AMI Brings Secure Firmware to the Open Compute Project
The pool of available open source resilient firmware keeps growing. This week, dynamic firmware maker AMI announced the contribution of its Tektagon OpenEdition Platform Root of Trust to the Open Compute Project (OCP). It’s a move the company hopes will provide increased options to organizations that wish to build devices with secure and manageable firmware.
Tektagon OpenEdition is an open source platform root-of-trust with security features designed to detect platform firmware corruption, recover compromised firmware and protect firmware integrity. AMI’s chief product officer Kelly Bryant said in an interview with Security Boulevard that Tektagon OpenEdition’s open source architecture increases firmware code transparency and helps organizations to create better code and increased customizability.
Broadly, within firmware, a platform root-of-trust (PRoT) provides resiliency by offering protection from tampering, the ability to detect corruption and recovery to a known good state.
The contribution of AMI’s Tektagon OpenEdition to the OCP joins the company’s earlier contributions of Aptio OpenEdition UEFI Firmware and MegaRAC OpenEdition BMC Firmware code. According to Bryant, AMI’s open source firmware covers secure boot, secure management and now, with Tektagon, secure PRoT. “We now provide open source options for everything needed in a platform to power, manage and secure connected devices,” said Zachary Bobroff, senior director, product office at AMI.
“We’re very focused on platform security,” added Bryant. “And trying to develop ways in which platform owners can keep the firmware on their platforms safe. This year’s big initiative is developing open source NIST-compliant firmware based on SP800-193, Platform Firmware Resiliency Guidelines. [Tektagon OpenEdition PRoT] will detect whether you have a malicious injection, [such as] if someone’s modified or tampered with your boot code. It’s going to make sure that during the supply chain, nothing has tampered with it. And if it has, it is actually going to quarantine it and let you move it back to a known good state,” explained Bryant.
“As threats to firmware integrity and security increase, AMI’s participation in building up hardware security layers that enable systems builders to more easily deliver open and secure cloud platforms is exactly what the community needs, and at the right time,” said Bijan Nowroozi, CTO at the OCP Foundation.
Firmware attacks are on the rise. A March 2021 study commissioned by Microsoft found that 80% of enterprises experienced at least one firmware attack in the two years before that study. Earlier this year, millions of Lenovo laptops were found to be vulnerable to firmware-level attacks after three flaws provided attackers a straightforward way to infect firmware and remain difficult to identify and remediate. Also, this year, CosmicStrand was exploiting the Unified Extensible Firmware Interface (UEFI) to avoid detection.
Essentially, firmware exists in a space between hardware and software and coordinates activity between the hardware and systems operating system. Because it operates under the operating system, it provides attackers significant access to system resources. That access can be used to gain and maintain attack persistence by remaining unseen.
“Firmware is an attack vector for hackers today. It’s privileged code and is the first code that can run unrestricted,” explained Bryant. “If a hacker gets ahold of it, it can be particularly insidious. So, if you are an owner or you manage critical infrastructure, one of the more proactive things that you can do is make sure that your system or your platform has a hardware root of trust. And if it doesn’t, you should mandate that your vendor provide that.”
The OCP Foundation is a global community of technology leaders collaborating to bring open source to traditionally proprietary IT infrastructure.