Universal Platform Firmware Resiliency (PFR) – Servers

NIST SP 800 193 Standard Based Implementation: Robust Security in Hardware, Comprehensive Coverage

The National Institute of Standards and Technology (NIST) released the NIST SP 800 193 specification in 2018, which defines a uniform security mechanism known as Platform Firmware Resilience (PFR). PFR, using a hardware-based solution, is a new approach to securing enterprise server firmware that comprehensively prevents attacks on all firmware in a server.

PFR addresses the vulnerability of enterprise servers that contain multiple processing components, each having its own firmware. This firmware can be attacked by hackers who may surreptitiously install malicious code in a component’s flash memory that hides from standard system-level detection methods and leaves the system permanently compromised. The specification is based on three guiding principles:

  1. Protection – Lattice has demonstrated state machine-based algorithms that offer Nanosecond response time in detecting security breaches into the SPI memory. This prevents unauthorized access to modify any of the firmware in SPI memory. The solution is customizable through simple easy to use databases. Using secure communication with the PFR algorithm, the BMC will be able to authorize modifications to SPI memory to support in-system updates.
  2. Detection – Elliptic Curve Cryptography (ECC) based measurements made on the firmware stored in each of the SPI memory detects all unauthorized modifications to it. The detection method is independent of the existing firmware security approaches used in that design. Using the integrated board power management function, it is possible to detect any unauthorized modifications to firmware before the board is started up.
  3. Recovery – If a security breach is detected, Lattice’s implementation provides a customizable recovery mechanism. This mechanism can perform a simple rollback to a previous version of firmware, or a full blown recovery to the latest authorized version of the firmware to full blown recovery to the latest authorized version of the firmware. The Power Management and Control PLD algorithm can be customized to respond to the nature of the breach to implement the full trusted recovery process for any Board.

Implementation Features

  • Scalable – Protect, with nanosecond level response all firmware on the board. The solution can also protect other add-in sub systems through secure communication with the corresponding roots of trust
  • Non-By-passable – As this solution implements the full power sequencing for the server board along with the PFR implementation, it cannot be by passed
  • Self-Protecting – The PFR implementation uses a revolutionary Root-of-Trust FPGA as an anchor. This FPGA can dynamically control its attack surface and protects itself form external attacks
  • Self-Detecting – The Root-of-Trust FPGA can detect any security breach of its configurations by using a non-by-passable cryptographic hardware block.
  • Self-Recovery – The Root-of-Trust FPGA can switch over to the golden image automatically when it discovers a breach to its active configuration

Contact us to get details of the PFR implementation.

ブロックダイアグラム

ビデオ

Platform Firmware Resilience (PFR)Expand Image

ビデオ用のプレースホルダー

ラティスのRoot of Trust FPGAソリューションを使って、あなたのサーバーシステムに新しいNIST SP 800913規格を満たすPFRを実装する方法を紹介します

Like most websites, we use cookies and similar technologies to enhance your user experience. We also allow third parties to place cookies on our website. By continuing to use this website you consent to the use of cookies as described in our Cookie Policy.