Founded in 2009, the Open Compute Project (OCP) is a collaborative community focused on redesigning hardware technology to efficiently support the growing demands on compute infrastructure. More recently, the OCP formed a security working group to tackle the formidable challenges of data security in the cloud, including the increasing sophistication of malicious actors. In conjunction with their tech week, today the OCP announced the version 1.0 Root of Trust (RoT) specification.
The OCP specification starts with the requirement that both the platform (the server being protected) and device must have a hardware RoT. Amongst its many responsibilities, the RoT verifying the device firmware at boot, maintains authenticity during updates, and recovers in the event of corruption. The OCP specification further specifies how a system should boot: each device/peripheral must first boot securely, using the RoT to ensure authenticity of its firmware. It must verify the firmware’s cryptographic signatures using a policy that is defined by the system owner for authorizing only valid firmware signers. Then, the platform RoT is responsible for requiring all devices in the system to attest – to prove in an irrefutable way that the firmware it is running is indeed what is expected. Once the platform RoT has booted the platform successfully, and has attested all devices, the platform is finally considered to be secured. Of note, the first release includes specifications for secure boot, peripheral attestation, and threat scope.
Rambus is pleased to announce our support for this specification, as we have long touted that a hardware root of trust is and must be the foundation of any secure system. OCP’s method of mandating a hardware RoT on every device is a prudent one – each and every device within a system must be secure, and be able to be trusted by every other device in that system. Without a root of trust, this is not possible. Rambus offers a broad portfolio of robust root of trust solutions, ranging from richly featured defense-grade co-processors to highly compact state machines suitable for IoT devices. These solutions provide robust security capabilities including unique identification, security lifecycle management, attestation, secure boot, secure update, anti-rollback, isolation, interaction, secure storage, and cryptographic/trusted services. With a breadth of solutions applicable from the data center to endpoint devices, Rambus has a root of trust solution for almost every application.
During the OCP tech week, there are a number of security-specific sessions Thursday, November 12 and Friday, November 13th. More information on these is available at https://www.opencompute.org/summit/ocp-tech-week