6569 - Centralized System Security Hub for Server Platforms.pdf

《6569 - Centralized System Security Hub for Server Platforms.pdf》由会员分享，可在线阅读，更多相关《6569 - Centralized System Security Hub for Server Platforms.pdf（13页珍藏版）》请在三个皮匠报告上搜索。

1、Phanikumar KancharlaCraig BarnerServer HW Security HubServer HW Security HubPhanikumar KancharlaCraig BarnerCYBER SECURITY&DATA PROTECTIONHardware Platform Security The NeedOCP Security Projects Caliptra and LOCKProposal to Secure ALL Platform KeysBenefits beyond HW Key ManagementCall for ActionAgen

2、daThe physical platform security is the foundation for the rest of the systems securitySW and HW Integrity-Secure Boot,Attestation,UpdatesData Security using authenticated encryptionat rest:HDD,SSD and NVMe in use:DRAM,CXL,Acceleratorsin transit:Network,PCIeCryptography and secure key management are

3、 criticalPlatform SecurityNetworkStorageMemoryAcceleratorPCIe/CXLSW AppsID and AttestKeys are managed by Independent HW-Inconsistent implementation-Compliance complications-Increased attack surface-Lack of central controlKeys are managed by SW Modules-Numerous dependencies-Dynamic Updates-Poses high

4、 risk of key exposureKey-Mgmt Risks We Cant IgnoreCaliptra,an OCP specification for a silicon Root of Trust internal blockProvides RoT services for Identity,Measurement and Image Update,RecoveryManages Keys corresponding to these servicesOpen-Sourced RTL and FW:Ensures Consistency,Transparency and R

5、eusabilityFocus:SoCs and ASICs in the hyperscale/datacenter spaceRoT Keys Managed byAn optional extension to OCP CaliptraIntroduced a HW KMB to securely manage Media Encryption Key and related keys.Protects MEK from SW and Disk Controller FWUses HW Interface to load keys to Encryption EngineSED Keys

6、 Managed by L.O.C.KNetwork Device:MACSec Keys are programmed by a SW SupplicantDRAM:Encryption keys can be programmed by System SWoHW managed keys have operational restrictions for SnapshotsPCIe IDE:Keys are loaded in secure channel by IDE_KM SW Accelerator:SW Applications supply