SAN JOSE, California — Security is the “missing piece” of Microsoft’s open hardware project, according to a Microsoft executive at the Open Compute Project (OCP) Summit. The company and other OCP members are currently working to implement Project Cerberus, its open hardware security initiative, and Microsoft hopes it will become an industry standard for platform security.
“We envisioned a leading-edge server design with the flexibility to accommodate a broad variety of workloads for the cloud of today and tomorrow and one that could easily scale to data centers across the globe,” wrote Kushagra Vaid, general manager for Microsoft’s Azure hardware infrastructure, in a November 2017 blog post.
In the same post, Vaid announced Project Cerberus, a hardware root of trust aligned with NIST SP 800-193 (Platform Firmware Resiliency Guidelines) and designed to protect all platform firmware. “It provides a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Option ROMs) as well as on peripheral I/O devices by enforcing strict access control and integrity verification from pre-boot and continuing to runtime,” he wrote.
At the OCP Summit this week, Badriddine Khessib, director in the platform engineering group at Microsoft, provided more details about the open source hardware security specifications.
“There is no firmware security today,” he said. “That’s why we proposed Project Cerberus. We wanted the industry to essentially wake up and take security seriously. The hardware tends to be sitting at the bottom of the stack, but there are a lot of attacks that can be leveled at the hardware, from denial of service to compromised customer data.”
Microsoft contributed an initial draft and specifications for motherboard firmware security to the open source community last year. OCP established a committee to move the project forward, and Microsoft is working with other companies including Intel, Facebook, and Google to implement the security architecture.
Specs Under Development
The complete Project Cerberus specifications are still under development, but Microsoft plans to contribute them to OCP, too.
It can protect platform firmware against unauthorized access and malicious updates, Khessib said. “It does protection, it does detection, and it does recovery,” he said. “It’s tamper proof so you cannot attack it physically.”
It’s also platform agnostic and works with Intel, Arm, AMD, or any other processors, he added.
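To make the protect/detect/recover cycle described above concrete, here is an added illustration, not Cerberus code or any Microsoft or OCP specification: a simplified model of a firmware root of trust that measures each flash region before the host leaves reset, restores a golden image when a measurement does not match, and refuses update requests for images that are not allow-listed. The firmware images, region names and the digest allow-list are constructed for the example; a real design such as Cerberus would anchor that allow-list in a signed manifest verified with a key held by the root of trust rather than in a plain table.

```python
"""Simplified model of a platform-firmware root of trust (added example, not Cerberus code).

Protect:  only allow-listed images can be written to active flash.
Detect:   every region is measured (SHA-256) before the host is released from reset.
Recover:  a region whose digest is not allow-listed is restored from a golden image.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample firmware images (stand-ins for real BIOS/BMC binaries).
BIOS_V1 = b"UEFI BIOS v1.0 (constructed sample image)"
BMC_V1 = b"BMC firmware v1.0 (constructed sample image)"
BMC_V2 = b"BMC firmware v2.0 (constructed sample image)"
BMC_IMPLANT = b"BMC firmware v1.0 (constructed sample image) + implant"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class FlashRegion:
    name: str
    active: bytes    # image the host or BMC will execute
    recovery: bytes  # golden image in RoT-controlled, write-protected storage


@dataclass
class RootOfTrust:
    # Hypothetical allow-list of digests per region. A production design would
    # derive this from a signed manifest checked with a key rooted in the RoT;
    # here the table itself is treated as trusted to keep the example short.
    trusted_digests: dict[str, set[str]]
    event_log: list[tuple[str, str, str]] = field(default_factory=list)

    def verify(self, region: FlashRegion) -> bool:
        """Detect: measure the active image and compare against the allow-list."""
        digest = sha256_hex(region.active)
        ok = digest in self.trusted_digests.get(region.name, set())
        self.event_log.append((region.name, digest, "ok" if ok else "mismatch"))
        return ok

    def pre_boot(self, regions: list[FlashRegion]) -> dict[str, str]:
        """Measure every region while the host is held in reset; recover on mismatch."""
        outcome: dict[str, str] = {}
        for region in regions:
            if self.verify(region):
                outcome[region.name] = "verified"
                continue
            region.active = region.recovery  # Recover: restore the golden image
            outcome[region.name] = "recovered" if self.verify(region) else "failed"
        return outcome

    def host_may_boot(self, outcome: dict[str, str]) -> bool:
        """Release the host from reset only if no region is left unverified."""
        return all(state != "failed" for state in outcome.values())

    def request_update(self, region: FlashRegion, candidate: bytes) -> bool:
        """Protect: the only write path to active flash, and it checks the allow-list."""
        digest = sha256_hex(candidate)
        if digest not in self.trusted_digests.get(region.name, set()):
            self.event_log.append((region.name, digest, "update rejected"))
            return False
        region.active = candidate
        self.event_log.append((region.name, digest, "updated"))
        return True


def build_platform() -> tuple[RootOfTrust, list[FlashRegion]]:
    """Constructed platform: one BIOS region and one BMC region, both on golden images."""
    rot = RootOfTrust(trusted_digests={
        "bios": {sha256_hex(BIOS_V1)},
        "bmc": {sha256_hex(BMC_V1), sha256_hex(BMC_V2)},
    })
    regions = [FlashRegion("bios", BIOS_V1, BIOS_V1),
               FlashRegion("bmc", BMC_V1, BMC_V1)]
    return rot, regions


def run_demo() -> dict[str, object]:
    rot, regions = build_platform()
    bmc = regions[1]
    bmc.active = BMC_IMPLANT                      # attacker writes flash directly
    outcome = rot.pre_boot(regions)               # implant detected, BMC restored
    rejected = not rot.request_update(bmc, BMC_IMPLANT)  # non-allow-listed image refused
    accepted = rot.request_update(bmc, BMC_V2)            # allow-listed image accepted
    return {"outcome": outcome, "boot": rot.host_may_boot(outcome),
            "rejected": rejected, "accepted": accepted,
            "bmc_is_v2": bmc.active == BMC_V2, "events": list(rot.event_log)}


if __name__ == "__main__":
    for line in run_demo()["events"]:
        print(*line)
```

The point of the model is the division of labour: the host and BMC never see flash until the root of trust has measured it, the golden image lives where only the root of trust can write, and the update path is the single place where new content enters active flash. Replacing the digest table with a signed manifest changes how trust is established, not the control flow.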
Also at the OCP Summit, Microsoft announced Project Denali. Its purpose is to create a new standard for solid-state drive (SSD) storage specifically targeted at cloud workloads. Denali is based on a modular architecture that disaggregates flash storage into two layers.