What is open source silicon root of trust? [Q&A]

You may have come across the term 'root of trust', it’s a source, such as a hardware module, that can always be trusted within a cryptographic system. The system trusts the keys and other cryptographic information it receives from the root of trust module as always authentic and authorized.

Mostly this involves being tied into a specific vendor, but OpenTitan has developed an open source silicon root of trust for use in for use in data center servers, storage, peripherals, and more.

We spoke to project director Dominic Rizzo to find out how it works.

BN: In a few sentences, and at a high-level, what is a root of trust (RoT) and why does it matter?

DR: A silicon root of trust (RoT) is the foundation of secure computing. The RoT anchors the chain of trust in the silicon below the operating system, ensuring the overall security and reliability of the computing environment -- just like the roots of a tree hold up the whole trunk.

A system with a silicon RoT can ensure all subsequent operations and processes are verified and considered trustworthy. It can also provide secondary security functions like storing critical secrets and security parameters, providing mathematically certain guarantees of authenticity, or hosting crucial apps.

BN: What are the features and benefits of a silicon RoT?

DR: A silicon RoT refers to a hardware-based implementation integrated directly into the silicon -- the microprocessor or chip -- itself. If you can imagine a chip as a command center, then a silicon RoT is like the safe inside the concrete bunker protecting the most critical of state secrets.

A high quality hardware RoT is designed to be extremely secure, physically and logically tamper-resistant, and able to attest to both its own authenticity and the origin of the software it executes. While all modern devices inherently contain a root of trust, an explicit silicon RoT is used in systems where the trustworthiness of the platform is crucial. These include secure communication systems, critical infrastructure, safety-critical embedded systems, and IoT devices.

Placing the RoT at the hardware level makes it inherently more resistant to attacks than software-based solutions. Silicon RoTs enable cryptography, such as encryption, secure key storage and digital signatures. An overwhelmingly important application is secure boot, ensuring the integrity of the entire software stack that comes after initial start-up.

BN: Why is having an open implementation important?

DR: The transparency inherent in an open source RoT promotes collaboration, flexibility, and trust in its security mechanisms. This transparency is a necessary prerequisite to building truly trustworthy systems.

Open implementations encourage collaboration among experts across different organizations and communities, enabling contributors to work toward a common good while meeting their specific goals. This group effort encourages innovation by sharing best practices and diverse perspectives for collective problem-solving. Secure subsystem use cases and requirements vary widely across industries, but open implementations enable the customization of security solutions to meet specific application needs. A high quality open implementation like OpenTitan can also serve as an industry-relevant research platform, being a demonstrator for the latest secure system design techniques and improvements.

The best way to build a truly secure system is to set it as an explicit goal from the start, and develop the design with the aid of security and cryptography domain experts. That is, following 'secure-by-design' or 'secure-by-default' techniques as a best practice. Another factor, especially for very active open source projects, is the 'many eyes' property of having the design, source code, and documentation publicly available. This enables experts and non-experts alike to scrutinize the implementation for vulnerabilities, and ideally file timely bug reports to increase the overall quality.

Further, the open nature of the implementation (assuming appropriate committer policies like two-person commit sign-off) radically increases the exposure risk to any malicious behaviors. This is one mechanism by which open source implementations can help minimize supply chain security risks.

BN: Can you detail some of the latest milestones in this area?

DR: OpenTitan publicly launched in 2018 as the first open source silicon root of trust -- a major milestone. Since then, OpenTitan has been responsible for the creation of the Silicon Commons, the development of the RISC-V Ibex core, and successful tapeout of the first commercially relevant open source chip, OpenTitan's 'Earl Grey'.

The Silicon Commons is the term we use for the collection of technologies, methodologies and processes we leverage to coordinate the development of the OpenTitan chip and family of design collateral across organizations, time zones and cultures.

A key aspect is our open source design verification methodology, developed to ensure the quality of the OpenTitan design family. Suffice to say, the methodology is quite robust, enabling both random and specific testing over both blocks and the entire chip top-level. OpenTitan regression testing results are posted to a public dashboard on a daily basis.

This sort of sophisticated testing and transparency is one of the ways in which OpenTitan is able to provide principled design value on par with any proprietary chip.

Ibex is an open source 32-bit RISC-V core we developed for OpenTitan, which is freely available for use and follows the same design verification principles. It extends the highly capable ETH Zürich zero-riscy core with both further design verification and additional security features. One benefit of Ibex is its customizability, enabling developers to re-use it in other contexts than OpenTitan to meet their individual specifications. We consider Ibex’s reuse and remixing within the broader open source ecosystem to be a major success of the OpenTitan project and the entire open silicon community.

Most recently, and our biggest milestone to date, was our successful tapeout -- this means the design is at the silicon foundry, producing actual chips -- of the ‘Earl Grey’ discrete root of trust chip. This means that we will have chips in hand in 2023 and available for system integration soon!

BN: What is the future of Open Source Silicon RoT?

DR: The goal is for OpenTitan chips to help secure devices and enable trust in the supply chain, the entire supply chain, a goal rapidly approaching success. In the meantime, project development continues apace.

Starting with the 'Earl Grey' discrete root of trust, we are rapidly developing our first integrated root of trust subsystem, 'Darjeeling.' Once it reaches the required maturity bar, we will publicly launch it for inclusion into larger SoCs.
With the challenges that many organizations are facing in securing IoT devices, it is safe to say that an open source silicon RoT is a new, positive turn in the fight for improved cybersecurity.

Looking further into the future, to threats on the horizon, it is worth mentioning that OpenTitan has been designed with post-quantum security in mind from the start. Our first chip is launching with a post-quantum safe, stateless hash-based (SPHINCS+) secure boot implementation. We accomplished this by collaborating with some of the top cryptography researchers in the world to ensure that OpenTitan remains resilient in the face of future threats and believe that OpenTitan's open nature ensures that we will always be on the cutting edge of cybersecurity defense deep within the silicon.

Photo Credit: Sarawut Aiemsinsuk/Shutterstock

Comments are closed.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.