Google and a group of partner organizations are launching a new project to build an open-source hardware root of trust, aiming to provide a secure chip for cloud providers, data center operators, and others to use in high-performance environments.
For years, Google has used its own custom-built chip called Titan in the servers that populate its data centers around the world. The Titan chip is a tiny secure microcomputer that serves a number of purposes in Google’s cloud servers, most importantly to ensure that servers boot from a known secure state and that the code they run is cryptographically verified. Google designs and builds its own servers, and the Titan chip is likewise built to Google’s own specifications. The company also has a version of the chip, called the Titan M, in some of its Pixel Android phones.
The new project that Google launched Tuesday is called OpenTitan and it’s a collaboration with several technology partners, including Western Digital and ETH Zurich, a technical university in Switzerland. The aim is to provide an open-source specification for a secure silicon design, and the chip will be based on the Ibex open-source processor from ETH Zurich. The project will be managed by lowRISC, a not-for-profit company in the UK whose own engineering staff will collaborate with Google and the other OpenTitan partners.
“OpenTitan is an active engineering project staffed by a team of engineers representing a coalition of partners who bring ideas and expertise from many perspectives. We are transparently building the logical design of a silicon RoT, including an open source microprocessor (the lowRISC Ibex, a RISC-V-based design), cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more. With OpenTitan, a coalition of partners have come together to deliver a more open, transparent, and high-quality RoT,” Royal Hansen, vice president at Google, and Dominic Rizzo, OpenTitan lead at Google Cloud, said in a post.
Although software-based attacks are far more prevalent than those targeting hardware, high-level attack groups are known to have capabilities against hardware systems as well. Some APT groups have been successful in targeting vulnerabilities in specific hardware platforms and processors, and there are other concerns about hardware security, too. The last couple of years have seen a steady string of revelations about side-channel weaknesses such as Spectre and Meltdown in various chipsets that allow attackers to steal secret information through complex attacks.
But perhaps the most difficult problem related to hardware security is supply chain attacks. Hardware devices such as phones and laptops comprise a large number of individual components, which often are designed and built by many different companies and then eventually assembled into their final form. The various suppliers and manufacturers could be in several different countries, and keeping tight control and oversight of the processes and security protocols in all of those facilities can be next to impossible. Compromising one of the links in that chain to insert a small change could allow an adversary to gain access to a target line of devices.
By developing and publishing an open design specification for the OpenTitan chip, Google and its partners are hoping to take some of the concerns about deep-seated security vulnerabilities off the table.
“OpenTitan monitors the computer as it starts up – in what is known as the boot process. Like a newborn baby, a computer requires special protection in the seconds after it is switched on. The 'firmware' – that is, the software that controls the boot process – is active before the antivirus software is operational, for example. Many attacks therefore target these first few seconds and attempt to compromise the firmware,” Luca Benini, a professor at the Institute for Integrated Systems at ETH Zurich, said in an interview on the university’s site.
“If this attempt succeeds, the attackers can take control of the system without being noticed. OpenTitan checks whether the code generated by the firmware matches the expected code. If it doesn’t, the boot process is terminated.”
The OpenTitan project code is available on GitHub now.