Difference between revisions of "Hardware Protection"

From MgmtWiki
Jump to: navigation, search
(Context)
(Context)
Line 2: Line 2:
 
[[Hardware Protection]] offered by Hardware Security Modules (HSM see [[FIPS 140]]) or management chips.
 
[[Hardware Protection]] offered by Hardware Security Modules (HSM see [[FIPS 140]]) or management chips.
 
==Context==
 
==Context==
*Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3.
+
* On 2020-11-17 [https://www.wired.com/story/microsoft-pluton-secure-processor/ Microsoft announced]that they planned to enable the Pluton design on chips from Intel and AMD.
 +
* Both Intel and ARM enable secure enclaves on their Microprocessor to protect security.
 +
* Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3.
 
* The [https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/ TPM (Trusted Platform Module)] version 1 was a purely hardware version of protection that was offered only as a stand alone chip. With version 2 defined as software, it can be (and often is) included in any [[Trusted Execution Environment]].
 
* The [https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/ TPM (Trusted Platform Module)] version 1 was a purely hardware version of protection that was offered only as a stand alone chip. With version 2 defined as software, it can be (and often is) included in any [[Trusted Execution Environment]].
 
* The first Hardware Protection was provided by a product from the Intel Data Security Operation that was built, but never shipped. The DSO was disbanded on 1996-01-11. The devices was based on the i386 design with full memory bus encryption so that it could use the normal memory bus in DMA mode. Paul England made it clear in 2010 that Microsoft fought to prevent Hewlett Packard from implementing a board with the chip installed.
 
* The first Hardware Protection was provided by a product from the Intel Data Security Operation that was built, but never shipped. The DSO was disbanded on 1996-01-11. The devices was based on the i386 design with full memory bus encryption so that it could use the normal memory bus in DMA mode. Paul England made it clear in 2010 that Microsoft fought to prevent Hewlett Packard from implementing a board with the chip installed.

Revision as of 16:47, 25 November 2020

Full Title

Hardware Protection offered by Hardware Security Modules (HSM see FIPS 140) or management chips.

Context

  • On 2020-11-17 Microsoft announcedthat they planned to enable the Pluton design on chips from Intel and AMD.
  • Both Intel and ARM enable secure enclaves on their Microprocessor to protect security.
  • Latest version as of 2019-05-22 is FIPS 140-3, version 3.
  • The TPM (Trusted Platform Module) version 1 was a purely hardware version of protection that was offered only as a stand alone chip. With version 2 defined as software, it can be (and often is) included in any Trusted Execution Environment.
  • The first Hardware Protection was provided by a product from the Intel Data Security Operation that was built, but never shipped. The DSO was disbanded on 1996-01-11. The devices was based on the i386 design with full memory bus encryption so that it could use the normal memory bus in DMA mode. Paul England made it clear in 2010 that Microsoft fought to prevent Hewlett Packard from implementing a board with the chip installed.

Problems

When hardware contains software, and particularly when it contains firmware, it no longer has the same level of protection that a purely hardware solution offers. For example the Apple T2 chip has been hacked and cannot be fixed in the field.[1]

References

  1. Lily Hey Newman, Apple's T2 Security Chip Has an Unfixable Flaw (2020-10-05) https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/

Other Material