The National Institute of Standards and Technology (NIST) released the NIST SP 800 193 specification in 2018, which defines a uniform security mechanism known as Platform Firmware Resilience (PFR). PFR, using a hardware-based solution, is a new approach to securing enterprise server firmware that comprehensively prevents attacks on all firmware in a server.
PFR addresses the vulnerability of enterprise servers that contain multiple processing components, each having its own firmware. This firmware can be attacked by hackers who may surreptitiously install malicious code in a component’s flash memory that hides from standard system-level detection methods and leaves the system permanently compromised. The specification is based on three guiding principles:
- Protection – Lattice has demonstrated state machine-based algorithms that offer Nanosecond response time in detecting security breaches into the SPI memory. This prevents unauthorized access to modify any of the firmware in SPI memory. The solution is customizable through simple easy to use databases. Using secure communication with the PFR algorithm, the BMC will be able to authorize modifications to SPI memory to support in-system updates.
- Detection – Elliptic Curve Cryptography (ECC) based measurements made on the firmware stored in each of the SPI memory detects all unauthorized modifications to it. The detection method is independent of the existing firmware security approaches used in that design. Using the integrated board power management function, it is possible to detect any unauthorized modifications to firmware before the board is started up.
- Recovery – If a security breach is detected, Lattice’s implementation provides a customizable recovery mechanism. This mechanism can perform a simple rollback to a previous version of firmware, or a full blown recovery to the latest authorized version of the firmware. The Power Management and Control PLD algorithm can be customized to respond to the nature of the breach to implement the full trusted recovery process for any Board.