the secure enclaves we currently trust. That is the conundrum of how to trust the root of trust itself, and it is the one OpenTitan hopes to address. "An open source hardware model could potentially identify latent issues quicker by enabling a transparent review of the implementation," Mackey told SC Media UK.
Mackey reckons that a distinct advantage of investing in an open source root of trust is "the attention the implementations will receive from interested parties." However, he also warns that "while successful open source hardware initiatives do exist, there are far fewer examples than for the software world." The promise is certainly there, then, but only time will tell whether OpenTitan is the answer and whether it gains enough traction to be widely adopted.