OCP L.O.C.K. Hardware and Crypto Overview
Jeff Andersen, Google
Emre Karabulut, Microsoft
SECURITY

Who we are

Storage security: data at rest
User 1, User 2
Media Encryption Keys (MEKs)
Encrypted user data
PIN
User credentials

Storage security: areas of concern
Auditing of cryptographic purge
Data access authorization model
Encryption implementation quality

Sophisticated threat models
Drive theft; all on-device keys exfiltrated
Firmware compromise; all firmware-visible keys leaked
Compromised customer key management (Customer infra, Cloud infra)
Compromised storage nodes (Cloud infra)
Buggy erase processes (Cloud infra)

Layered Open-source Cryptographic Key management
Scoped specifically to storage devices
Provides key management services to the drive and host
An open implementation at CHIPS Alliance
New storage APIs defined by TCG (Trusted Computing Group)
1 https://www.opencompute.org/documents/ocp-lock-specification-v1-0-