Key members of the Open Compute Project have come together to create a new open specification for a silicon Root of Trust, called Caliptra, that’s designed to meet the enhanced security requirements of modern edge and confidential computing use cases.
Announced today at the OCP Global Summit in San Jose, California, Caliptra is said to define a reusable drop-in silicon code block for root of trust measurement that can be integrated into any modern application-specific integrated circuit or system-on-chip, including new central processing units, graphics processing units, solid state drives and network interface controllers. The main purpose of Caliptra is to provide verifiable cryptographic assurances of an ASIC’s or SoC’s security configuration, with an in-chip mechanism for ensuring boot code is trusted.
The OCP explains that hardware RoT is a concept that relates to a set of security properties that anchor the security of an SoC into its hardware. In this way, the RoT cryptographically guarantees an SoC’s security configuration and workload protection mechanisms, ensuring that only trusted firmware can execute on the chipset.
RoT therefore serves as a set of primitives that form the foundation of more advanced security features for SoCs. Until now, though, hardware RoT has always been applied inconsistently, the foundation explained, with most solutions kept separate from the SoC itself. With the rise of edge and cloud-based computing, and the demand that has created for confidential computing solutions — where data remains encrypted while being processed — the industry is calling for a higher level of consistency in how RoT security is assured.
OCP members, including Advanced Micro Devices Inc., Google LLC, Microsoft Corp. and Nvidia Corp., say the Caliptra RoT standard they designed is a big improvement over prior standards that were implemented separately from the SoC. They explained that Caliptra provides a strong basis for SoC-embedded RoT security behaviors and application programming interfaces, as well as a more reliable architecture for SoC IP block implementation.
Most importantly, it will enable the industry to standardize the security architecture of cloud-deployed servers while making it much more scalable, providing a way to meet the enhanced security demands of edge and confidential computing. In specific terms, Caliptra will provide uniform functionality and management for Root of Trust processes across data center devices and components.
The Caliptra team stressed that the need for a new standard is quite pressing. While in traditional data centers, physical security measures were always enough to mitigate physical interposers that could compromise security, that’s no longer the case with edge and confidential computing. At the edge, data center operators are faced with new physical threat vectors as these locations are much more difficult to physically secure, and so there’s an urgent need to protect against physical interposers between two discrete packages. At the same time, confidential computing requires package-level and SoC-level attestation to keep pace with the many emerging threats it faces.
Holger Mueller of Constellation Research Inc. said security is key to ensuring privacy for the cloud computing resources that power today’s next-generation applications. “Standards help to advance security faster, and with the OCP’s new Caliptra standard attracting such wide endorsement from the beginning, there’s a good chance it will succeed and see much wider adoption,” the analyst said. “It’s good to see hardware makers like AMD and Nvidia already on board, as well as Azure and Google Cloud.”
“Today marks a major step forward in industry-wide collaboration on security with the release of Caliptra 0.5 specifications by OCP, and availability of Caliptra 0.5 RTL through the CHIPS Alliance,” said Mark Papermaster, AMD’s chief technology officer and executive vice president of technology and engineering. Papermaster, who called the agreement “remarkable,” said he expects other companies to join in the initiative going forward.
The OCP said the Caliptra 0.5 specification is available to download now, setting the foundational principles and technical details of the standard, though it is not quite ready for prime time. Rather, the release is an invitation to the broader OCP community for input, to ensure it meets broader industry needs. In other words, the Caliptra team is hoping to receive community feedback on the work done so far to ensure the final standard will meet everyone’s requirements by the time of its launch, which is scheduled for the first half of next year.