Protecting Edge & Confidential Computing Workloads with OCP Caliptra and Synopsys Programmable Root of Trust
As cybersecurity threats continue to evolve in complexity and sophistication, the need for robust, hardware-based security solutions has never been more pressing. Synopsys is at the forefront of addressing these challenges. Our latest endeavor is offering enhanced support for Open Compute Project Foundation (OCP) Caliptra use cases with the Synopsys tRoot hardware secure module IP, further augmented by Synopsys physical unclonable function (PUF) technology, to help protect the security of data center and high-performance computing (HPC) SoCs.
The programmable tRoot HSM, pre-integrated with Caliptra software and PUF technology, is designed to support out-of-the-box Caliptra Root of Trust for Measurement (RTM) functions including attestation, secure boot, and device identification, to deliver a robust and versatile end-to-end security solution. This security framework provides a secure foundation for data center, AI, and HPC applications, helping to ensure that devices are protected against sophisticated cyber threats.
Root of Trust Measurement and Attestation Solution
Synopsys' tRoot HSM for Caliptra provides a root of trust for measurement and attestation solution, which includes several critical features. The first feature is the PUF which leverages on-chip SRAM to generate a unique and unclonable device secret so that each device can be uniquely authenticated and securely managed.
Secondly, tRoot HSM supports firmware signing for boot flow attestation, which helps to ensure secure boot processes, firmware updates, and platform configuration register attestation. The HSM plays a crucial role in maintaining the integrity and trustworthiness of the device throughout its lifecycle. Additionally, Device Identifier Composition Engine (DICE) identity and attestation provides device identity within a secure environment, enhancing trust and security.
The tRoot HSM is designed to easily integrate into SoCs and safeguards against malicious attacks, featuring a Synopsys ARC security processor with side channel protection, tamper resistance, and hardware isolation for multiple security privilege levels as well as scalable cryptography, helping to ensure resilience against advanced attacks.
The hardware also includes various interconnects and debug interfaces, such as private APB for PUF, AHB for mailbox and system bus access, and a JTAG interface for debugging. Random number generation is handled by Synopsys’ NIST-compliant True Random Number Generator (TRNG), helping to ensure the generation of secure and unpredictable random numbers.
Pre-Integrated and Verified
The entire solution is pre-integrated and verified on Synopsys' internal development platform to accelerate deployment. It includes a bitfile for an FPGA-based software development board (Xilinx Ultrascale, ZCU 10x). The verification process includes rigorous testing to ensure that all components function correctly and securely.
Comprehensive Software Components
Synopsys tRoot HSM provides a range of software components to complement the hardware for seamless integration and robust security. The tRoot standard SDK includes platform drivers, libraries, services, and examples, providing developers with the tools they need to integrate and utilize the tRoot HSM effectively. This SDK enables developers to quickly start implementing secure solutions. The PUF standard SDK contains drivers and examples for leveraging PUF technology, enabling developers to generate and manage unique device secrets securely.
The tRoot Caliptra service/middleware provides libraries and services that enhance the overall functionality of the security solution. The application software includes the Caliptra boot ROM, first mutable code, and runtime software.
The development and provisioning tools include the Synopsys ARC MetaWare SDK and provisioning tools for firmware signing, key and certificate generation, and more, providing a comprehensive suite of tools for developers to create and provision secure devices.
Conclusion
Synopsys' tRoot HSMs with Caliptra RTM support, augmented by SRAM-based PUF, represent a significant advancement for SoC security in data center and HPC applications. By providing a comprehensive and multi-layered security solution, Synopsys is addressing the complex and evolving challenges of cybersecurity in the modern world, including verifiable cryptographic assurances of workload protection mechanisms to ensure the authenticity and integrity of data center SoCs. This integrated approach not only enhances the security of individual devices but also provides a scalable and flexible foundation for securing a wide range of applications across various industries.