A Google-spearheaded project has released details of its efforts to develop an open source design for a silicon root of trust (RoT) chip that is flexible enough to help secure a range of hardware.
The OpenTitan project is managed by non-profit organisation lowRISC and supported by a coalition of research and commercial entities, with ETH Zürich, G+D Mobile Security, Nuvoton and Western Digital backing the effort.
Dominic Rizzo, OpenTitan lead at Google Cloud, said that in the wake of the project going public he expects that list of partners to expand significantly.
The OpenTitan project builds on Google’s experience with its internally developed Titan chip.
The company initially detailed its custom-built Titan chip at Google Cloud Next ’17, which it said was being used to establish a hardware root of trust for the servers and even peripherals, such as networking cards, employed in Google's data centres.
“It helps us protect servers from tampering, even at the BIOS level,” Google SVP engineering Urs Hölzle told the 2017 conference. Google was using the chip to help authenticate both hardware and services that it runs on top of that hardware, Hölzle said.
Google’s original Titan was a leap forward but is still a proprietary solution, Rizzo told a press briefing. “We feel that you, as the customer and the user, shouldn't be required to put blind trust in such a foundational security device,” the Google exec added.
“This has been great for us and our customers, but it remains proprietary,” he added. “And when you look around, all of the other roots of trust are also proprietary. We've heard a number of concerns about this from customers, from industry as a whole.”
It’s not just a question of transparency versus opaqueness, however: Rizzo said that current RoT implementations are “inflexible and incomplete”. He said that they are designed for specific devices and platforms from specific vendors, and as a result enterprises with multi-cloud environments can’t benefit from consistent hardware-based security across their infrastructure.
Although OpenTitan started with a “small coalition,” now half of the contributions come from outside Google, Rizzo said.
“What we're launching isn't a proposal; it's not a standard, it's actually an active engineering project with a large team behind it that has been developing engineering collateral to support our goals for many, many months now,” Rizzo said.
Current silicon roots of trust, including Google's Titan, are proprietary. As a result they claim security “but you really have to take a leap of faith and can't verify it for yourself,” Rizzo said.
OpenTitan offers “really radical design transparency”. The design, down to the gate-level chip design, is being released under a permissive open source licence, he said.
“Why might we be doing this?” Rizzo said. “We're responsible for defending huge volumes of data centre equipment; we have a planet-wide network of 19 data centres spread across five continents that power services like search, YouTube and Gmail, not to mention our 20 regions for enterprise cloud customers.
“And all of this runs on top of a physical hardware infrastructure, our collection of servers, network cards, storage devices, and other miscellaneous hardware. It’s mission critical to our success and that of our partners and our users that that infrastructure be secure.”
Google’s infrastructure presents a “large attack surface” that “really requires state of the art defences all the way down to the bottom of the stack”.
Silicon-level attacks are a growing concern, he said.
OpenTitan is not ready for production just yet, however: “We are opening up this project mid-development for others to inspect, contribute to and improve upon the design,” Rizzo said.
In May this year Google revealed that, through its Open Source Programs Office (OSPO), it was “actively engaged in helping seed the open silicon space,” including through its ongoing support for lowRISC. (Rizzo is a member of the organisation’s board.)
lowRISC “has their own experienced engineering team with a lot of expertise in open source, both development and community management,” Rizzo said. “So they are really responsible for maintaining the project’s high technical standards.”