Trust and Transparency in the Hardware Supply Chain


Intel is a sponsor of TechSpective

Organizations invest significant resources and effort in securing their devices and IT environment, but there is growing concern about the parts that make up that equipment. The supply chain exposes organizations to risk because counterfeit or tampered parts can create safety hazards, cause critical business applications to fail, or carry malicious code. You might trust the vendor that sold you the finished product, but without visibility into the supply chain behind it you cannot be sure the equipment is what it claims to be. Intel understands these concerns, which is why it developed the Intel Transparent Supply Chain.

The Intel Transparent Supply Chain helps customers manage risk in the end-to-end hardware supply chain. Policies and procedures implemented at the original design manufacturer (ODM) factories enable companies to validate where and when every component in a device was manufactured. Transparent Supply Chain gives customers comprehensive visibility into and traceability of hardware components, firmware, and systems on certain Intel Core and Xeon platforms, using the Trusted Computing Group’s (TCG) open Trusted Platform Module 2.0 (TPM 2.0) standard.

Trusted Platform Module

The Trusted Computing Group was formed in 2003 with the mission of promoting trust and security in personal computers. The diverse array of companies that contribute to the Trusted Computing Group worked together to develop the Trusted Platform Module (TPM) standard, a vendor-agnostic specification for a hardware root of trust that generates, protects, and uses cryptographic keys. Technology has changed dramatically over the past two decades, and security must adapt and evolve to keep pace. The current version, TPM 2.0, preserves that hardware-rooted security and integrity while making the standard more flexible.

Since its inception, the TPM standard has been incorporated into billions of devices, including embedded devices, network equipment, PCs, servers, and more. TPM has been successful, but it is also important for the standard to evolve to address emerging technology and security concerns. The constantly shifting technology landscape and the explosion of internet-of-things (IoT) devices drove the Trusted Computing Group to develop a new version of the standard.

Recognizing that there is a wide spectrum of devices with varying exposure to risk and inherent security concerns, TPM 2.0 was created using a “library” approach. Rather than a one-size-fits-all solution, TPM 2.0 allows vendors to select aspects of TPM functionality for different implementations and security needs. A paper from the Trusted Computing Group explains, “Each platform can choose the features needed and the level of security or assurance required. In this way, TPM 2.0 is much more flexible than the original TPM specification. That flexibility allows the newest TPMs to be applied to many embedded applications, including automotive, industrial, smart home and many more – and for designers and developers to select with more granularity the appropriate TPM capabilities for the targeted use case.”

There are a number of attributes and capabilities in the TPM 2.0 standard. The list from the Trusted Computing Group includes:

  • Support for bulk (symmetric) encryption in the platform
  • High quality random numbers
  • Cryptographic services
  • A protected persistent store for small amounts of data, sticky bits, monotonic counters and extendible registers
  • A protected pseudo-persistent store for unlimited amounts of keys and data
  • An extensive choice of authorization methods to access protected keys and data
  • Platform identities
  • Support for platform privacy
  • Signing and verifying digital signatures (normal, anonymous, pseudonymous)
  • Certifying the properties of keys and data
  • Auditing the usage of keys and data

Traceability, Accountability, and Assurance

The Intel Transparent Supply Chain offers end customers a high level of accountability and traceability. Traceability at the system and component level is cryptographically linked to the TPM on the hardware platform through a digitally signed platform certificate, based on the TCG specifications, that attests to the platform’s authenticity and its component makeup. Because the certificate is bound to that TPM’s endorsement key, a receiving organization can check that the components it observes in a machine match what the manufacturer signed, and that the certificate belongs to this specific TPM rather than to some other unit. That check raises the integrity of the supply chain and reduces the associated risk.
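The check that a signed platform certificate enables, shown as an added example in Go that is not Intel’s or the TCG’s code: the manufacturer signs a component manifest bound to the fingerprint of the TPM’s endorsement public key, and the receiving organization verifies the signature, the TPM binding, and the components it actually observes. The JSON manifest format, the ECDSA P-256 keys standing in for the manufacturer’s signing key and the TPM endorsement key (which in reality never leaves the TPM), and the component list are all constructed for illustration; a real TCG Platform Certificate is an X.509 attribute certificate whose holder is the EK certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Component is one entry in a platform's component list. This JSON form is a
// constructed stand-in for the ASN.1 component identifiers a real TCG
// Platform Certificate carries.
type Component struct {
	Class        string `json:"class"`
	Manufacturer string `json:"manufacturer"`
	Model        string `json:"model"`
	Serial       string `json:"serial"`
}

// PlatformManifest is the signed body: the component list bound to one TPM
// through the SHA-256 fingerprint of that TPM's endorsement public key.
type PlatformManifest struct {
	EKFingerprint string      `json:"ek_fingerprint"`
	Components    []Component `json:"components"`
}

// SignedManifest is the manifest plus the manufacturer's ECDSA signature
// (ASN.1 DER) over its canonical encoding.
type SignedManifest struct {
	Manifest  PlatformManifest
	Signature []byte
}

var (
	ErrBadSignature      = errors.New("manifest signature does not verify under the manufacturer key")
	ErrWrongTPM          = errors.New("manifest is bound to a different TPM endorsement key")
	ErrComponentMismatch = errors.New("observed components differ from the signed manifest")
)

// EKFingerprint hashes the PKIX (DER) encoding of the endorsement public key.
func EKFingerprint(ek *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(ek)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// canonical gives a deterministic encoding: components are sorted so the same
// set produces the same bytes regardless of enumeration order.
func canonical(m PlatformManifest) ([]byte, error) {
	c := append([]Component(nil), m.Components...)
	sort.Slice(c, func(i, j int) bool {
		return c[i].Class+"|"+c[i].Serial < c[j].Class+"|"+c[j].Serial
	})
	return json.Marshal(PlatformManifest{EKFingerprint: m.EKFingerprint, Components: c})
}

// Issue is the factory side: bind the component list to the TPM's EK and sign
// it with the manufacturer's private key.
func Issue(mfrKey *ecdsa.PrivateKey, ek *ecdsa.PublicKey, comps []Component) (SignedManifest, error) {
	fp, err := EKFingerprint(ek)
	if err != nil {
		return SignedManifest{}, err
	}
	m := PlatformManifest{EKFingerprint: fp, Components: comps}
	body, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, mfrKey, digest[:])
	return SignedManifest{Manifest: m, Signature: sig}, err
}

// Verify is the receiving side. The signature is checked first so a forged or
// altered manifest is never used as a reference; then the EK read from the TPM
// in this chassis and the components enumerated from the running system must
// both match what the manufacturer signed.
func Verify(mfrPub *ecdsa.PublicKey, ek *ecdsa.PublicKey, sm SignedManifest, observed []Component) error {
	body, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(mfrPub, digest[:], sm.Signature) {
		return ErrBadSignature
	}
	fp, err := EKFingerprint(ek)
	if err != nil {
		return err
	}
	if fp != sm.Manifest.EKFingerprint {
		return ErrWrongTPM
	}
	got, err := canonical(PlatformManifest{EKFingerprint: fp, Components: observed})
	if err != nil {
		return err
	}
	if string(got) != string(body) {
		return ErrComponentMismatch
	}
	return nil
}

// newKey generates a P-256 key, used here both as the manufacturer signing key
// and as a stand-in for a TPM endorsement key (constructed for the example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sampleComponents is a constructed component list; names and serials are fictitious.
func sampleComponents() []Component {
	return []Component{
		{"baseboard", "ExampleODM", "MB-1000", "SN-MB-0001"},
		{"cpu", "ExampleCPU", "Model-X", "SN-CPU-0001"},
		{"dimm", "ExampleMem", "DDR4-16G", "SN-DIMM-0001"},
	}
}

func main() {
	mfr, ek := newKey(), newKey()
	sm, err := Issue(mfr, &ek.PublicKey, sampleComponents())
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine unit:  ", Verify(&mfr.PublicKey, &ek.PublicKey, sm, sampleComponents()))
	swapped := sampleComponents()
	swapped[2].Serial = "SN-DIMM-9999" // a DIMM replaced in transit
	fmt.Println("swapped DIMM:  ", Verify(&mfr.PublicKey, &ek.PublicKey, sm, swapped))
	other := newKey() // certificate copied onto a different chassis
	fmt.Println("different TPM: ", Verify(&mfr.PublicKey, &other.PublicKey, sm, sampleComponents()))
}
```

The order of checks matters: the signature is verified before the component list is trusted, so an attacker who can rewrite the manifest cannot simply edit it to match the parts they installed, and the EK binding stops a genuine certificate from being reused on another unit. Comparing the canonical encodings rather than the raw slices makes the check insensitive to the order in which a system enumerates its components.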

In an increasingly complex world with a constantly evolving and expanding threat landscape, hardware integrity and system security are crucial. The Intel Transparent Supply Chain builds on TPM 2.0 to raise the bar, so that organizations can have confidence in the authenticity of the hardware they deploy within their computing environments.


About Author

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 5 cats, 2 rabbits, 2 ferrets, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Twitter, Facebook, Instagram and LinkedIn.