Security has been a growing concern for data centers for several years now. With the evolution of cloud, and with more and more customer data moving to the cloud, the data center has become a major target for hackers, and the level of sophistication demonstrated by the various malicious actors has grown significantly.
One of the more stealthy ways for attackers to get into a system is to compromise it using rogue firmware. Such attacks are very hard to detect, prevent and recover from. Firmware viruses are now seen in the wild, as evident by the discovery of LoJax and the more recent MosaicRegressor BIOS rootkits. OCP recognized the critical need to leverage the power of hardware to secure the foundations of server platforms, and established the OCP Security workgroup in January 2018.
Back in 2018, NIST published a Special Publication 800-193 titled Platform Firmware Resiliency Guidelines, which outlined three main principles that are required to keep firmware secure:
-
Protection - Mechanisms for ensuring that platform firmware code and critical data remain in a state of integrity and are protected from corruption or intentional compromise.
-
Detection - Mechanisms for detecting when platform firmware code and critical data have been corrupted or otherwise changed from an authorized state.
-
Recovery - Mechanisms for restoring platform firmware code and critical data to a state of integrity in the event that any such firmware code or critical data are detected to have been corrupted, or when forced to recover through an authorized mechanism.
The OCP Security Group was formed to tackle this challenge and define a set of specifications for open compute hardware, which will make systems compliant with the NIST requirements. To help get this effort started, a group of major cloud providers and industry device manufacturers have teamed up, and together they have defined a set of standard specifications and requirements that will ensure future OCP servers and data center equipment can be made secure against firmware compromises.
To learn more what the Security Project has been working on over the past few months, please register for OCP Tech Week and attend the security sessions scheduled on November 12–13, 2020 (PST).