<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Setting Hardware Root-of-Trust from Edge to Cloud, and How to Use it</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Florent Chabaud</string-name>
          <email>florent.chabaud@atos.net</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Atos Big Data &amp; Cybersecurity</institution>
          ,
          <addr-line>Rue du Gros Caillou - 78340 Les Clayes-sous-Bois -</addr-line>
          <country country="FR">France</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Trusted Computing</institution>
          ,
          <addr-line>Edge Computing, High Performance Computing, Remote Attestation</addr-line>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2022</year>
      </pub-date>
      <fpage>115</fpage>
      <lpage>130</lpage>
      <abstract>
        <p>For decades, Trusted Computing has tried to anchor trust in the hardware, and the existence of Trusted Platform Modules (TPM) in most modern design is evidence that this approach is now well understood. The default behavior of recent Operating Systems like Windows 11 is even to deny booting if this security feature is absent. But this approach is not sufficient in a modern world where one needs to trust remote platforms. To preserve confidence in security, one needs to limit the trusted computing base (TCB) of a system at a level where an assessment can make sense. Trusted Execution Architecture (TEA) is the result of a partnership with ProvenRun to implement a TCB in Atos servers in a consistent way, from Edge to High Performance Computing. This allows to envision security features based on some common Root-of-Trust known to different platforms, at different scales and levels of interaction. Operating System Smart Cards C&amp;ESAR'22: Computer &amp; Electronics Security Application Rendezvous, Nov. 15-16, 2022, Rennes, France</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        In 1993, the NSA tried to introduce the Clipper Chip to promote Key Escrowed Encryption [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Even
if this attempt failed [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] and backfired in promoting open-source encryption [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], it showed the
importance of hardware in computer security, and paved the way to trusted computing. Soon, the
Trusted Computing Platform Alliance, renamed as Trusted Computing Group [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], will emerge and
promote another piece of hardware, the Trusted Platform Module (TPM), now standardized [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] and
embedded in most platforms. But this concept is now revisited by another industry consortium, the
Open Compute Project [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], which adds to the TPM some other security chips. Even if adding security
hardware can make sense, it is always raising the question of how this new hardware can be trusted.
Understanding the alleged improvement in terms of security is also important to assess the security
benefit ratio, and in the end, other options can be envisioned.
      </p>
      <p>In this paper, we will bring a quick survey of the state-of-the-art of trust in hardware in section 2.
We will discuss the rationale of Atos Trusted Execution Architecture (TEA) and the pros and cons of
this software-oriented approach in section 3. We will then detail some aspects of the implementation in
section 4. In the end, section 5 will sketch future innovative security in Atos HPC architectures, as
allowed by the Atos TEA.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Hardware Trust State-of-the-Art Overview 2.1. Smart Cards</title>
      <p>Long before NSA tried to promote its Clipper Chip, the ideas of using small pieces of hardware to
secure secrets arose in several places. Several patents were filed around this invention, but the seminal
industrialization patent was the creation of the first portable support with both a processor and a</p>
      <p>
        2022 Copyright for this paper by its authors.
memory, allowing the small piece of plastic to cryptographically interact with its environment in an
active way. Embedding the processor and the memory in the same single ship came rapidly after this,
innovating the reign of smart cards. It is worth recalling that Michel Ugon, a French engineer of the
Bull company later acquired by Atos was at the core of these inventions[
        <xref ref-type="bibr" rid="ref8">8</xref>
        ][
        <xref ref-type="bibr" rid="ref9">9</xref>
        ][
        <xref ref-type="bibr" rid="ref10">10</xref>
        ].
      </p>
      <p>
        The large dissemination of smart cards makes them a primary target of a new class of cryptographic
attacks: if the secret remains in the chip, maybe the way it is used leaks some information on the secret.
A seminal attack of this kind is due to P. Kocher and al. who invented Differential Power Analysis
(DPA) [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] which remains one of the threats a cryptoprocessor needs to deal with, among other types
of side channel attacks.
2.2.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Hardware Security Modules</title>
      <p>
        Hardware Security Modules (HSM) are another example of devices which were designed to protect
secrets. HSMs usually embeds features to physically protect their internals, and provide tamper
evidence at physical (labels, screws…) and logical levels (logs, alarms…). Certification standards such
as Common Criteria [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] or FIPS-140 [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] are developed with HSM in mind to evaluate the robustness
of these security mechanisms.
      </p>
      <p>
        As usual, it is worth noting that being certified is not a guarantee of security. Depending on the
security model, a certified HSM can be proven vulnerable to threats which are out of its protective
scope. Interestingly, a recent example proved the need for HSMs to be self-protected against firmware
tampering, not only on their crypto processors, but also on their applicative part [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. Said differently,
HSMs firmware also needs some Hardware Root-of-Trust!
2.3.
      </p>
    </sec>
    <sec id="sec-4">
      <title>Trusted Platform Module (TPM)</title>
      <p>
        The Trusted Computing Group (TCG) promotes Trusted Computing concepts across personal
computers around the use of a Trusted Platform Module (TPM). It has now become an international
standard [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] for a secure cryptoprocessor providing several security functions:
- Unique device keys: the TPM embeds some private keys which are normally certified by its
manufacturer.
- Measurement: the TPM securely stores some Platform Configuration Registers (PCR) which are
obtained by chaining the cryptographic hash of several memory areas in a specific order.
Usually, the memory areas are the successive codes used during the booting sequence, therefore
building a chain-of-trust. The PCR values can be locally verified by the operating system to
check that the boot sequence wasn’t tampered.
- Remote attestation: using its unique device keys, the TPM can sign its PCRs to remotely attest
that the boot sequence was not tampered. This signature can be verified against the TPM
manufacturer public key certification infrastructure.
- Key wrapping: using its unique device keys, the TPM can encrypt other cryptographic keys to
ensure their secure storage. This ensures that the locally encrypted keys cannot be decrypted
without the TPM.
- Random number generator: the TPM usually embeds some hardware random number generator
suitable for cryptographic usage.
      </p>
      <p>It is important to understand that the TPM cannot guarantee the security of the CPU booting process
by itself. It must be completed by some bootstrapping process to kick-off the measurements and take
their results in account.
2.4.</p>
    </sec>
    <sec id="sec-5">
      <title>Trusted Execution Environment (TEE)</title>
      <p>
        Following M. Sabt and al. [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ] we take as a definition of a Trusted Execution Environment (TEE)
“a tamper-resistant processing environment that runs on a separation kernel”. It aims at providing on a
single CPU an isolation between a “normal” kernel and a “trusted” one, protected against software and
hardware attacks. Several TEE solutions exist but all of them are based on some hardware technologies
such as Intel TXT [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ] or ARM TrustZone [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. The latter is widely used in mobile environments as
stated by M. Sabt and al.
      </p>
      <p>
        The security of a TEE solution results from the hardware technology used, but it depends a lot more
on the usage of this technology at software level. Even if the TEE is fully isolated at hardware level, its
purpose is to exchange data with the normal world and process it in a secured environment. Any
vulnerability in the driver which ensure communication between the two worlds can ruin the overall
security of the TEE [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ][
        <xref ref-type="bibr" rid="ref19">19</xref>
        ].
2.5.
      </p>
    </sec>
    <sec id="sec-6">
      <title>Secure Chips</title>
      <p>
        Other secure chips have been developed in different industries to ensure firmware integrity.
Examples of solution are found in the Set-top-box area where control access system vendors ensure
digital rights management (DRM) on video streams through hardware security features. For instance,
Nagra On-Chip Security (NOCS) “brings the hardware “root of trust” that ensures platform security”
[
        <xref ref-type="bibr" rid="ref20">20</xref>
        ]. Another example is the ARM-based cryptographic embedded controller [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ] which proposes all
the features to implement a TEE.
2.6.
      </p>
    </sec>
    <sec id="sec-7">
      <title>Open Compute Project (OCP)</title>
      <p>
        The Open Compute Project (OCP) is an organization [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] that shares designs of data center products
and best practices among several companies. It leads several projects around datacenter design. As usual
in those types of organization, a sponsoring program is in place with different levels [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. Being able to
claim a product is OCP Inspired™ requires at least a Silver subscription. Curiously, the annual fee is
decreasing from Silver to Platinum level, but this is compensated by the obligation to contribute to
events and overall activity of the project. This may explain why the list of members is roughly split in
two between Community members at lowest rates, and Platinum members. Platinum members
encompass companies such as Alibaba, AMD, ARM, Cisco, Deutsche Telekom, Google, HPE, Huawei,
IBM, Intel, Meta, Microsoft, Nokia, Nvidia, or Schneider Electric, among others.
      </p>
      <p>
        Through its Security project, the objective of the OCP could be summarized as an effort to gather
all previous security technologies like TPM and secure chips in an organized standard able to ensure
secure computing. Also all documentation is shared according to a Creative Commons license [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ]
allowing to share and adapt the material.
      </p>
    </sec>
    <sec id="sec-8">
      <title>2.6.1. OCP Platform Security Overview</title>
      <p>
        The overall organization of the OCP is somehow fuzzy, but two parallel approaches are identified
which should eventually converge:
1. The Datacenter Secure Control Module (DC-SCM) specification [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ].
      </p>
      <p>
        2. The OCP Platform Security Overview [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ].
      </p>
      <p>The main outcome of this last document can be summarized in the excerpted Figure 1. It introduces
a new piece of hardware, the Platform Active Root-of-Trust (PA RoT).</p>
      <p>
        The role of this PA RoT, which could be ensured by the DC-SCM, is aligned with the NIST Platform
Firmware Resiliency Guidelines [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ]. This Special Publication was issued in May 2018, and its
guidelines have soon become a de facto standard of what a platform needs to implement to improve
their resiliency against a variety of known attacks, both at software and/or hardware level. It proposes
a progressive approach with three different platform security levels: Protected, Recoverable, and
Resilient.
      </p>
    </sec>
    <sec id="sec-9">
      <title>2.6.2. Attestation of System Components</title>
      <p>
        The OCP has issued some requirements and recommendations around attestation of system
components [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ]. The document goal is to allow a platform (verifier) to build its platform inventory
containing a list of all security-relevant devices, whether they support authentication and attestation or
not. Attestations are secured by a set of cryptographic keys and protocols which are used in attestation
mechanisms. Cryptographic requirements refer to standard NIST documents.
      </p>
      <p>Because of these requirements, each device must be provided with a set of cryptographic keys:
1. A Unique Device Secret (UDS) which is used to characterize the attester device.
2. A private authentication key unique to each device. The corresponding certificate is allowed
for digital signature usage. This key is intended to be immutable and certified by the
provisioner.
3. A private signature key unique to each device. The corresponding certificate is allowed for
digital signature and content commitment usages. This key is intended to be updated and
certified by the device owner.</p>
      <p>For the provisioner, the specification also requires some key management infrastructure using HSM
to protect:
1. The keys of the Provisioner’s Certificate Authority.
2. The keys of the Updater role.
3. The keys of the Firmware signer role.</p>
      <p>To be noted that there is a notion of ownership transfer that implies that the Updater and Firmware
signer keys can be changed by the Device owner.</p>
      <p>
        Also, the requirement implies the existence of a root of trust within each attester, able to perform
cryptographic operations, including random number generation with sufficient entropy. References to
NIST publications and FIPS 140-3 [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] at level 2 is recommended.
      </p>
      <p>
        Once this is set, attester devices must be capable of communicating their authentication and
attestation capabilities to the platform, and platforms must be capable of interrogating potential attester
devices and recording their authentication and attestation capabilities. The two references used to
implement the corresponding protocols are described in DMTF’s SPDM [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ] (see 2.3.9) and
Microsoft’s Cerberus [
        <xref ref-type="bibr" rid="ref29">29</xref>
        ]. A sample implementation of the DMTF’s SPDM specification is also a
reference [
        <xref ref-type="bibr" rid="ref28">28</xref>
        ].
      </p>
    </sec>
    <sec id="sec-10">
      <title>3. Atos’ Approach</title>
    </sec>
    <sec id="sec-11">
      <title>3.1. Threat Model</title>
      <p>When dealing with firmware security, the threat model can drastically impact the level of protection
needed. It is indeed a different story to protect the firmware integrity of a server lying in a physically
isolated datacenter, or to address the same problem on a smart card which can be easily replaced by a
copy. Also of importance is the scope of the intended protection. In our case, and in this paper, we focus
on the security of the platform with an agnostic approach of the CPU/GPU components. We aim to
ensure some security independently from the existing technologies at OS level. In particular, and as an
example, the operating system can still use the TPM when it is present and leverage the CPU
technologies to ensure it’s booted in a secured way. This will be further explained in section 4.4. But
we want to ensure a certain level of security of the platform even if none of these security features is
used. So, let’s first identify the type of attack scenario which one would like to prevent in this context.</p>
    </sec>
    <sec id="sec-12">
      <title>3.1.1. Physical RAM Access</title>
      <p>The first scenario of attack is basic. If one has physical access to the server, he or she could leverage
this access to reprogram the memories of the hardware and have the platform firmware execute
unwanted operations. For instance, in the context of an HSM which would protect secret keys,
reprogramming the firmware could be a simple way to get a given secret key copied on an external
interface, hence compromising it.</p>
    </sec>
    <sec id="sec-13">
      <title>3.1.2. Supply Chain Attack</title>
      <p>Physical RAM access may be assumed as limited in time. If the physical access is possible for days,
like during shipment, the attack possibilities in altering firmware are much more important.
Components could be replaced which would try to mimic the behavior of the original ones while
preserving some backdoor, for instance.</p>
    </sec>
    <sec id="sec-14">
      <title>3.1.3. The Persistent Remote Attack</title>
      <p>As the firmware will have some critical vulnerabilities discovered, the security objective is to make
the platform able to recover from such attack and to avoid its persistency. If such an attack can change
every piece of data in the platform memories, then it is pretty clear that the attack can remain, since the
platform relies on its memories to boot. The use of some immutable data seems therefore mandatory to
ensure security.</p>
    </sec>
    <sec id="sec-15">
      <title>3.1.4. Rogue Developer</title>
      <p>The internal threat remains a possibility for any vendor, and whatever the source code tainting
approach. The effects are the same in case of an intrusion on the development infrastructure. Controlling
the code can mitigate this risk only if these controls are not by-passed. A good way to ensure that the
code is controlled at least once is to have it signed with a properly protected cryptographic key. This
ensure as well a resilient posture in case of late discovery of some rogue activity. In this case, the
rootof-trust remains the cryptographic keys which are used to sign the firmware.
3.2.</p>
    </sec>
    <sec id="sec-16">
      <title>Sovereignty Principle</title>
      <p>
        From a security perspective, a platform MUST use a Hardware Root-of-Trust (HW RoT). It is the
only way to ensure some protection against software attacks and to achieve a level of resilience. Without
it, any of the above listed attacks, if successful, would achieve a state where trust would be damaged in
an irreversible way. On the other hand, if the Hardware RoT exists, the platform may be rebuilt from
this basis. This is the approach specified by OCP with its Platform Active Root-of-Trust and promoted
by the NIST Platform Firmware Resiliency Guidelines [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ].
      </p>
      <p>
        But Atos also wanted to limit unknown hardware to increase trust and confidence in the solution.
Even if some of the proposed PA RoT are open source like the Open Titan [
        <xref ref-type="bibr" rid="ref31">31</xref>
        ], adding new hardware
increases the attack surface and the complexity of the server. And one also must take in account the
delays to qualify and stabilize the new hardware [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ]. In the end, the trust in the resulting hardware is
disputable and will eventually come from wide usage, as the story of the TPM told us.
      </p>
      <p>
        We therefore limited the HW RoT to some public cryptographic key anchored in the silicon, whose
corresponding private keys are handled in an HSM developed by Atos: the Trustway Proteccio
netHSM [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ]. This HW RoT is then propagated through a Chain-of-Trust applied to:
1. A secure boot sequence (Chain-of-Trust for Detection – CTD).
2. A secure firmware update (Chain-of-Trust for Upgrade – CTU).
      </p>
      <p>These chains-of-trust will be later detailed in section 4.1.
3.3.</p>
    </sec>
    <sec id="sec-17">
      <title>Baseboard Management Controller</title>
      <p>
        Most of the modern servers have a Baseboard Management Controller (BMC), which is responsible
for the power-on of the main CPUs, and the management of the firmware. From a security perspective,
it is already a piece of the platform you need to trust. And it has already been proven that it can be a
source of weakness for a server [
        <xref ref-type="bibr" rid="ref33">33</xref>
        ].
      </p>
      <p>For the servers developed by Atos, the BMC is hosted in a System-on-Chip (SOC). We decided to
leverage this existing hardware and to elevate it as the Platform Active Root-of-Trust for the platform.
The Figure 2 modifies the original figure from OCP (see Figure 1) to illustrate the approach.</p>
      <p>The server's CPUs are therefore seen as symbiont devices relative to the BMC. The advantage of the
approach is that this hardware is mandatory in all servers, as it is the interface to the management
infrastructure to power-on the platform or upgrade its firmware. It also plays a key role in the overall
integrity of the platform, and its security should be hardened.</p>
      <p>ARM</p>
      <p>M</p>
      <p>B</p>
    </sec>
    <sec id="sec-18">
      <title>Security Implications</title>
      <p>
        The current implementation of the Atos BMC is based on Open BMC [
        <xref ref-type="bibr" rid="ref34">34</xref>
        ], a Linux Foundation
collaborative open-source project whose goal is to produce an open-source implementation of the BMC
Firmware Stack. The Open BMC project has already security in mind with firmware signature
verification during secure boot [
        <xref ref-type="bibr" rid="ref35">35</xref>
        ]. But this doesn’t appear sufficient to reach the security level needed
for a PA RoT. And even hardening Open BMC Linux kernel would not achieve hardware-like security.
But the underlying hardware embeds an ARM core with TrustZone technology [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. Leveraging this
technology makes possible to achieve a decent level of security, even without a dedicated security
component. This is the implementation we will detail in section 4. Assuming this technology is
efficiently implemented, what are the impacts on the above threat model:
1. Reprogramming the firmware of the server assumes the possibility to reboot the server with
a rogue firmware. This possibility is prevented as the BMC will verify the signature of
firmware during boot sequence. And the cryptographic keys used for this verification are
out of reach for a standard physical access.
2. Changing components of the platform is the threat covered by the device/peripheral
attestation mechanism. Of course, the security of this mechanism depends on the existence
of the PA RoT, which could be replaced in our case by another BMC. This rogue SoC would
have to implement a backdoor in a way that resist subsequent firmware upgrade of the BMC
using Atos firmware. This seems an acceptable residual risk.
3. The persistent remote attack risk is covered in the same way as the direct reprogramming of
the firmware memories. The BMC will verify the signature of the firmware during boot
sequence. The firmware upgrade feature which is present in the BMC will also verify
signature of the firmware before authorizing the upgrade.
4. The public keys anchored in the hardware make possible to recover from a situation of a
trapped development as long as the private keys are duly protected.
      </p>
      <p>
        Of course, the use of a non-dedicated hardware for security has some drawbacks. For instance, it is
envisioned to implement a firmware TPM in the Atos BMC. This would allow to add this security
feature in HPC environment where no TPM is usually implemented for physical space reason. But it
cannot be claimed the same level of security, since the TPM chips are usually certified at high level of
security (see for instance [
        <xref ref-type="bibr" rid="ref36">36</xref>
        ]). For the threat model we described, dedicated to Platform security and
Firmware integrity, there is no significant change in the risks. However, for cryptographic storage of
user keys, which is one of the key features of a TPM for the end user, the risk assessment would have
to be considered accordingly.
      </p>
    </sec>
    <sec id="sec-19">
      <title>4. Atos’s PA RoT Implementation</title>
    </sec>
    <sec id="sec-20">
      <title>4.1. Ownership Transfer Preparation</title>
      <p>Allowing the change of cryptographic keys to the platform owner is difficult to ensure while
preserving the overall security, since the purpose of anchoring RoT in the hardware is to prevent
software-based attacks which could change the keys used for firmware verification. Even if these keys
are public, their integrity is of utmost importance to the security objectives.</p>
      <p>Signed firmware is used to authenticate firmware before critical functions:
1. CTD: During boot sequence to ensure that the next step of the boot sequence will activate an
authenticated binary code.
2. CTU: During updating process to ensure that the firmware image is authenticated before
flashing it in RAMs.</p>
      <p>These two chains are independent and complementary.</p>
      <p>Three types of keys can therefore be identified to verify the signature of a firmware:
1. At the beginning of the boot sequence, to benefit from Hardware root-of-trust (red key in the</p>
      <p>Figure 3).
2. During boot sequence where a public key embedded in firmware can be used to pursue the
chain-of-trust in a flexible way (orange key in the Figure 3).</p>
      <p>Before flashing, where a public key can be used to verify the signature of the firmware payload.
The corresponding public key can be stored either in a hardware secured part of the SOC, or in
a firmware provided it is protected by another chain-of-trust (see green public key in the Figure
3 as an example).</p>
      <p>Except the root-of-trust key secured at hardware level, all public keys used to verify firmware
integrity and/or boot chain integrity must be part of a signed firmware. This ensures that the
modification of the verification keys is authenticated provided the key store is properly implemented.</p>
      <p>It is important to understand that the hardware secure boot is very limited in practice. It only secures
the first stage of booting, a little program which cannot exceed a few kilobytes of code (63 K for ARM),
because it will be loaded in ARM memory for signature verification. All the other operations of a
chainof-trust for detection (CTD) or chain-of-trust for upgrade (CTU) will exceed this limit and will therefore
rely on software-based security.</p>
      <p>Yet, this also allows ownership transfer provided the customer trusts its vendor, which seems a
legitimate hypothesis. Indeed, at least the CTD key is included in the first stage booting code, which
ensures the possibility to change it, while preserving the overall security of the scheme. Depending on
the needs, CTD and CTU keys may be owned by the vendor or not. Consequently, in theory, the
chainof-trust keys can be changed for each owner provided at least one signature is performed involving the
hardware RoT key owned by Atos.
4.2.</p>
    </sec>
    <sec id="sec-21">
      <title>Firmware Key Management</title>
      <p>The root of trust is the initial public key which must be inserted and secured by hardware security
measures. The root-of-trust must be immutable once the hardware security measure is in place.
Therefore, the corresponding private key is of critical importance in a production environment. Due to
the hardware hardening it is not possible to update a root-of-trust key by firmware upgrade. The only
allowed operation may be to invalidate a compromised key. It is therefore mandatory to anticipate the
compromise of such key by organizational measures and by generating several backup keys that will
be injected in the hardware in case of a compromise (see 4.2.2).</p>
    </sec>
    <sec id="sec-22">
      <title>4.2.1. ARM Secure Boot Specification</title>
      <p>For intellectual property reason, we cannot here reproduce the precise way the ARM Secure Boot is
implemented. We will therefore just sketch the main points to help understanding how the TEA
rootof-trust key is managed.</p>
      <p>By default, secure boot is not enabled. This is mandatory in the design process since initialization
of the ARM component will need to boot the CPU. The usual chicken-and-egg situation mandates the
component to be initially insecure. Several ways to activate secure boot are available. To simplify, let’s
say that we have:
1. A reversible way to activate hardware secure booting through jumpers on hardware pins.
2. An irreversible way to activate hardware secure booting through one-time-programmable
hardware memories in the SoC.</p>
      <p>The first option is intended for development, testing, and qualification. In the end of the production
process, the second option will be used to set the component in secure mode.</p>
      <p>Once set in secure mode, only a signed first stage can be used to boot the SoC (see Figure 3). The
signature will be verified against the keys which have been inserted in the component.</p>
      <p>Consequently, it is possible and recommended to introduce the public keys in the ARM core as soon
as possible in the factory process. It has no immediate impact and no risk to brick the SoC provided the
secure boot is left in reversible mode. It has the advantage to personalize the component early in the
process, making it more difficult to tamper with (see Table 1).</p>
    </sec>
    <sec id="sec-23">
      <title>4.2.2. Secure Boot Spare Keys</title>
      <p>For obvious security reason, the hardware secure boot public keys are also injected through OTP
memories and cannot be changed once in secure mode. For a given component, the same keys will
therefore be in use from day 1 of its production until its end-of-life. If the component is to be used for
ten years, the corresponding private keys must be protected during this time. And on such long period,
one must anticipate risks such as key loss, key compromise, identity usurpation on the firmware signing
chain, etc.</p>
      <p>As a first consequence, HSM should always be used to protect hardware secure boot private keys.
This seems consistent with the sensitivity of keys which cannot be changed in the field if an incident
occurs.</p>
      <p>Secondly, the set of hardware secure boot keys should not be limited to one key. It is therefore
separated in one production key, and several spare keys. Any of these keys could sign a firmware
recognized by the BMC. But the only one in use is the production key. The spare keys are created just
in case something weird happens to the production key. But they must be created at the same time
because their public part will be injected in production. And the protection of their private part is of
utmost importance.</p>
    </sec>
    <sec id="sec-24">
      <title>4.2.3. Private Key Protection</title>
      <p>All the keys used to ensure trust in the platform do not deserve the same level of protection. For
instance, DEV keys are considered insensitive. They will be deactivated in production and are therefore
considered extractable from the HSM. This allows to have some outsourced development without
having to give access to the HSM signature mechanisms.</p>
      <p>
        This is obviously not the case for PROD keys which are generated, stored, and used in an Atos
Trustway Proteccio HSM [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ] configured in RGS mode [
        <xref ref-type="bibr" rid="ref37">37</xref>
        ]. All production keys are saved in backups
protected by a 3-out-of-6 Shamir scheme [
        <xref ref-type="bibr" rid="ref38">38</xref>
        ].
      </p>
      <p>Besides, the access to the signature function is controlled:
- By logical measures for Chain-of-trust keys.
- By the use of a smart card for the HW RoT production key.</p>
      <p>- Using a smart card AND the possession of the key backup for the HW Spare production keys.
4.3.</p>
    </sec>
    <sec id="sec-25">
      <title>Trusted Execution Architecture (TEA)</title>
      <p>
        The System-on-Chip (SoC) used in the BMC embeds the TrustZone technology which is part of its
ARM Core [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. This is used to host a hardened Operating System TeaCore provided by ProvenRun to
implement a Trusted Execution Environment (TEE) as seen in section 2.4. The TEE is then used to
secure the two Chains-of-trust related to secure boot and firmware upgrade (see Figure 4).
      </p>
      <p>
        TeaCore is based on the use of a proven operating system ProvenCore which has been certified by
ANSSI at EAL7 level in a different context [
        <xref ref-type="bibr" rid="ref39">39</xref>
        ]. It ensures a better flexibility to later add new security
features such as cryptographic keys secure storage, firmware TPM, and/or flash runtime monitoring.
      </p>
      <p>Together with the HW RoT key anchored in the silicium of the BMC, the TeaCore provides the
architecture to implement a full Platform Active Root-of-Trust as proposed by OCP. As of today, the
chains of trust for development and upgrade are implemented. Next steps could introduce attestation
mechanisms.</p>
      <sec id="sec-25-1">
        <title>TeaCore</title>
        <p>TeaCore Secure Services
TA
TA
TA
Secure Boot
FW upgrade</p>
      </sec>
      <sec id="sec-25-2">
        <title>Crypto</title>
      </sec>
      <sec id="sec-25-3">
        <title>Sec. Storage</title>
      </sec>
      <sec id="sec-25-4">
        <title>Other</title>
      </sec>
      <sec id="sec-25-5">
        <title>Atos BMC (Linux)</title>
      </sec>
      <sec id="sec-25-6">
        <title>Secure Services</title>
      </sec>
      <sec id="sec-25-7">
        <title>Abstraction Layer</title>
        <p>Normal World
TrustZone Secure World
Figure 4 - Trusted Execution Environment of the Chains-of-Trust</p>
      </sec>
    </sec>
    <sec id="sec-26">
      <title>Full Secure Boot Sequence</title>
      <p>We have now all the information to understand the full boot sequence of an Atos server
implementing the new Trusted Execution Architecture.</p>
      <p>
        For this example, we will use the case of a server based on an Intel CPU implementing the TXT
technology [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. This technology implements its own RoT which signs the Initial Boot Block (IBB),
the first step of the Intel TXT secure boot sequence. If activated, the Intel RoT will prevent any change
of the IBB which is not properly signed. The secure boot sequence of the CPU can also imply the TPM,
either a physical one if present, or the firmware implementation by Intel [
        <xref ref-type="bibr" rid="ref40">40</xref>
        ], or the one Atos could add
in TEA using the TrustZone technology. This boot process will end at Operating System level. In the
case of Windows 11, BitLocker can use the TPM and check through the measurements that the boot
process was sane.
      </p>
      <p>Atos TEA do not interfere with this process. It only adds at the beginning a preliminary verification
of the IBB. Since the BMC is responsible for powering on the CPU, it will use its TrustZone to perform
a signature verification of the IBB and won’t power-on the CPU in case of a signature error. The whole
sequence will therefore start from the ARM secure boot sequence of the BMC and ensure firmware
integrity through the different existing mechanisms (see Figure 5). The approach would work the same
way for another type of CPU.</p>
    </sec>
    <sec id="sec-27">
      <title>5. Potential Application in HPC</title>
      <p>Now that we have a TEE enabled in our servers, from Edge to Enterprise servers, let’s see the type
of application we could envision in a High Performance Computing (HPC) environment.
5.1.</p>
    </sec>
    <sec id="sec-28">
      <title>How an HPC Could Be a Unique Device</title>
      <p>
        One drawback of the Platform Active Root-of-Trust approach is that the secure component becomes
a single point of failure for the system. This is especially true when comes the definition of the Unique
Device Secret (UDS). As introduced in section 2.6.2, the attestation mechanism assumes the
implementation of some hierarchical certification where each vendor attests the integrity of its product
using some public key infrastructure mechanism. The PA RoT will therefore use all these UDS to
control the authenticity of the platform components with some signature mechanism, and the
verification of the certificates of the public keys. The trusted cryptoprocessor PA RoT is also the
privileged place to store the UDS of the platform itself, allowing it to become attester to the remote
management infrastructure (verifier). But this approach reaches some limits when it comes to big cloud
infrastructure or high-performance computers. As an example, one of the recently deployed Atos HPC
platforms counts 300 000 computing cores shared among roughly 4500 CPUs [
        <xref ref-type="bibr" rid="ref41">41</xref>
        ]. Which one of those
components will host the UDS and identify the HPC in a unique way?
5.2.
      </p>
    </sec>
    <sec id="sec-29">
      <title>An HPC Architecture Overview</title>
      <p>It is not the purpose here to detail the architecture of an HPC installation. Besides, this is an evolving
matter. Schematically, an HPC framework will gather nodes of different types exchanging data through
an Ethernet or Interconnect fast network. Management Nodes or Rack Management Controllers (RMC)
can exist to manage a physical cluster of a hundredth of computing nodes. Each cluster is interconnected
with the other clusters to form the overall HPC (see Figure 6).</p>
      <p>From an operational point of view, the access to the computing power is devoted to some login
nodes, and one of the management software roles is to schedule the job requests submitted to the login
nodes to optimize the computing power. Each job will get allocated some computing nodes and storage
resources for an amount of time, depending on the pre-requisites of the job request. The whole purpose
of the architecture is to avoid latency in messages exchange between the computing nodes and in
input/output writing on the storage nodes, while dealing with astronomically high amount of data. In a
standard attestation approach, a compute node would have to check the attestation status of the storage
node before sending data to it. This would mean data exchange between the nodes consuming the
interconnect bandwidth. Even if it may sound marginal, keep in mind that these machines are pushing
the specifications at their limits, and are subject to some avalanche effects when unwanted events occur.</p>
      <p>On the other hand, all the development framework around HPC has already incorporated error events
because the scale of the HPC makes plausible to encounter errors when the machine is in use. Hardware
faults, hot swaps, are part of the normal use of an HPC computer. This can be a drawback in a classical
platform firmware attestation mechanism, but it can also be turned to our advantage.
5.3.</p>
    </sec>
    <sec id="sec-30">
      <title>The HPC DNA: a Patented Approach</title>
      <p>Under the hypothesis that the Trusted Execution Architecture is implemented, an immediate benefit
arises from it. All nodes will get a TEE through their BMC (see Figure 7). Of course, the same would
occur if each node would come with a TPM or any form of PA RoT secured chip. But the truth is that
adding some secure element in these nodes is not that easy for physical constraints (power alimentation,
cooling, space) while a BMC is mandatory anyway. So now, we have this trusted capacity on all our
nodes, and we can leverage it.</p>
      <p>Like a living body can identify its cells through characteristics determined by the DNA common to
all cells, the idea of a local hardware-secured zone keeping some DNA-like secrets shared by all the
machine nodes, makes possible for each node of the machine to perform the access controls, without
relying on a remote server to determine if a communication is tampered or not. In other words, this
generalizes the notion of Unique Device Secret (UDS) to a global platform such as a High-Performance
Computer (HPC) or a Cloud-based infrastructure.</p>
      <p>Any node of the machine will assume that its counterpart possesses the shared secret. It is therefore
possible to encrypt communication under this assumption. If the counterpart fails to decrypt it, this will
be treated as a glitch or hardware failure using the normal exception mechanisms of HPC development
libraries.
5.4.</p>
    </sec>
    <sec id="sec-31">
      <title>Unique Secret Generation</title>
      <p>The powering-on of an HPC machine is done in several steps. For instance, a rack will be
poweredon before its computing blades can be powered-on. There is no guarantee on the order of the
poweringon. Some computing blades can be powered-on before another rack is powered-on. The hypothesis is
that all nodes will eventually establish a connection through a management network, without guarantee
that all connections are feasible. For simplification, we will assume that a Rack Management Controller
exists, which can be seen as a BMC dedicated to the management of all the BMCs of a rack. We will
also assume that the sequence of initialization starts an RMC before the BMC it manages.</p>
      <p>The process must therefore ensure the following properties:
- If the machine is powered-on, a new secret must be generated by the first powered on RMC.
- If the machine is powered-off, which is an unlikely event, a new secret must be generated on
next power-on by the first RMC that will be powered on.
- If several RMCs are powered-on in parallel, a negotiation mechanism must converge towards
a single secret.</p>
      <p>- Any new RMC or BMC that will be powered on must get the secret in a secure way.</p>
      <p>Generating a secret in the RMC could be a challenge from a cryptographic perspective, since we do
not assume a physical random number generator is available on the BMC. It seems feasible as soon as
a reliable random noise generator is available. One needs to avoid the repeatability of the boot process
which could lead to the generation of the same secret on each boot. To ensure a proper source of noise,
the global entropy must reach at least 256 bits. Fortunately, the RMC is gathering a lot of physical
sensors information which can be leveraged to assembly enough noise in the random number generator
of the device.</p>
      <p>When a new component is added to the management network, it can be of two kinds:
- If it is a BMC, it will get the secret from its RMC.</p>
      <p>- If it is an RMC, it will negotiate its secret against the other RMC as follows.</p>
      <p>One cannot know in advance the order of RMC appearance in the management network. And in the
life of the machine, some racks may be shut down for maintenance, then reconnected. One wants the
secret to stabilize as soon as possible while preserving the history of the used keys. This is a possible
application for blockchain technology and decentralized consensus making.</p>
      <p>If RMCa and RMCb have booted and generated their secrets Sa and Sb, one cannot choose among
these secrets. But a cryptographic mechanism can take place to establish a common secret Sab. This
secret is timestamped in the blockchain and becomes its first block. Two blocks are then added with Sa
and Sb.</p>
      <p>If RMCc joins later with its secret Sc it will have to adopt the secret Sab. And the block Sc is added
to the chain. The block chain length is therefore related to the number of racks whose secrets were
changed so far.</p>
      <p>If two racks exchange two different block chains with the same initial secret Sab, the block chain is
reconciled with the missing blocks.</p>
      <p>If the two initial secrets differ, the longer chain will be privileged. The blocks of the shorter chain
will be added. If the chains have the same length the chain with the smaller hash will be kept.</p>
      <p>If an RMC has to change its secret after negotiation, it has to propagate the new secret to its rack
components. The blocks to add in the blockchain indicate the other RMCs to inform of the secret
change.
5.5.</p>
    </sec>
    <sec id="sec-32">
      <title>Security Discussion</title>
      <p>
        To prevent the secrets from being compromised when a computing blade is extracted, the
corresponding secrets are stored on RAM in an encrypted way. The component extraction powers the
component off by design. This ensures that at least a portion of the encrypted key is erased. The
encryption mechanism can therefore guarantee the disappearance of the key if a sufficient portion of
the key is lost. This security mechanism is prone to cold boot attacks [
        <xref ref-type="bibr" rid="ref42">42</xref>
        ] but this kind of scenario is
mitigated if the secret is updated regularly.
      </p>
      <p>Before delivering the secret to a new component of the machine, it is of course important to
determine if the new component is sane. It is at this step that remote attestation protocol can be used.
The UDS at node level makes perfect sense for this as it is inserted at factory time to build security
upon trusted remote attestation of a component (see 2.6.2).</p>
      <p>This pre-inserted private key should never be exposed outside its security module. Zero-knowledge
protocols can use the key to attest the authenticity of the TPM-like feature remotely. This way, a newly
inserted component can be checked remotely for sanity before providing the secret. And the private key
is needed to decipher the secret, protecting it on first communication.</p>
    </sec>
    <sec id="sec-33">
      <title>6. Conclusion</title>
      <p>Based on well-known concepts of Product Security, Atos has implemented a Trusted Execution
Architecture (TEA), common to all its servers. The trust in this implementation is founded on:
1. Public cryptographic root-of-trust keys anchored in silicon.
2. Private keys protected by an RGS certified Atos Trustway Proteccio HSM.
3. The well-known ARM TrustZone technology embedded in the existing BMC component
of our platforms.
4. The hardened operating system TeaCore developed by ProvenRun on Atos specification
and based on their formally proven and EAL7 certified operating system ProvenCore.</p>
      <p>This TEA is first used to ensure some Platform Firmware Resiliency through firmware signatures
verified at boot time and before any upgrade. Its generalization to all Atos-made platforms makes
possible some innovative security features. As an example, we presented an innovative approach to
device attestation applicable to High-Performance Computing (HPC) environments which generalizes
the notion of Unique Device Secret (UDS) to a global platform such as a HPC or a Cloud-based
infrastructure.</p>
    </sec>
    <sec id="sec-34">
      <title>7. References</title>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Howard</surname>
            <given-names>S.</given-names>
          </string-name>
          <string-name>
            <surname>Dakoff</surname>
          </string-name>
          ,
          <source>The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation</source>
          ,
          <volume>29</volume>
          J. Marshall L.
          <year>Rev</year>
          .
          <volume>475</volume>
          (
          <year>1996</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Frankel</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Yung</surname>
          </string-name>
          .
          <source>Escrow Encryption Systems Visited: Attacks, Analysis and Designs. Crypto 95 Proceedings</source>
          ,
          <year>August 1995</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Philip</given-names>
            <surname>Zimmermann - Why</surname>
          </string-name>
          <string-name>
            <surname>I Wrote PGP</surname>
          </string-name>
          (
          <year>June 1991</year>
          - updated
          <year>1999</year>
          ) URL: http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Trusted</given-names>
            <surname>Computing</surname>
          </string-name>
          <article-title>Group</article-title>
          . URL: https://trustedcomputinggroup.org/
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Information</surname>
          </string-name>
          technology - Trusted Platform Module, International Standards Organization ISO/IEC 11889 series (2009-
          <fpage>2015</fpage>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>Open</given-names>
            <surname>Compute</surname>
          </string-name>
          <article-title>Project</article-title>
          . URL: https://www.opencompute.org
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>OCP</given-names>
            <surname>Membership</surname>
          </string-name>
          <article-title>Tiers</article-title>
          . URL: https://www.opencompute.org/membership
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>Michel</given-names>
            <surname>Ugon</surname>
          </string-name>
          .
          <article-title>Support d'information portatif muni d'un microprocesseur et d'une mémoire morte programmable, CII-Honeywell-</article-title>
          <source>Bull patent FR77</source>
          .
          <volume>26107</volume>
          .
          <issue>26</issue>
          /8/1977.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>Michel</given-names>
            <surname>Ugon</surname>
          </string-name>
          .
          <article-title>Portable data carrier including a microprocessor. CII-Honeywell-</article-title>
          <source>Bull patent US4</source>
          .
          <volume>211</volume>
          .
          <year>919A</year>
          .
          <volume>26</volume>
          /8/1977. https://patents.google.com/patent/US4211919A
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>Michel</given-names>
            <surname>Ugon</surname>
          </string-name>
          .
          <article-title>Single chip microprocessor with on-chip modifiable memory</article-title>
          ,
          <source>Bull CP8 patent US4.382.279</source>
          .
          <issue>25</issue>
          /4/1978. https://patents.google.com/patent/US4382279A/en?oq=
          <fpage>4</fpage>
          .
          <fpage>382</fpage>
          .279
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kocher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Jaffe</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Jun</surname>
          </string-name>
          ,
          <article-title>"</article-title>
          <source>Differential Power Analysis" Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes In Computer Science</source>
          Vol.
          <volume>1666</volume>
          , M. Wiener, ed., Springer-Verlag,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <article-title>Common Criteria for Information Technology Security (ISO/IEC 15408</article-title>
          ) https://www.commoncriteriaportal.org/
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <article-title>Security Requirements for Cryptographic Modules</article-title>
          ,
          <source>Federal Information Processing Standards Publication 140-3, National Institute of Standards and Technology, March</source>
          <volume>22</volume>
          ,
          <year>2019</year>
          . URL: https://doi.org/10.6028/NIST.FIPS.
          <volume>140</volume>
          -
          <fpage>3</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Jean-Baptiste Bédrune</surname>
          </string-name>
          and Gabriel Campana.
          <article-title>Everybody be cool, this is a robbery! SSTIC 2019 Proceedings</article-title>
          ,
          <year>June 2019</year>
          . URL: https://www.sstic.org/media/SSTIC2019/SSTICactes/hsm/SSTIC2019-Article
          <string-name>
            <surname>-</surname>
          </string-name>
          hsm-campana_bedrune_neNSDyL.pdf
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>M.</given-names>
            <surname>Sabt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Achemlal</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Bouabdallah</surname>
          </string-name>
          ,
          <article-title>"Trusted Execution Environment: What It is</article-title>
          , and What It is Not,
          <article-title>"</article-title>
          2015 IEEE Trustcom/BigDataSE/ISPA,
          <year>2015</year>
          , pp.
          <fpage>57</fpage>
          -
          <lpage>64</lpage>
          , doi: 10.1109/Trustcom.
          <year>2015</year>
          .357
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>Intel</given-names>
            <surname>Trusted Execution Technology (Intel® TXT) Software Development Guide</surname>
          </string-name>
          ,
          <source>rev. 017.3 March</source>
          <year>2022</year>
          https://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt
          <article-title>-softwaredevelopment-guide</article-title>
          .pdf
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17] ARMLtd, “
          <article-title>Arm security technology - building a secure system using trustzone technology</article-title>
          ,”
          <string-name>
            <surname>Rev</surname>
          </string-name>
          . C,
          <year>April 2009</year>
          . https://developer.arm.com/documentation/PRD29-GENC-009492/c
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>Di</given-names>
            <surname>Shen</surname>
          </string-name>
          . Attacking your “Trusted Core”
          <article-title>- Exploiting TrustZone on Android</article-title>
          .
          <source>BlackHat USA</source>
          <year>2015</year>
          . https://www.blackhat.com/docs/us-15/materials/us-15
          <string-name>
            <surname>-Shen-Attacking-Your-Trusted-CoreExploiting-Trustzone-</surname>
          </string-name>
          On-Android.pdf
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <surname>Laginimaineb</surname>
          </string-name>
          ,
          <article-title>"Bits, Please!: Full TrustZone exploit for MSM8974" 8 octobre 2015</article-title>
          . https://bitsplease.blogspot.com/
          <year>2015</year>
          /08/full-trustzone
          <article-title>-exploit-for-msm8974</article-title>
          .html
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <surname>Nagra-Certified Secure</surname>
          </string-name>
          Video/Audio Chipsets Surpass 80 Million Mark,
          <year>2015</year>
          . https://dtv.nagra.
          <article-title>com/nagra-certified-secure-videoaudio-chipsets-</article-title>
          <string-name>
            <surname>surpass-</surname>
          </string-name>
          80
          <string-name>
            <surname>-</surname>
          </string-name>
          million-mark
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <surname>Microchip CEC1702 Data Sheet</surname>
          </string-name>
          ,
          <year>2019</year>
          . https://www.microchip.com/en-us/product/CEC1702
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <article-title>Attribution-ShareAlike 4.0 International (CC BY-SA 4</article-title>
          .0) https://creativecommons.org/licenses/by-sa/4.0/
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>Datacenter</given-names>
            <surname>Secure Control Module (DC-SCM) Specification</surname>
          </string-name>
          (
          <year>2021</year>
          ). URL: https://www.opencompute.org/documents/ocp-dc
          <article-title>-scm-spec-rev-1-0-pdf</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>OCP</given-names>
            <surname>Platform Security</surname>
          </string-name>
          <article-title>Overview</article-title>
          . URL: https://docs.google.com/document/d/1- bfAF86cEKcn1guF-Qj2C2HhMM2oJ2njNGdHxZeetR0/edit#
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>Special</given-names>
            <surname>Publication</surname>
          </string-name>
          800-193
          <string-name>
            <given-names>Platform</given-names>
            <surname>Firmware Resiliency Guidelines</surname>
          </string-name>
          , National Institute of Standards and Technology, May
          <year>2018</year>
          . URL: https://doi.org/10.6028/NIST.SP.
          <volume>800</volume>
          -
          <fpage>193</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          <source>[26] Attestation of System Components v1.0 Requirements and Recommendations</source>
          (
          <year>2020</year>
          ) https://www.opencompute.org/documents/attestation-v1-
          <fpage>0</fpage>
          -20201104-pdf
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <given-names>Security</given-names>
            <surname>Protocol</surname>
          </string-name>
          and
          <article-title>Data Model (SPDM) Specification https</article-title>
          ://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.0.0.pdf
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <article-title>Libspdm, a sample implementation of the DMTF SPDM specification https://github</article-title>
          .com/DMTF/libspdm
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <given-names>Project</given-names>
            <surname>Cerberus Firmware</surname>
          </string-name>
          Challenge Specification https://github.com/opencomputeproject/Project_Olympus/tree/master/Project_Cerberus
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30]
          <string-name>
            <given-names>Atos</given-names>
            <surname>Trustway</surname>
          </string-name>
          Proteccio netHSM https://atos.net/en/solutions/cyber
          <article-title>-security/data-protection-and-governance/hardware-securitymodule-trustway-proteccio-nethsm</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <surname>Open</surname>
            <given-names>Titan:</given-names>
          </string-name>
          <article-title>the first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips</article-title>
          . https://opentitan.org/
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <given-names>Dominic</given-names>
            <surname>Rizzo</surname>
          </string-name>
          .
          <article-title>OpenTitan at one year: the open source journey to secure silicon</article-title>
          .
          <source>Google Open Source Blog, 7 December</source>
          <year>2020</year>
          . https://opensource.googleblog.com/
          <year>2020</year>
          /12/opentitan-at
          <article-title>-oneyear-open-source</article-title>
          .html
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33]
          <string-name>
            <surname>Fabien</surname>
            <given-names>Périgaud</given-names>
          </string-name>
          , Alexandre Gazet and
          <string-name>
            <given-names>Joffrey</given-names>
            <surname>Czarny</surname>
          </string-name>
          .
          <article-title>Backdooring your server through its BMC: the HPE iLO4 case</article-title>
          .
          <source>SSTIC 2018 proceedings.</source>
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [34]
          <string-name>
            <surname>Open</surname>
            <given-names>BMC</given-names>
          </string-name>
          :
          <article-title>Defining a Standard Baseboard Management Controller Firmware Stack</article-title>
          . https://www.openbmc.org/
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [35]
          <string-name>
            <given-names>Joel</given-names>
            <surname>Stanley</surname>
          </string-name>
          .
          <article-title>Securing firmware: Secure and Trusted boot in OpenBMC</article-title>
          .
          <source>January</source>
          <year>2020</year>
          ,
          <string-name>
            <surname>LCA</surname>
          </string-name>
          <year>2020</year>
          . https://archive.org/details/lca2020-Securing_firmware_Secure_and_Trusted_boot_in_OpenBMC
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          <source>[36] Infineon Techologies AG OPTIGA™ Trusted Platform Module SLB9672_2.0 v15.20.15686</source>
          .
          <article-title>00 Common Criteria Part 3 conformant EAL 4 augmented by ALC_FLR.1</article-title>
          and AVA_VAN.4
          <string-name>
            <given-names>Certification</given-names>
            <surname>Report. BSI-DSZ-CC-</surname>
          </string-name>
          1113-
          <year>2021</year>
          . 21 May
          <year>2021</year>
          . https://www.commoncriteriaportal.org/files/epfiles/1113a_pdf.pdf
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          [37]
          <article-title>Arrêté du 13 juin 2014 portant approbation du référentiel général de sécurité et précisant les modalités de mise en oeuvre de la procédure de validation des certificats électroniques</article-title>
          ,
          <source>JORF n°0144 du 24</source>
          juin
          <year>2014</year>
          . https://www.ssi.gouv.fr/entreprise/reglementation/confiancenumerique/le-referentiel-general-de-securite-rgs/
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          [38]
          <string-name>
            <given-names>Adi</given-names>
            <surname>Shamir</surname>
          </string-name>
          .
          <article-title>"How to share a secret"</article-title>
          ,
          <source>Communications of the ACM</source>
          ,
          <volume>22</volume>
          (
          <issue>11</issue>
          ):
          <fpage>612</fpage>
          -
          <lpage>613</lpage>
          ,
          <year>1979</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          [39]
          <article-title>ProvenCore secure OS achieves EAL7 Common Criteria certification, 13 September 2019</article-title>
          . https://provenrun.com
          <article-title>/provencore-secure-os-achieves-eal7-common-criteria-certification/</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref40">
        <mixed-citation>
          [40]
          <string-name>
            <given-names>Darek</given-names>
            <surname>Fanton</surname>
          </string-name>
          .
          <source>Intel Platform Trust Technology - TPM for the Masses. 6 July</source>
          <year>2022</year>
          . https://www.onlogic.com/company/io-hub/
          <article-title>intel-platform-trust-technology-ptt-tpm-for-themasses/</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref41">
        <mixed-citation>
          [41]
          <string-name>
            <given-names>Patricia</given-names>
            <surname>Pottier</surname>
          </string-name>
          .
          <source>The NWP systems at Météo-France. 30th ALADIN Wk &amp; HIRLAM ASM</source>
          <year>2020</year>
          . https://www.umr-cnrm.fr/aladin/IMG/pdf/poster-france-wk2020-web.pdf
        </mixed-citation>
      </ref>
      <ref id="ref42">
        <mixed-citation>
          [42]
          <string-name>
            <given-names>Sergei</given-names>
            <surname>Skorobogatov</surname>
          </string-name>
          .
          <article-title>Low temperature data remanence in static RAM</article-title>
          .
          <source>Technical report UCAMCL-TR-536</source>
          . University of Cambridge Computer Laboratory,
          <year>June 2002</year>
          . https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-
          <volume>536</volume>
          .pdf
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>