Hardware-Enabled Security

From MgmtWiki

Full Title or Meme

Hardware-Enabled Security originated as a government category that includes a variety of implementations like TPM, Secure Enclave, Trusted Execution Environment and many others.

Context

NIST Interagency Report 8320D on Hardware-Enabled Security
Organizations employ a growing volume of machine identities, often numbering in the thousands or millions per organization. Machine identities, such as secret cryptographic keys, can be used to identify which policies need to be enforced for each machine. Centralized management of machine identities helps streamline policy implementation across devices, workloads, and environments. However, the lack of protection for sensitive data in use (e.g., machine identities in memory) puts those identities at risk. This report presents an effective approach for overcoming security challenges associated with creating, managing, and protecting machine identities throughout their lifecycle. It describes a proof-of-concept implementation, a prototype, that addresses those challenges by using hardware-based confidential computing. The report is intended to be a blueprint or template that the general security community can use to validate and utilize the described implementation.

Hybrid

Proposals in 2024 for a hybrid approach with a TPM (or SE) in the user's Smartphone and an HSM in the cloud are core to the EUDIW or eIDAS 2.0 proposals.

Reusing HSMs developed for remote signing in HSM-Based EUDI Wallets

2025-10 Several EU member states, including Germany and the Netherlands, are developing HSM-based wallets—wallets where user keys are managed inside a Hardware Security Module (HSM) at the wallet provider. In eIDAS terminology, this HSM is called the Wallet Secure Cryptographic Device (WSCD), and the application directly interacting with it is the Wallet Secure Cryptographic Application (WSCA). The WSCA is preferably software-based, e.g. running in a container, but can be implemented as bespoke HSM firmware too. The new eIDAS Implementing Regulation 2024/2981 (Annex IV) requires that the WSCD undergo an Advanced Vulnerability Assessment at level AVA_VAN.5. In plain terms: the HSM must withstand attackers with high attack potential, as defined by the Common Criteria (ISO/IEC 15408).

The simplest—if not the only—way to meet AVA_VAN.5? Use an EAL4+ Common Criteria certified HSM. The “+” indicates the extra advanced vulnerability analysis at level 5. Good news: such HSMs already exist, for example: the Thales Luna HSM7, Utimaco CP5 and I4P Trident. These HSMs are Common Criteria certified under EN 419221-5, a European norm widely used for remote qualified signing. Interestingly, both the Signer Interaction Component (SIC) in remote signing and the EUDI wallet are user-controlled components. This means the user—not the provider—initiates and authorizes critical actions, ensuring strong alignment with eIDAS principles of user consent and control.
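The split described in the Hybrid and HSM-based wallet sections above, a user-controlled device that authorizes and a provider-hosted HSM (the WSCD) that holds the wallet key, can be modelled to show what "the user, not the provider, initiates and authorizes" means in practice. The code below is an added illustration written for this page; it is not code from the page, from eIDAS, or from any wallet project. HMAC-SHA256 stands in for the asymmetric signatures a real WSCD would use, and the key names, the authorization message layout and the single-use nonce rule are assumptions made for the example.

```python
"""Model of an HSM-based wallet split into a user-controlled device and a
provider-hosted HSM (the WSCD). Added illustration only: not code from the
page, from eIDAS, or from any wallet project. HMAC-SHA256 stands in for the
asymmetric signatures a real WSCD would use, and the key names, message
layout and nonce rule are assumptions made for this example."""
import hashlib
import hmac
import os
import secrets


class UserDevice:
    """User-controlled side. Holds only an authorization key; stand-in for a
    key kept in the phone's TPM or Secure Element."""

    def __init__(self, auth_key: bytes):
        self._auth_key = auth_key

    def authorize(self, key_id: str, document: bytes) -> dict:
        """Bind the user's consent to one key, one document hash and one fresh nonce."""
        nonce = secrets.token_hex(16)
        digest = hashlib.sha256(document).hexdigest()
        msg = f"{key_id}|{digest}|{nonce}".encode()
        tag = hmac.new(self._auth_key, msg, hashlib.sha256).hexdigest()
        return {"key_id": key_id, "digest": digest, "nonce": nonce, "tag": tag}


class ProviderHSM:
    """Provider side (WSCD). Wallet keys are generated here and never exported;
    a signature is produced only for a valid, not-yet-used user authorization."""

    def __init__(self):
        self._signing_keys = {}    # key_id -> wallet signing key (never leaves)
        self._auth_keys = {}       # key_id -> key used to verify user consent
        self._seen_nonces = set()  # replay protection
        self.audit_log = []

    def enroll(self, key_id: str, user_auth_key: bytes) -> None:
        # With HMAC the HSM holds the same key the user holds; a real WSCD would
        # hold only the user's public key, so the provider could not forge consent.
        self._signing_keys[key_id] = os.urandom(32)
        self._auth_keys[key_id] = user_auth_key

    def sign(self, authorization: dict, document: bytes) -> bytes:
        key_id = authorization["key_id"]
        if key_id not in self._signing_keys:
            raise PermissionError("unknown key")
        digest = hashlib.sha256(document).hexdigest()
        if digest != authorization["digest"]:
            raise PermissionError("authorization does not cover this document")
        msg = f"{key_id}|{digest}|{authorization['nonce']}".encode()
        expected = hmac.new(self._auth_keys[key_id], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, authorization["tag"]):
            raise PermissionError("authorization was not produced by the user")
        if authorization["nonce"] in self._seen_nonces:
            raise PermissionError("authorization already used")
        self._seen_nonces.add(authorization["nonce"])
        self.audit_log.append((key_id, digest, authorization["nonce"]))
        return hmac.new(self._signing_keys[key_id], document, hashlib.sha256).digest()


def _rejected(hsm: ProviderHSM, authorization: dict, document: bytes) -> bool:
    try:
        hsm.sign(authorization, document)
    except PermissionError:
        return True
    return False


def run_checks() -> dict:
    """Exercise the gate with constructed data and report which controls held."""
    hsm = ProviderHSM()
    user_auth_key = os.urandom(32)
    device = UserDevice(user_auth_key)
    hsm.enroll("wallet-key-1", user_auth_key)

    document = b"constructed presentation: age_over_18 = true"
    authorization = device.authorize("wallet-key-1", document)
    signature = hsm.sign(authorization, document)

    # An authorization produced with some other key must not be accepted.
    forged = dict(authorization)
    forged["nonce"] = secrets.token_hex(16)
    forged["tag"] = hmac.new(os.urandom(32), b"x", hashlib.sha256).hexdigest()

    return {
        "signed": len(signature) == 32,
        "other_document_rejected": _rejected(hsm, authorization, b"constructed: transfer 1000 EUR"),
        "replay_rejected": _rejected(hsm, authorization, document),
        "forged_consent_rejected": _rejected(hsm, forged, document),
        "one_audit_entry": len(hsm.audit_log) == 1,
    }


if __name__ == "__main__":
    for control, held in run_checks().items():
        print(f"{control}: {'ok' if held else 'FAILED'}")
```

The order of checks in sign() matters: the document hash is compared before the nonce is consumed, so a provider that swaps in a different document gets a rejection without burning the user's authorization, while a second use of the same authorization on the same document is caught by the nonce set. The audit log records only hashes and nonces, never key material.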

Secure Boot

Hardware-Enabled Security can start with protection of the BIOS, which should be stored in a secure chip that cannot be altered except by secure methods.
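The complement to keeping the BIOS in a chip that resists alteration is measuring it, which is what the TPM named at the top of this page provides: each boot stage is hashed into a Platform Configuration Register so that an altered BIOS, or stages run in a different order, produces a different value than a known-good reference. The following is an added example written for this page, not code from the page or from any TPM vendor; the stage images are constructed byte strings standing in for real firmware, and the single-PCR layout is an assumption.

```python
"""TPM-style measured boot chain. Added example, not code from the page or
from any TPM vendor: each stage image is hashed and folded into a PCR with
PCR' = SHA256(PCR || SHA256(image)), and a verifier compares the final PCR
against a known-good reference and replays the event log. Stage images are
constructed byte strings standing in for real firmware."""
import hashlib

PCR_INITIAL = bytes(32)  # PCRs start at all zeros on reset


def measure(image: bytes) -> bytes:
    """Hash of the stage image as loaded."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One-way, order-sensitive accumulation; there is no 'unextend'."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_chain(stages) -> tuple:
    """Run the measured boot, returning (final PCR, event log)."""
    pcr = PCR_INITIAL
    log = []
    for name, image in stages:
        m = measure(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier recomputes the PCR from the log; it must equal the reported PCR."""
    pcr = PCR_INITIAL
    for _, measurement_hex in log:
        pcr = extend(pcr, bytes.fromhex(measurement_hex))
    return pcr


GOOD_STAGES = [
    ("bios", b"constructed BIOS image, version 1"),
    ("bootloader", b"constructed bootloader image"),
    ("kernel", b"constructed kernel image"),
]
REFERENCE_PCR, GOOD_LOG = boot_chain(GOOD_STAGES)


def verify(reported_pcr: bytes, log) -> str:
    """Verifier decision: the log must explain the PCR, and the PCR must match."""
    if replay_log(log) != reported_pcr:
        return "log inconsistent with PCR"
    if reported_pcr != REFERENCE_PCR:
        return "unexpected firmware"
    return "trusted"


def run_checks() -> dict:
    results = {}
    results["good_boot"] = verify(*boot_chain(GOOD_STAGES))

    # One character changed in the BIOS image: the PCR and everything after it change.
    tampered = [("bios", b"constructed BIOS image, version 2")] + GOOD_STAGES[1:]
    results["tampered_bios"] = verify(*boot_chain(tampered))

    # Same images, different order: extend is order-sensitive.
    reordered = [GOOD_STAGES[1], GOOD_STAGES[0], GOOD_STAGES[2]]
    results["reordered_stages"] = verify(*boot_chain(reordered))

    # A rewritten log cannot hide tampering, because the PCR itself cannot be rewritten.
    pcr, _ = boot_chain(tampered)
    results["forged_log"] = verify(pcr, GOOD_LOG)
    return results


if __name__ == "__main__":
    for case, verdict in run_checks().items():
        print(f"{case}: {verdict}")
```

Measurement detects alteration rather than preventing it, which is why it pairs with the write-protected chip described above: the chip keeps the BIOS from being changed through unauthorized paths, and the PCR gives a verifier evidence of what actually ran.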

The article "New RMPocalypse Attack Let Hackers Break AMD SEV-SNP To Exfiltrate Confidential Data" reports on ways the hardware itself can be compromised.

References