Microsoft releases Project Cerberus, an open source firmware project to improve OCP server security

This week, Microsoft released Project Cerberus to improve the firmware security of hardware devices. It is Microsoft's next contribution to the Open Compute Project (OCP), following Project Olympus, which Microsoft launched in October 2016.

Project Olympus is Microsoft's hyperscale cloud hardware design. It follows a new model of open source hardware development that increases flexibility: like a branch of open source software, it allows developers to change the hardware design according to their needs. Project Olympus has now completed its hardware design and open-sourced it through OCP. A virtual machine family that has been deployed on Azure is the first commercialized Project Olympus design on Azure.

Project Cerberus is the next step after Project Olympus. If Project Olympus is an open source hardware project, then Cerberus is an open source firmware security project.

Kushagra Vaid, general manager of Azure hardware architecture, pointed out that server hardware has lacked data security protection, and that Cerberus is a project to protect against, detect and recover from attacks on firmware. When people process data in the cloud, they can trust that it runs on hardware using secure firmware.

Project Cerberus conforms to the draft specification of NIST's "Platform Firmware Resiliency Guidelines". It provides a hardware root of trust for the various firmware on the motherboard and on input/output devices. It enforces strict access control and integrity verification from pre-boot through runtime. This protects against malicious insiders with administrative privileges, against malicious programs and attackers exploiting vulnerabilities in operating systems, applications or hypervisors, and against firmware being tampered with or attacked in the supply chain.

Project Cerberus includes a cryptographic microcontroller that runs secure code. It monitors the host's accesses over the SPI bus to the flash device where the firmware is stored, so it can continuously measure and verify those accesses to ensure the integrity of the firmware and prevent unauthorized access or malicious updates.
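As an added illustration of the monitor-and-verify behaviour described above (not Cerberus code and not taken from its specification): a toy Python model of a controller that filters host writes to flash and measures regions against a manifest. The class, the region names and the flash layout are assumptions constructed for the example.

```python
import hashlib

# Standard SPI NOR opcodes; the region layout below is constructed for the demo.
PAGE_PROGRAM, SECTOR_ERASE, SECTOR = 0x02, 0x20, 0x1000

class FlashFilter:
    """Toy model of a controller interposed between the host and SPI flash."""

    def __init__(self, image, manifest):
        self.flash = bytearray(image)
        # name -> (start, length, expected SHA-256 hex or None, read_only)
        self.manifest = manifest
        self.denied = []  # blocked host commands, kept for alerting

    def verify(self):
        """Measure each region; return names whose hash differs from the manifest."""
        bad = []
        for name, (start, length, digest, _) in self.manifest.items():
            region = self.flash[start:start + length]
            if digest and hashlib.sha256(region).hexdigest() != digest:
                bad.append(name)
        return bad

    def host_write(self, opcode, addr, data=b""):
        """Apply a host program/erase unless it overlaps a read-only region."""
        if opcode == SECTOR_ERASE:  # erase covers the whole aligned sector
            addr -= addr % SECTOR
            data = b"\xff" * SECTOR
        end = addr + len(data)
        for name, (start, length, _, read_only) in self.manifest.items():
            if read_only and addr < start + length and start < end:
                self.denied.append((opcode, addr, name))
                return False
        if opcode == PAGE_PROGRAM:  # NOR programming can only clear bits
            data = bytes(o & n for o, n in zip(self.flash[addr:end], data))
        self.flash[addr:end] = data
        return True

def build_demo():
    """Constructed 16 KiB image: measured read-only 'uefi', writable 'nvram'."""
    image = bytes(range(256)) * 32 + b"\xff" * 0x2000
    manifest = {
        "uefi": (0x0000, 0x2000, hashlib.sha256(image[:0x2000]).hexdigest(), True),
        "nvram": (0x2000, 0x1000, None, False),
    }
    return FlashFilter(image, manifest)
```

The filter blocks writes that arrive over the monitored bus, while `verify()` also catches changes made outside it, such as an image altered before deployment.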

Because the project's specification is not tied to any CPU or I/O architecture, it has a wide range of applications. It can scale from large data centers to small IoT devices, and its platform security can also be extended to all I/O devices based on the same architectural principles.

Microsoft is also working with Intel to explore the best way to introduce platform firmware security, and plans to contribute Project Cerberus to OCP. At present, the draft specification of Project Cerberus covers only the firmware on the motherboard, such as the UEFI BIOS, BMC and Option ROMs. In the future, Microsoft will work with the community to extend the specification to various I/O components, including traditional hard disks, solid-state drives, network cards, programmable logic devices (FPGAs) and GPUs.

