当前位置:首页 > 报告详情

服务器平台集中式系统安全中心.pdf

上传人: 明**** 编号:1011902 2025-12-21 14页 931.42KB

1、Phanikumar KancharlaCraig BarnerServer HW Security HubServer HW Security HubPhanikumar KancharlaCraig BarnerSecurityRisk:Keys managed by software modules for DRAM,MACSec,PCIe,CXL encryptionCaliptra and L.O.C.K.solving the similar problem for Storage devices(NVMe,SED)Solution ProposalEnhance Caliptra

2、+KMB to generate or receive keys.Develop a secure interconnect b/w Caliptra and SoC Blocks to deliver the keysServer HW Security Hub-RecapImproves NVMe/SED securityPrevents leakage of MEKs via firmware vulnerabilities or side channelsVerifiable cryptographic erase of disk driveOptional configuration

3、 of Caliptra Subsystem 2.1+Caliptra,as KMB,is the sole entity with access to MEKsMEK transfer over HW interface from Caliptra Core to SED encryption engineMCU exposes the software interface Implements a key hierarchy linking with user pin based access locksOCP L.O.C.KL.O.C.K.KMB Storage Device Focus

4、edGenerate,Derive,and StoreTrusted Key DistributionAccess Control Enforcement DRBG to generate MPK Fuse based storage(HEK)KDFs to derive MEK SW/FW can access only encrypted keys Plain keys are written only to Crypto Engines Authorized mailbox communication Defined key usage Multiparty Controlled MEK

5、sLifecycle Management Cryptographically verifiable State.HEK is zeroized to crypto erase disk Ephemeral and Session keys are zeroed after use or cold resetCurrent security design principals+Standard Key Management PoliciesoCKMS Metadata and BindingsStandard Crypto AlgorithmsoSP 800-108,SP 800-56C KD

6、Fs oSP 800-232 ASCONSecure Key delivery to all HW componentsKMB for PlatformProcessor coreMACSec(Ethernet)KeysDRAM ControllerKeysPCIeControllerKeysCrypto AcceleratorKeysKMBOverview of a large SOCIO BridgecorecorecorecorecorecorecorecorecorecorecorecoreDRAMKeysDRAMKeysDRAMKeysDRAMKeysDRAMKeysDRAMKeys

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
全文主要围绕服务器硬件安全枢纽(Server HW Security Hub)和关键安全措施展开。以下是关键点: 1. **安全风险与解决方案**:软件模块管理的密钥存在风险,Caliptra和L.O.C.K.解决存储设备(如NVMe、SED)的类似问题。 2. **增强Caliptra + KMB**:生成或接收密钥,开发安全的互连,将密钥从Caliptra核心传输到SED加密引擎。 3. **Server HW Security Hub**:提高NVMe/SED安全性,防止密钥泄露,实现可验证的磁盘擦除。 4. **KMB(Key Management Block)**:专注于存储设备,生成、推导和存储可信密钥,实施访问控制和生命周期管理。 5. **APB Secure Key Transfer Interconnect**:创建虚拟专用总线,使用KMB创建客户端KEK,通过配置总线安全传输密钥。 6. **轻量级加密**:使用ASCON算法,实现轻量级加密,优化面积和性能。 7. **合作与测试**:定义安全的SoC互连,集成硬件组件,设计模拟器进行平台级密钥管理测试。
密钥管理新方案?" L.O.C.K.如何助力?" 虚拟总线如何实现?"
客服
商务合作
小程序
服务号
折叠