One area of concern that has been the reoccurance of firmware test keys found in production systems.  These test keys support AMI’s approach to increase efficiency of firmware integration during system development.  The keys are only intended to be used during development and should never remain in place as systems are placed into production.

Adopting a Less Efficient Approach Does Not Fix the Issue

AMI has evaluated its offering of these test keys to its partners.  While understanding the improvements to partner efficiency during development, there is risk that best practices might not be met, creating exposure of these keys in production systems.

The alternative to providing these test keys would be that AMI partners would have the burden of generating the test keys themselves for development.  While this would remove AMI’s exposure to having AMI-generated test keys found in production systems, this would still not remove the need for best practices in the supply chain for having the partner-generated test keys replaced prior to production.

AMI is Committed to an Efficient Approach that Helps Ensure Best Practices are Followed

In order to continue to support the efficient system development of partner systems, AMI has chosen to maintain its approach toward efficient system development.  As such AMI will continue to deliver tools, including test cert keys, to its partners, while committing to efforts that help ensure best practices are followed.  AMI has incrementally added safeguards in its firmware, such as partner alerts when test keys are in use in code builds that include warnings in the BIOS setup screens, notifying the user that test keys are present.

Supporting the transition from development to production, AMI offers the AMI CLEFs firmware signing tool.  This cloud-based service generates the necessary keys for AMI firmware in production, maintaining the private keys in a Cloud HSM.  By providing this service, AMI is assisting its partners in transitioning from the test keys that are used in development to secure keys that are used in production systems.

AMI continues to evaluate how it contributes to efficient system development and best practices.

Security is Paramount at AMI

Additionally, AMI now offers various products and features, such as Tektagon Platform Root of Trust with encryption key management and remote attestation support, ensuring platform firmware resilience for host and peripheral devices.

In the end, ensuring best practices in the supply chain is necessary to avoid issues, like the proliferation of insecure test certs being used in production systems.  Often following the processes associated with these practices is challenging.   AMI understands these challenges but is committed to helping maintain a secure supply chain.  AMI will continue to support this effort, providing the necessary tools and support that help ensure a secure supply chain.

The post An Efficient Approach Toward System Development Requires a Commitment to Best Practices appeared first on AMI.

AMI Tektagon™ XFR Platform Root of Trust (PRoT) Firmware Resilience on Arm-based Platforms

In order to secure platform firmware, the platform-agnostic AMI Tektagon XFR PRoT solution is a perfect fit. This solution leverages the Lattice™ Mach-NX Series, a low-power FPGA Hardware Root of Trust (HRoT) controller to detect, recover and protect against host firmware intrusions for total firmware resiliency. Additionally, for heightened system security, AMI Tektagon XFR delivers firmware attestation to peripheral devices as well as those on the motherboard. This complete PRoT solution is offered across all major platforms including Arm-based systems.

As cloud and on-premises data centers meet greater demands, it is crucial that there are more systems that can support the performance, scalability, and sustainability requirements with greater manageability. Meeting these demands are the Arm-based platforms, such as that provided in the Ampere Altra processor servers. Architected to meet the greatest functionality demands, these Arm-based platforms can provide all the necessary components to support a fully resilient PRoT solution, on the motherboard as well as peripheral devices.

What will be Revealed by AMI and Arm at the OCP Regional Summit?

At the Open Compute Project’s Regional Summit in Prague on April 19th and 20th, AMI and Arm will reveal AMI Tektagon XFR, deployed on a Broadcom PCIe Card connected to an Arm-based, Ampere Alta processor platform. The solution will show a secure system boot with device attestation using SPDM for active system management.

During the pre-boot phase, Tektagon XFR will initialize with the SPDM device to the Broadcom controller. Once the communication is established, the solution will verify the correct device manufacturer through a certificate exchange. Lastly, Tektagon XFR will run an attestation on signed measurements from the device, comparing it to known “good” values. With a successful attestation, the system will be released to boot. If attestation is unsuccessful, the system will be held at reset.

In addition to the demonstration, AMI and Arm will have a technical presentation about “Secure System Design on Arm using Platform Root of Trust (PRoT).” The session will be held at 9:30 am on April 20th.

Please Join AMI’s Booth Number A15 for the Demo Experience

Interested in viewing this live demo? Participants can find this and other demonstrations in the AMI booth (A15), at the OCP Regional Summit on April 19th and 20th. Stop by and engage with us for further discussions.

About AMI Tektagon XFR

AMI Tektagon XFR is a fully NIST 800-193 compliant integrated PRoT solution that is cost-effective, scalable, compatible, and easy to implement. The solution leverages a Lattice Mach-NX Series, a low-power FPGA controller to deliver pre-verified, PFR-compliant functionality, to a server’s motherboard and peripheral devices. Features of the Tektagon XFR solution include image validation, firmware attestation, and recovery, to deliver full firmware resiliency.

The post Securing Arm®-based Servers with Platform Firmware Resiliency appeared first on AMI.

AMI Tektagon™ Answers the Call

Platform Root of Trust (PRoT) solutions, like AMI Tektagon XFR, enabled by the low-power Lattice™ Mach-NX Hardware Root of Trust FPGA can add platform firmware resiliency. However, the effort to implement a PRoT solution is not trivial.  Combine that with the hurdles of integrating different types of platform firmware with the compatibility necessary to initialize the host silicon.  Additionally, developers might be challenged to scale across multiple silicon and platform vendors. These challenges become more significant when building compatibility across different open-source firmware.

What Does AMI Tektagon XFR Demo on AMD Platform Showcase?

At the Open Compute Project’s Regional Summit in Prague on April 19th and 20th, AMI and AMD will showcase the AMI Tektagon XFR running on AMI Aptio OpenEdition UEFI open-source boot firmware using AMD 4th Gen EPYC™ processor-based platform.  The solution delivers detection of firmware intrusions, protection against ongoing firmware intrusions, and recovery from compromised firmware.

During the demo, OCP attendees will be able to see Tektagon XFR, running on the Lattice Mach-NX FPGA perform CPU attestation using SPDM with AMI Aptio OpenEdition boot firmware.  During the pre-boot phase of the platform bring-up, Tektagon will serve as the SPDM requester and issue commands to receive measurements from AMD’s SoC boot images. If the values received are different from the “known good measurements”, the boot process is halted.  Booting will then be prevented until the firmware image is recovered and a good flash image is reported.

Please join us at AMD Booth Number A4 to Experience the Demo

Interested in viewing this live demo? Participants can find this and many other demonstrations in the AMD booth (A4), at the OCP Regional Summit on April 19th and 20th.  Stop by and engage with members of AMD and AMI for further discussions.

About AMI Tektagon

AMI Tektagon XFR is an integrated PRoT solution that is cost-effective, scalable, compatible, and easy to implement.  The solution leverages a Lattice Mach-NX Series, a low-power FPGA controller to deliver pre-verified, PFR-compliant functionality, to a server’s motherboard and peripheral devices.  Features of the Tektagon XFR solution include image validation, firmware attestation and recovery, to deliver full firmware resiliency.

The post AMI to Showcase Platform Root of Trust CPU Attestation on AMD Platform appeared first on AMI.

ATLANTA, GEORGIA – AMI®, the global leader in Dynamic Firmware for worldwide computing, today announces Tektagon™ BFR as the latest member of its Tektagon family of Platform Root of Trust (PRoT) security solutions. This new member of the Tektagon family leverages Microchip Technology Inc. HRoT and embedded controllers for platform resiliency for cloud service providers, server ODMs and OEMs, central office and edge switching and client and embedded device manufacturers.

The increase in data and devices in today’s IT landscape broadens the playing field for attacks, leading to more vulnerabilities. According to a recent report from Microsoft, 83% of all businesses have experienced a firmware attack in the past two years. Furthermore, the average cost of a data breach has reached an all-time high of $4.35M, according to IBM.  To defend against these firmware attacks, AMI has developed the Tektagon™ family of PRoT products, ensuring security beyond system boot, providing runtime protection to motherboard and peripheral firmware. Tektagon BFR is a new addition to the family, delivering an easily implemented microcontroller solution, expanding platform resiliency to more applications.

“Any Zero Trust strategy must include firmware security,” says Stefano Righi, Senior Vice President for the Global Software and Security Group at AMI. “BIOS, BMC and any other firmware running on the platform must be resilient, and Tektagon BFR platform root of trust provides foundational security and establishes the chain of trust for a wider array of applications.”

AMI’s Tektagon family of products includes Tektagon XFR for enterprise and scale-out servers, Tektagon OpenEdition™ for the open-source community and now Tektagon BFR. Adaptable to all major host silicon vendors, AMI’s Tektagon security solutions are NIST® 800-193-compliant – meeting protection, detection and recovery requirements for platform resiliency.

Tektagon BFR is well-suited for enterprise and entry server, IoT, client and embedded devices, desktop and workstation systems. Utilizing one of the Microchip CEC17x2 & CEC173x HRoT controllers or MEC170x & MEC152x embedded controllers, it provides a microcontroller-based solution for PRoT needs. Tektagon BFR also includes runtime flash protection, flexible recovery integrated with Aptio and MegaRAC, secure updates of recovery images and intrusion detection.

To learn more about our Tektagon BFR PRoT security solution or the Tektagon family of products, please contact us at ami.com/contact.

The post AMI Announces Tektagon™ BFR to Bolster Platform Firmware Security appeared first on AMI.