Google: Mitigating risk in the hardware supply chain

March 28, 2019 ~ hucktech ~ Leave a comment

Google has a new blog post talking about supply-chain security and their Titan chip.

[…]One area where we’ve put a lot of thought, and which we continue to focus on, is the security of our hardware supply chain. Today, I’d like to go into a few of the things we do specifically in this area.[…]

https://cloud.google.com/blog/products/identity-security/mitigating-risk-in-the-hardware-supply-chain

Google Titan trust paper available

September 30, 2017 ~ hucktech ~ Leave a comment

Google Titan "A Vendor-Agnostic Root of Trust for Measurement" paper: https://t.co/Zpms2Ti56f

— Steve Weis (@sweis) September 29, 2017

A Vendor-Agnostic Root of Trust for Measurement
Jon McCune, Rick Altherr
We report the success of a project that Google performed as a proof-of-concept for increasing confidence in first-instruction integrity across a variety of server and peripheral environments. We begin by motivating the problem of first-instruction integrity and share the lessons learned from our proof-of-concept implementation. Our goal in sharing this information is to increase industry support and engagement for similar designs. Notable features include a vendor-agnostic capability to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or device-specific integrity mechanisms, thereby providing additional defense-in-depth.

https://research.google.com/pubs/pub46352.html

https://research.google.com/pubs/archive/46352.pdf

Yuriy of Eclypsium has a few comments on the doc, click on below tweet for thread:

As I thought, Titan is interposing on the SPI for system firmware (eg UEFI), BNC firmware, etc. https://t.co/N4e8AKo7xz

— Yuriy Bulygin (@c7zero) September 30, 2017

more on Google Titan

August 24, 2017August 24, 2017 ~ hucktech ~ Leave a comment

These are the slides of our research referenced in Titan firmware security chip for Google's Cloud Platform https://t.co/2iOoELk20G [pdf] https://t.co/jEXRRmnwhG

— Yuriy Bulygin (@c7zero) August 24, 2017

Earlier I pointed out some Google Titan info but didn’t have much info on it:

https://firmwaresecurity.com/2017/08/06/google-titan-secure-microcontroller/

(nobody left a comment, but a few people commented on it on Twitter.)

In the last few days, there’s more info available now:

https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-security-in-plaintext.html

https://www.blog.google/topics/google-cloud/bolstering-security-across-google-cloud/

https://cloud.google.com/security/

probably unrelated?:
https://github.com/GoogleCloudPlatform/titan

Google “Titan” secure microcontroller

August 6, 2017 ~ hucktech ~ Leave a comment

Google Titan Key:
Implemented with Google’s “Titan” secure microcontroller and custom firmware,
the Titan Key is a FIPS-compliant Universal 2nd Factor (U2F) authenticator and hardware root of trust.

http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgnewval.html

If you have some pointers to this hardware, please leave a Comment.