服务器平台集中式系统安全中心.pdf

《服务器平台集中式系统安全中心.pdf》由会员分享，可在线阅读，更多相关《服务器平台集中式系统安全中心.pdf（14页珍藏版）》请在三个皮匠报告上搜索。

1、Phanikumar KancharlaCraig BarnerServer HW Security HubServer HW Security HubPhanikumar KancharlaCraig BarnerSecurityRisk:Keys managed by software modules for DRAM,MACSec,PCIe,CXL encryptionCaliptra and L.O.C.K.solving the similar problem for Storage devices(NVMe,SED)Solution ProposalEnhance Caliptra

2、+KMB to generate or receive keys.Develop a secure interconnect b/w Caliptra and SoC Blocks to deliver the keysServer HW Security Hub-RecapImproves NVMe/SED securityPrevents leakage of MEKs via firmware vulnerabilities or side channelsVerifiable cryptographic erase of disk driveOptional configuration

3、 of Caliptra Subsystem 2.1+Caliptra,as KMB,is the sole entity with access to MEKsMEK transfer over HW interface from Caliptra Core to SED encryption engineMCU exposes the software interface Implements a key hierarchy linking with user pin based access locksOCP L.O.C.KL.O.C.K.KMB Storage Device Focus

4、edGenerate,Derive,and StoreTrusted Key DistributionAccess Control Enforcement DRBG to generate MPK Fuse based storage(HEK)KDFs to derive MEK SW/FW can access only encrypted keys Plain keys are written only to Crypto Engines Authorized mailbox communication Defined key usage Multiparty Controlled MEK

5、sLifecycle Management Cryptographically verifiable State.HEK is zeroized to crypto erase disk Ephemeral and Session keys are zeroed after use or cold resetCurrent security design principals+Standard Key Management PoliciesoCKMS Metadata and BindingsStandard Crypto AlgorithmsoSP 800-108,SP 800-56C KD

6、Fs oSP 800-232 ASCONSecure Key delivery to all HW componentsKMB for PlatformProcessor coreMACSec(Ethernet)KeysDRAM ControllerKeysPCIeControllerKeysCrypto AcceleratorKeysKMBOverview of a large SOCIO BridgecorecorecorecorecorecorecorecorecorecorecorecoreDRAMKeysDRAMKeysDRAMKeysDRAMKeysDRAMKeysDRAMKeys