Hot Chips 2018: Google Titan Live Blog (6pm PT, 1am UTC)

08:52PM EDT - The second talk on security is on Google's Titan Root-of-Trust silicon that sits between the BIOS and the processor on its custom systems.

08:52PM EDT - We're starting a little early. Amazing, talks are going by and not going over time allocated

08:53PM EDT - All about root of trust hardware

08:53PM EDT - Work between Google hardware and software teams

08:53PM EDT - trust and transparency are key terms throughout

08:54PM EDT - talk about motivation, integration, hardware, and community

08:54PM EDT - Problem: Security about firmware being compromised

08:55PM EDT - How do we know what is our equipment

08:55PM EDT - Solution is to tag every device

08:55PM EDT - Can we trust the boot chains? BIOS through to OS

08:55PM EDT - Solution: all boot code is signed and verified

08:55PM EDT - has to be vendor agnostic

08:56PM EDT - Conclusion: need root of trust

08:56PM EDT - Not the only company that has this conclusion

08:56PM EDT - Cloud security has many properties

08:56PM EDT - Trusted Machine Identity

08:57PM EDT - First Instruction Integrity

08:57PM EDT - Tamper-evident Logging

08:57PM EDT - -> All activities should be monitored

08:57PM EDT - A trusted implementation -> own and verify every piece from silicon to firmware

08:58PM EDT - If the silicon is the root of trust, it must be ground zero

08:58PM EDT - The chip has to have extneded trust through its lifetime

08:58PM EDT - This is all about having a silicon chip in the mix AS the root of trust

08:58PM EDT - Silicon needs physical security

08:58PM EDT - Development needs to be transparent

08:59PM EDT - Titan RoT chip sits between BMC and Boot Flash Firmware

08:59PM EDT - acts on the SPI, monitors all activities

09:00PM EDT - CPU starts with first boot instruction. All code needs to be signed on boot FW flash. Titan will then do firmware signature check. If all is good, then it will apply power to rest of system. Afterwards, will monitor firmware flash from unsigned firmware

09:00PM EDT - Microcontroller

09:00PM EDT - Secure and low power

09:01PM EDT - All about the system and archtiecture around it

09:01PM EDT - Wanted to own our own chip. Allowed better audit

09:01PM EDT - No solutions outside really had everything

09:02PM EDT - 32b microcontroller core, Boot ROM, flash for instructions and data, SRAM scratchpad, one-time programmable fuses

09:03PM EDT - Several crypto accelerators

09:03PM EDT - [this is slide 29 in the talk... my phone just crapped out and lost the photo]

09:04PM EDT - Surrounding the chip has a suite of physical defenses

09:04PM EDT - Livetime execution status checking

09:04PM EDT - Also has hardware alert response mechanisms

09:04PM EDT - Enables verified boot

09:05PM EDT - Principles move in the chain of trust from left to right

09:05PM EDT - Each stage needs to validate the next stage as approved

09:05PM EDT - HW and Boot Rom does most of the security settings. Eeducing the attack surface

09:05PM EDT - Reducing

09:05PM EDT - This is based on permission levels that decrease as you go on

09:05PM EDT - To physical banks of flash

09:06PM EDT - This allows one bank to be run, and an update to be installed into the other

09:06PM EDT - All this code is created and signed by Google

09:06PM EDT - extremely serious process

09:07PM EDT - lock out at any stage if a failure

09:08PM EDT - If both flash fail (shouldn't happen), then hardware is dead

09:08PM EDT - Boot ROM is immutable, set at tape-out time

09:09PM EDT - Trusted chip identity

09:09PM EDT - Each chip has a unique ID (usually a time stamp)

09:10PM EDT - Chip is personalized and registered internally so known in an offline database

09:10PM EDT - Pieces of identity come from the technology on the chip

09:10PM EDT - To subvert key manager, would have to attack lots of parts of the chip at once

09:10PM EDT - Export is disabled after manufacturing is complete

09:11PM EDT - Personalization firmware at manufacture, application firmware then replaces it

09:11PM EDT - Device life-cycle tracking

09:11PM EDT - Designate states for the chip

09:11PM EDT - Six stages

09:13PM EDT - Track states from blowing fuses. One way

09:13PM EDT - Prod and Dev are mutually exclusive states

09:15PM EDT - First Instruction Integrity

09:15PM EDT - snooping every bit on the SPI

09:15PM EDT - Can affect boot latency

09:15PM EDT - Physical countermeasures

09:15PM EDT - Still relevant in the datacenter

09:16PM EDT - Alert responder can do several actions based on alert

09:16PM EDT - Physical defences and online checks

09:16PM EDT - All clocks are generated internally

09:17PM EDT - Special interrupt designation

09:17PM EDT - Don't always trust the processor to respond - do it internally

09:18PM EDT - Open Titan - open sourcing the program

09:18PM EDT - Open ISAs, collaborative communities, RTL repositories, standard crypto (not proprietary)

09:19PM EDT - Using IP that's available today

09:19PM EDT - Providing a digital wrapper around the analog IP

09:19PM EDT - Created STWG

09:19PM EDT - Silicon Transparency Working Group

09:19PM EDT - lowRISC and ETH Zurich

09:20PM EDT - Time for Q&A

09:21PM EDT - Q: Can you provide all the security in one place? A: No. It's distributed security - be secure everywhere.

09:22PM EDT - Q: Is the implementation on a NIC card as per the image? A: It can be applied to a lot of different devices. When its on the device, it's linked to that device.

09:24PM EDT - Q: How does the temp sensing work? A: It depends on the place of the part. It can be configured, but needs to be realistic. In a datacenter, you're probably not at -40 C.

09:24PM EDT - Q: Power? A: 15mW

09:25PM EDT - Q: Does it rely on built-in self-test for security units? A: We use a long suite of manufacturing tests to guarantee the correctness of the chip

09:25PM EDT - A: Chip does the RNG and keys automatically. Manufacturer can't play with it

09:27PM EDT - Q: What would you say the next layer of vulnerability? The fabs? The CPU? A: The software is the weakest link - that's the biggest hammer at this point. If you spend time with security guys you eventually go paranoid !

09:27PM EDT - Q: What is the timer block? A: We have three clocks. Variable frequency for the crypto, Timer clock for talking to the outside world

09:28PM EDT - Q: Is that workgroup public? A: It will be, but not yet. Stay tuned, maybe next yearish

09:29PM EDT - That's a wrap for today. Next Live Blog is tomorrow morning on NVIDIA's NV Switch