Firmware Security Audits
Security
Thordur Bjornsson (Google)
Eric Eilertson (Microsoft)

Agenda
- Updates since 2022
- Firmware Security Audit Framework
- Pilot Programs
- Call to Action

22-23
- Hibernation
- Gathered initial feedback
  - Vendors
  - Auditors
- Process ready for feedback, Pilots in Progress
- Framework Document
- Call to Action to follow

Firmware Security Audit Framework
- Posted to the OCP Security Wiki "soon"
- CV = Component Vendor, AP = Audit Provider
- Scaffolding for ensuring collaboration
- Guard rails for Scope and Reports
- Guard rails for legal, authorization, and similar hurdles
- Guides for initiating audits and settling scope
- Guides for timeboxing, re-testing, and final reports

Firmware Security Audit Framework
- Sufficiently Interesting Devices/Components
- No interest in doing a security audit of a 20M resistor
- Devices should hit some complexity highlights
  - Identity, ROM, Mutable Code, Attestation
  - Not hard rules but guardrails
- A few "dumb but active" components are interesting
  - Voltage Regulators are the prime example

Firmware Security Audit Pillars
- Documentation
- Threat Models and Actors
- Code Assessment
- Integrity and Attestation
- Manufacturing & Supply Chain
- Identity, debug, and RMA

Documentation
- Threat Models
- Volatile-Storage statements
- Critical Security Parameters

Integrity
- Secure/Measured boot
- Signature Verification
- Anti-Rollback
- Recovery
- Debug Enablement

Attestation
- SPDM
- CA/Final Responders
- Configuration and state must be included in the attestation response
- Logs v. Attestation

Manufacturing & Supply Chain
- Field/Datacenter/Owner Entropy for Identities
- iRoTs, Caliptra, DICE/UDS
- Attestation and related cryptographic key material
- Software Supply Chain
- SBOMs

Lifecycle
- Manufacturing (N/A)
- Pre-Provisioning (Of interest)
- P