Upload File

secure-boot on ocp nic…secure-boot on ocp nic prevent supply-chain and cloning attacks yuval itkin...

  • Home
  • Documents
  • Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security
11

Upload: others

Post on 27-Apr-2020

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security
Page 2: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks

Yuval Itkin – Distinguished ArchitectElad Wind – Director, Solutions Engineer

Server/Storage/Security

Page 3: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

• Hardware attacks are part of the datacenters security threat landscape

1. Tampering with supply chain elements2. Cloning devices

• Secure Boot addresses supply chain attacks – but not cloning

• NICs must combine Secure Boot with Cloning Protection to prevent both attack methods

SECURITY

WHITE PAPERS (IN PROCESS)

NICs Are A Target for Attacks

Page 4: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Secure Boot

• NIST Special Publication SP800-193“Platform Firmware Resiliency Guidelines”

• Using Secure-boot assures that only properly signed firmware images can be loaded into a device

• Devices can only authenticate the signature using a pre-provisioned public key

Page 5: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Cloning Protection

• Datacenters may provision different rights per device-ID

• Vendors may enable capabilities using firmware image

• Cloning Protection prevents hardware replicas

• Cloning Protection mandates using an embedded device-unique key

2 Methods to Prevent Cloning

1. Attestation protocol

2. Device-based cloning protection during secure boot

Page 6: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

1. Attestation Based Cloning Protection

• Devices are individually provisioned to the systems installed in using its Device-Secret and firmware image

• Device provides firmware measurements based on its Device Secret

* See more information in RIoT Paper

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/RIoT20Paper-1.1-1.pdf
Page 7: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

2. HW RoT Based Cloning Protection

• The device-unique key is inaccessible and invisible to the external world

• Hardware RoT verifies the firmware using a runtime-calculated device-specific signature against an off-chip stored signature

• Note: this method mandates devices to embed the cloning-protection signature during firmware update

Page 8: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Mellanox OCP NIC 3.0 Cards

Page 9: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Mellanox OCP NICs

OCP NIC 3.0 specifications opencompute.org/wiki/Server/Mezz

Mellanox OCP Products mellanox.com/ocp

Mellanox OCP-inspired

opencompute.org/products?query=mellanox

https://www.opencompute.org/wiki/Server/Mezz
http://www.mellanox.com/ocp/
https://www.opencompute.org/products?query=mellanox
Page 10: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Choose NICs combining Secure Boot with Cloning Protection

Call To Action

• Secure Boot alone doesn’t solve hardware attacks

• Cloning Protection using attestation protocol requires keeping a log of device-secrets

• Prefer Device-based Cloning Protection

Project Specification: opencompute.org/wiki/Security

opencompute.org/wiki/Security
Page 11: Secure-Boot on OCP NIC…Secure-Boot on OCP NIC Prevent Supply-Chain and Cloning Attacks Yuval Itkin –Distinguished Architect Elad Wind –Director, Solutions Engineer Server/Storage/Security

Gaelic Mass - OCP | OCP

TE CONNECTIVITY’S SLIVER 2.0 CONNECTOR … … · • GP-GPU • Flash Storage Carrier ... Reference Applications: • OCP pluggable NIC form factor • X16 4C+: supports x8 and

· PDF fileoutline dimensions o model type ocp-25 1050 750 2070 720 320 350 ocp ocp-35 ocp-60 ocp-80 ocp-iio ocp-160 ocp-200 unit: mm ocp-260 ocp-45 s 250

Saints Peter and Paul Gloria - OCP | OCP

fibb bGLe01J6L ocp LlJSIJÈs bunsc- bLOlGIÇG$ ocp ocp ... · fibb bGLe01J6L ocp LlJSIJÈs bunsc- bLOlGIÇG$ ocp ocp p6LgugqG prJL SIJ- ASL bs 2SIJqLS web eow KSIJSI- PSIJq IJJGq

OCP NIC 3.0 Collaboration - Open Compute Project · 2018-05-29 · •Connector placement •Specification quality . 6 OCP NIC 3.0 Milestones 2017 2018 Setup Subgroup Mailing list

11056930 Existing OCP Certificate Enhancement OCP legacy

OUT = 100 MHz NIC = 100 MHz 30 29 28 27 26 25 …...NIC 5 VD3 6 NIC 7 NIC 8 NIC 1 17 GND 18 IF2 19 GND 20 IF1 21 GND 22 NIC 23 NIC 24 25 NIC 26 NIC 27 NIC 28 VD2 29 VD1 30 NIC 31 NIC

Boot Version 10.0 for NIC, iSCSI, and FCoE Protocols User ... · P009813-01A Rev. A Emulex Connects™ Servers, Storage and People Boot Version 10.0 for NIC, iSCSI, and FCoE Protocols

Boot Version 10.6 for NIC, iSCSI, FCoE, and RoCE Protocols ...manuals.ts.fujitsu.com/file/12306/emulex-bootcode-ug-en.pdf · Boot Version 10.6 for NIC, iSCSI, FCoE, and RoCE Protocols

11056930 Existing OCP Certificate Enhancement OCP legacy ...yanmar-computer.info/images/OCJPGOLDEN.pdf · Title: 11056930 Existing OCP Certificate Enhancement_OCP_legacy_live copy

Multi-mode OCP NIC 3.0 card Hardware management...OCP NIC 3.0 over 3 signals called BIF[2:0] 2. OCP NIC 3.0 cards provide card’s capabilities using 4 signals PRSTNT[3:0] on each

OCP-E-TW - Chin Fong · OCP-25 OCP-35 OCP-45 OCP-60 OCP-80 OCP-IIO OCP-160 OCP-200 OCP-260 mm mm mm ton mm mm 5x4 800 260 5x4 7_5x4 800 300 26 335x230 3.6 350035 7_5x4 830 345 63

OCP International Partnership © 2011 OCP-IP Corporate Introduction Ian R. Mackintosh President, OCP-IP

NIC Safe Mode...A need for NIC Safe Mode When badly-configured NIC prevents a server boot, alternatives are limited 1. Allow modifying bad-configuration via the BMC • Not all system

Ucluelet OCP

PREVIEW Gaelic Mass - OCP | OCP

GUITAR - OCP | OCP

Ocp application

OCP - FlyDubai

OCP Overview

OCP BusinessReport

Boot for NIC, iSCSI, and FCoE Protocols User Manual · 2019-04-25 · Boot for NIC, iSCSI, and FCoE Protocols User Manual P008727-01A Rev. A Table of Contents 4 Installing a New Windows

h = ca. 44) Preview - OCP | OCP

Boot Version 10.2 for NIC, iSCSI, FCoE, and RoCE Protocols User … · 2019-04-24 · PXE Boot Process ... Configuring Boot from SAN on Windows (UEFI).....68 Installing a New Windows

Boot Version 10.2 for NIC, iSCSI, FCoE, and RoCE Protocols ...manuals.ts.fujitsu.com/file/11701/emulex-bootcode-ug-en.pdfBoot Version 10.2 for NIC, iSCSI, FCoE, and RoCE Protocols

Canticle of Mary - OCP | OCP

Acclaims - OCP | OCP

10mba019- OCP

OCP NIC 3.0 Power with Intel Products Paul Kappler, Intel

OCP NIC 3.0 Collaboration… · 2018-10-17 · NIC 3.0 Module Sizes. 2.75mm card guide keep out. 2.75mm card guide keep out. subtract 5.5mm from width (card guide) subtract 6mm from

ˆ % /%(%) ˚1 - OCP | OCP

9 GHz to 10 GHz, X-Band, GaAs, MMIC, Low Noise Converter ... · 17 1 3 4 2 9 nic nic lna_vg1 nic 5 6 rfin nic vctrl 7 nic 8 nic 18 nic 19 nic 20 loin 21 nic 22 nic 23 buff_vd 24 nic

sheet OCP music - OCP | OCP

Facebook OCP Server Hardware - circleb.eu · –OCP Mezzanine NIC • Manufactured by WiWynn. Lightning (NVMe in Open Vault) •JBOF storage attach to Open Compute Server over PCIe