Hot Chips 2018: Google Titan Live Blog (6pm PT, 1am UTC)
by Ian Cutress on August 20, 2018 8:40 PM EST- Posted in
- CPUs
- Hot Chips
- Trade Shows
- Live Blog
- BIOS
- Root-of-Trust
- Silicon
08:52PM EDT - The second talk on security is on Google's Titan Root-of-Trust silicon that sits between the BIOS and the processor on its custom systems.
08:52PM EDT - We're starting a little early. Amazing, talks are going by and not going over time allocated
08:53PM EDT - All about root of trust hardware
08:53PM EDT - Work between Google hardware and software teams
08:53PM EDT - trust and transparency are key terms throughout
08:54PM EDT - talk about motivation, integration, hardware, and community
08:54PM EDT - Problem: Security about firmware being compromised
08:55PM EDT - How do we know what is our equipment
08:55PM EDT - Solution is to tag every device
08:55PM EDT - Can we trust the boot chains? BIOS through to OS
08:55PM EDT - Solution: all boot code is signed and verified
08:55PM EDT - has to be vendor agnostic
08:56PM EDT - Conclusion: need root of trust
08:56PM EDT - Not the only company that has this conclusion
08:56PM EDT - Cloud security has many properties
08:56PM EDT - Trusted Machine Identity
08:57PM EDT - First Instruction Integrity
08:57PM EDT - Tamper-evident Logging
08:57PM EDT - -> All activities should be monitored
08:57PM EDT - A trusted implementation -> own and verify every piece from silicon to firmware
08:58PM EDT - If the silicon is the root of trust, it must be ground zero
08:58PM EDT - The chip has to have extneded trust through its lifetime
08:58PM EDT - This is all about having a silicon chip in the mix AS the root of trust
08:58PM EDT - Silicon needs physical security
08:58PM EDT - Development needs to be transparent
08:59PM EDT - Titan RoT chip sits between BMC and Boot Flash Firmware
08:59PM EDT - acts on the SPI, monitors all activities
09:00PM EDT - CPU starts with first boot instruction. All code needs to be signed on boot FW flash. Titan will then do firmware signature check. If all is good, then it will apply power to rest of system. Afterwards, will monitor firmware flash from unsigned firmware
09:00PM EDT - Microcontroller
09:00PM EDT - Secure and low power
09:01PM EDT - All about the system and archtiecture around it
09:01PM EDT - Wanted to own our own chip. Allowed better audit
09:01PM EDT - No solutions outside really had everything
09:02PM EDT - 32b microcontroller core, Boot ROM, flash for instructions and data, SRAM scratchpad, one-time programmable fuses
09:03PM EDT - Several crypto accelerators
09:03PM EDT - [this is slide 29 in the talk... my phone just crapped out and lost the photo]
09:04PM EDT - Surrounding the chip has a suite of physical defenses
09:04PM EDT - Livetime execution status checking
09:04PM EDT - Also has hardware alert response mechanisms
09:04PM EDT - Enables verified boot
09:05PM EDT - Principles move in the chain of trust from left to right
09:05PM EDT - Each stage needs to validate the next stage as approved
09:05PM EDT - HW and Boot Rom does most of the security settings. Eeducing the attack surface
09:05PM EDT - Reducing
09:05PM EDT - This is based on permission levels that decrease as you go on
09:05PM EDT - To physical banks of flash
09:06PM EDT - This allows one bank to be run, and an update to be installed into the other
09:06PM EDT - All this code is created and signed by Google
09:06PM EDT - extremely serious process
09:07PM EDT - lock out at any stage if a failure
09:08PM EDT - If both flash fail (shouldn't happen), then hardware is dead
09:08PM EDT - Boot ROM is immutable, set at tape-out time
09:09PM EDT - Trusted chip identity
09:09PM EDT - Each chip has a unique ID (usually a time stamp)
09:10PM EDT - Chip is personalized and registered internally so known in an offline database
09:10PM EDT - Pieces of identity come from the technology on the chip
09:10PM EDT - To subvert key manager, would have to attack lots of parts of the chip at once
09:10PM EDT - Export is disabled after manufacturing is complete
09:11PM EDT - Personalization firmware at manufacture, application firmware then replaces it
09:11PM EDT - Device life-cycle tracking
09:11PM EDT - Designate states for the chip
09:11PM EDT - Six stages
09:13PM EDT - Track states from blowing fuses. One way
09:13PM EDT - Prod and Dev are mutually exclusive states
09:15PM EDT - First Instruction Integrity
09:15PM EDT - snooping every bit on the SPI
09:15PM EDT - Can affect boot latency
09:15PM EDT - Physical countermeasures
09:15PM EDT - Still relevant in the datacenter
09:16PM EDT - Alert responder can do several actions based on alert
09:16PM EDT - Physical defences and online checks
09:16PM EDT - All clocks are generated internally
09:17PM EDT - Special interrupt designation
09:17PM EDT - Don't always trust the processor to respond - do it internally
09:18PM EDT - Open Titan - open sourcing the program
09:18PM EDT - Open ISAs, collaborative communities, RTL repositories, standard crypto (not proprietary)
09:19PM EDT - Using IP that's available today
09:19PM EDT - Providing a digital wrapper around the analog IP
09:19PM EDT - Created STWG
09:19PM EDT - Silicon Transparency Working Group
09:19PM EDT - lowRISC and ETH Zurich
09:20PM EDT - Time for Q&A
09:21PM EDT - Q: Can you provide all the security in one place? A: No. It's distributed security - be secure everywhere.
09:22PM EDT - Q: Is the implementation on a NIC card as per the image? A: It can be applied to a lot of different devices. When its on the device, it's linked to that device.
09:24PM EDT - Q: How does the temp sensing work? A: It depends on the place of the part. It can be configured, but needs to be realistic. In a datacenter, you're probably not at -40 C.
09:24PM EDT - Q: Power? A: 15mW
09:25PM EDT - Q: Does it rely on built-in self-test for security units? A: We use a long suite of manufacturing tests to guarantee the correctness of the chip
09:25PM EDT - A: Chip does the RNG and keys automatically. Manufacturer can't play with it
09:27PM EDT - Q: What would you say the next layer of vulnerability? The fabs? The CPU? A: The software is the weakest link - that's the biggest hammer at this point. If you spend time with security guys you eventually go paranoid !
09:27PM EDT - Q: What is the timer block? A: We have three clocks. Variable frequency for the crypto, Timer clock for talking to the outside world
09:28PM EDT - Q: Is that workgroup public? A: It will be, but not yet. Stay tuned, maybe next yearish
09:29PM EDT - That's a wrap for today. Next Live Blog is tomorrow morning on NVIDIA's NV Switch
8 Comments
View All Comments
Yojimbo - Monday, August 20, 2018 - link
How's your stomach holding up?https://www.google.com/url?sa=t&source=web&...
gsvelto - Tuesday, August 21, 2018 - link
If the lowRISC people are involved then there's a good chance that the controller is a RISC-V design.ABR - Wednesday, August 22, 2018 - link
They are shifting the attack surface around all right and shrinking the window on some vectors, but also increasing the scale of consequences of a root compromise. Whether there's a net gain in security is harder to say.abufrejoval - Friday, August 24, 2018 - link
Googles doesn't trust anyone but themselves.So how is anyone else supposed to trust Google?
Rooting is a right of man!
abufrejoval - Friday, August 24, 2018 - link
Want edit!jeremyshaw - Tuesday, October 9, 2018 - link
Well, this presentation just got a bit more timely, lol.LouisRam - Thursday, July 25, 2019 - link
Thanks for this article, it is very informative!If you want tips to get some Coin Master Spins for free see here: https://coinmasterwealth.com
LouisRam - Thursday, July 16, 2020 - link
This article is very informative. I've found all I wanted here.Read my blog, I do french tutorials about how to get spins in Coin Master https://coinmasterspinsgratuit.com