Microsoft, Intel cook kit to secure firmware in servers and beyond

Because everything has firmware and it survives reboots. PLUS: Redmond details HPE-killing cloud servers

By Simon Sharwood, APAC Editor

Posted in Servers, 9th November 2017 07:31 GMT

Microsoft's revealed it is working with Intel on a “cryptographic microcontroller” to secure its cloud servers and the many firmware-using components within.

Redmond's named this effort “Project Cerberus” and says it is “a NIST 800-193 compliant hardware root of trust specifically designed to provide robust security for all platform firmware.”

An Architecture Overview (PDF) explains the problem Microsoft wants to address, namely that servers have “evolved from Central Processing Unit (CPU) being the core instruction execution endpoint, to a fabric of sophisticated devices optimized to accelerate workloads.” Many of those devices have firmware and “If these peripherals do not enforce firmware digital signature authentication, any unprotected firmware update interface could become an attack vector.”

Microsoft therefore feels that “if and when a baremetal system is provisioned or a cloud hardware system is repaved, one must ensure that the system is not compromised”, by making sure the firmware in its components is kosher.

Cerberus therefore “provides a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Options ROMs) as well as on peripheral I/O devices by enforcing strict access control and integrity verification from pre-boot and continuing to runtime.”

Microsoft says the project “consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates.” Apparently this allows “robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.”
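To make the mechanism concrete, here is an added illustration (not code from Microsoft, Intel or the Cerberus specification): a toy Python model of a filter that sits between host and flash, measures protected regions against a manifest, refuses writes that touch them, and answers an attestation challenge. The class and function names, the manifest layout, the constructed flash image and key, and the HMAC standing in for a real attestation signature are all assumptions.

```python
import hashlib, hmac

# Common SPI NOR opcodes: read, page program, 4 KiB sector erase.
READ, PAGE_PROGRAM, SECTOR_ERASE = 0x03, 0x02, 0x20
SECTOR = 0x1000

class FlashFilter:
    """Toy model of a root of trust sitting between the host and SPI flash."""

    def __init__(self, flash, manifest, key):
        self.flash = bytearray(flash)
        self.manifest = manifest   # {name: (start, end, expected SHA-256 hex)}
        self.key = key             # stand-in for the device's attestation key
        self.log = []

    def measure(self):
        """Hash every protected region; True only if all match the manifest."""
        self.log = [(n, hashlib.sha256(self.flash[s:e]).hexdigest())
                    for n, (s, e, _) in sorted(self.manifest.items())]
        return all(hmac.compare_digest(got, self.manifest[n][2])
                   for n, got in self.log)

    def attest(self, nonce):
        """Bind the current measurement log to a verifier-supplied nonce."""
        self.measure()
        msg = nonce + "".join(d for _, d in self.log).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def host_access(self, opcode, addr, data=b"", length=0):
        """Filter one host transaction; refuse writes that touch protected flash."""
        if opcode == READ:
            return bytes(self.flash[addr:addr + length])
        if opcode == SECTOR_ERASE:     # erase covers the whole containing sector
            addr, data = addr & ~(SECTOR - 1), b"\xff" * SECTOR
        elif opcode != PAGE_PROGRAM:
            return False               # default-deny unknown opcodes
        end = addr + len(data)
        if end > len(self.flash):
            return False               # out-of-range access
        if any(addr < e and end > s for s, e, _ in self.manifest.values()):
            return False               # overlaps a protected region: blocked
        for i, b in enumerate(data):   # NOR program can only clear bits
            old = self.flash[addr + i]
            self.flash[addr + i] = b if opcode == SECTOR_ERASE else old & b
        return True

def build_demo():
    """Constructed 12 KiB image: 'bios' in sector 0, writable scratch in sector 2."""
    image = bytearray(b"\xff" * 3 * SECTOR)
    image[0:SECTOR] = b"BIOS" * (SECTOR // 4)
    manifest = {"bios": (0, SECTOR, hashlib.sha256(image[0:SECTOR]).hexdigest())}
    return FlashFilter(image, manifest, key=b"constructed-demo-key")
```

A verifier holding the same manifest and key can recompute the expected `attest()` value for its nonce; any change to a protected region makes both `measure()` and the attestation response diverge.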

Interestingly, “The specification is CPU and I/O architecture agnostic and is intended to easily integrate into various vendor designs over time, thus enabling more secure firmware implementations on all platform types across the industry, ranging from datacenter to IoT devices.”

“The specification also supports hierarchical root of trust so that platform security can be extended to all I/O peripherals using the same architectural principles.”

Intel's helping Microsoft “to explore optimal implementation models for platform firmware security” and the pair have released a draft spec on the Open Compute Project's GitHub repository.

This draft covers “motherboard firmware (UEFI BIOS, BMC, Options ROMs) and the vision is to work with the OCP community to extend the specifications over time to cover all peripheral I/O components such as HDD, SSD, NIC, FPGA, GPU, etc.”

Microsoft's not alone in identifying this problem: in January 2017 Google revealed custom silicon in its cloud servers that “securely identify and authenticate legitimate Google devices at the hardware level.”

Redmond's reveal of Cerberus appeared alongside news that it has new hyperscale servers of its own design working inside Azure. Dubbed “Project Olympus” and revealed in November 2016, the servers are powering Azure's Fv2 virtual machine family, Redmond's fastest cloudy VMs. Microsoft claims they “offer the fastest Intel Xeon Scalable processors in the public cloud” and are the first Redmond-designed servers deployed in Azure.

Which may well explain why HPE had to quit the cloud server market. ®
