Assuming you use Intel chips, how do you manage to trust the firmware/ME from them? Do you write your own BIOS to ensure that it is safe? Or do you use ARM/PowerPC/other ISA and have an entirely open source stack?
Does the Titan assume no physical access? And if you do assume someone could steal the chip/try to reverse engineer the chip, do you have anything in it to stop an adversary? I would wonder if there would be a private/nation-state agency that would want access to certain secrets so badly that they would try to alter it physically, rather than through root access.
Both the Titan chip and all software that runs on it are designed entirely in-house, so we have full control over the stack. And we do have physical tampering countermeasures in place.
This looks like a pretty cool project. How much research went into creating Titan? Why did Google decide to create a custom hardware-based solution (Titan) instead of using something off the shelf, like Intel's Secure Boot?
With Titan we know exactly how it is designed and how it'll behave. Titan is also platform-agnostic; it can work in many environments that Secure Boot cannot. Secure Boot also doesn't get us nifty features like tamper-evident logging or hardware root-of-trust.
Edit: See [0] where Titan was first briefly introduced earlier this year, for an image of it attached to one of our custom networking cards.
Great question. We are working on it. LOAS is about server or device credentials that will only be issued if Titan passes the validation of the BIOS firmware.
When asked about releasing a paper a few months ago at Next, it didn't sound like a high priority, maybe because it wasn't too exciting or not too many people would be interested. I disagree, but perhaps, if enough people ask Niels or whoever else makes the call, something might happen.
> Once Titan has booted its own firmware in a secure fashion, it will turn its attention to the host’s boot firmware flash, and verify its contents using public key cryptography. Titan can gate PCH/BMC access to the boot firmware flash until after it has verified the flash content, at which point it signals readiness to release the rest of the machine from reset
Can I serve a different firmware image after the verification goes through and the PCH starts loading the flash? :)
If the flash chip holding the boot firmware isn't really a flash chip, then indeed this could present an issue. However, since Titan interposes between flash and the PCH/BMC, it can observe the bytes actually being served.
Titan is just one of several measures we take to harden our stack, and helps us be confident in the software we run. It's a good point though, there are no absolutes in security.
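The exchange above (verify the flash, then release the PCH from reset, versus interposing and watching the bytes actually served) is easy to get wrong, so here is an added Python model of the two policies. It is not Google's code and not Titan's firmware; the images, the chunk size and the "swapping flash" device are constructed for illustration, and the manifest's public-key signature is assumed to have been checked already, so only the expected digest is modelled.

```python
import hashlib

# Constructed sample images (not real firmware): same length, different contents.
GOOD_IMAGE = b"GOOD BIOS v1.0 " * 64
EVIL_IMAGE = b"EVIL BIOS v1.0 " * 64
CHUNK = 64  # assumed read granularity of the host's flash fetch

# Stand-in for the signed manifest: the digest the root of trust expects.
# Assumption: the manifest's public-key signature was already verified, so
# only the authenticated digest is modelled here.
EXPECTED_DIGEST = hashlib.sha256(GOOD_IMAGE).hexdigest()


class Flash:
    """Honest SPI flash: always serves the same bytes."""

    def __init__(self, image):
        self.image = image

    def read(self, offset, length):
        return self.image[offset:offset + length]


class SwappingFlash(Flash):
    """Hypothetical active device posing as a flash chip: serves the good image
    until one full read of it has completed, then serves the evil image.
    This is the 'not really a flash chip' case from the thread."""

    def __init__(self, good, evil):
        super().__init__(good)
        self._evil = evil
        self._served = 0

    def read(self, offset, length):
        if self._served >= len(self.image):
            self.image = self._evil
        chunk = self.image[offset:offset + length]
        self._served += len(chunk)
        return chunk


def _chunks(size):
    return range(0, size, CHUNK)


def verify_then_release(flash, expected=EXPECTED_DIGEST, size=len(GOOD_IMAGE)):
    """Policy A: hash the flash once, release reset, then step aside.
    The host's own fetch is not observed, so a swap after verification is missed."""
    h = hashlib.sha256()
    for off in _chunks(size):
        h.update(flash.read(off, CHUNK))
    if h.hexdigest() != expected:
        return {"released": False, "host_loaded": b"", "tampered_at": None}
    # Host is out of reset and reads the flash directly; nobody is watching.
    host_loaded = b"".join(flash.read(off, CHUNK) for off in _chunks(size))
    return {"released": True, "host_loaded": host_loaded, "tampered_at": None}


def verify_as_served(flash, expected=EXPECTED_DIGEST, size=len(GOOD_IMAGE)):
    """Policy B: stay in line between flash and host.  Record a per-chunk digest
    during the verification pass, then forward the host's reads while comparing
    every chunk actually served against that record; any divergence halts boot."""
    per_chunk = {}
    h = hashlib.sha256()
    for off in _chunks(size):
        b = flash.read(off, CHUNK)
        h.update(b)
        per_chunk[off] = hashlib.sha256(b).digest()
    if h.hexdigest() != expected:
        return {"released": False, "host_loaded": b"", "tampered_at": None}
    host_loaded = bytearray()
    for off in _chunks(size):
        b = flash.read(off, CHUNK)  # the bytes the host will actually see
        if hashlib.sha256(b).digest() != per_chunk[off]:
            # Served bytes differ from verified bytes: hold the host in reset.
            return {"released": False, "host_loaded": b"", "tampered_at": off}
        host_loaded += b
    return {"released": True, "host_loaded": bytes(host_loaded), "tampered_at": None}
```

Against an honest flash both policies release the host with the good image, and both refuse an image that is wrong from the start. Against the swapping device only the interposing policy catches the substitution, and it reports the first offset at which the served bytes diverged, which is exactly the property the reply above relies on.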