Microsoft introduces new secure firmware spec via the Open Compute Project
Microsoft is extending its Open Compute Project (OCP) contributions with a new security-focused component.
Microsoft’s “Project Cerberus” is a cryptographic microcontroller that is designed to intercept accesses from the host to flash over the SPI bus, where the firmware is stored. It’s meant to protect against unauthorized access and malicious updates, said Microsoft officials in a November 8 blog post.
Cerberus will be able to defend platform firmware from insiders with administrative privilege or access to hardware; hackers and malware exploiting bugs in the OS, app, or hypervisor; supply-chain attacks; and compromised firmware binaries, officials said.
Project Cerberus enables pre-boot, boot-time and runtime integrity for all the firmware components in the system, Microsoft execs said. The specification for Cerberus is CPU and I/O architecture agnostic, so it can be implemented in different ways on a variety of platform types, starting with datacenter servers, and ultimately also on IoT devices.
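To make the mechanism described above concrete, here is an added example (not Cerberus code and not from the OCP draft spec): a Python model of a microcontroller interposed on the SPI bus that lets the host read flash, denies host writes and erases to a protected firmware region, accepts a replacement image only through an authenticated update path, and reports a boot-time measurement of that region. The opcodes are the common JEDEC SPI NOR values; the policy, the HMAC check (standing in for the signature verification a real root of trust performs), the key and the region sizes are assumptions.

```python
import hashlib
import hmac

# Real JEDEC SPI NOR opcodes; the policy, sizes and keys below are constructed.
READ, PAGE_PROGRAM, SECTOR_ERASE = 0x03, 0x02, 0x20
SECTOR = 4096


def sign_update(key: bytes, image: bytes) -> bytes:
    # HMAC-SHA256 stands in for the public-key signature a real root of trust would check.
    return hmac.new(key, image, hashlib.sha256).digest()


class FlashInterposer:
    """Models a microcontroller on the SPI bus between host and flash (constructed)."""

    def __init__(self, image: bytes, update_key: bytes, protected: range):
        self.flash = bytearray(image)
        self.key = update_key
        self.protected = protected      # region only the interposer may modify
        self.audit = []                 # events a defender would forward to monitoring

    def host_command(self, opcode: int, addr: int, payload: bytes = b"", length: int = 0):
        """Filter a host-originated SPI transaction: reads pass, protected writes are denied."""
        if opcode == READ:
            return bytes(self.flash[addr:addr + length])
        if opcode not in (PAGE_PROGRAM, SECTOR_ERASE):
            return False
        span = SECTOR if opcode == SECTOR_ERASE else len(payload)
        if addr < self.protected.stop and addr + span > self.protected.start:
            self.audit.append(("blocked", hex(opcode), hex(addr)))  # runtime protection
            return False
        if opcode == SECTOR_ERASE:
            self.flash[addr:addr + SECTOR] = b"\xff" * SECTOR
        else:
            self.flash[addr:addr + span] = payload   # simplified: real NOR only clears bits
        return True

    def apply_update(self, new_image: bytes, tag: bytes) -> bool:
        """Authenticated update path: rewrite the protected region only if the tag verifies."""
        if len(new_image) != len(self.protected) or not hmac.compare_digest(
                sign_update(self.key, new_image), tag):
            self.audit.append(("rejected-update", hashlib.sha256(new_image).hexdigest()[:16]))
            return False
        self.flash[self.protected.start:self.protected.stop] = new_image
        return True

    def measure(self) -> str:
        # Boot-time measurement of the protected region, the value a platform would attest.
        return hashlib.sha256(self.flash[self.protected.start:self.protected.stop]).hexdigest()
```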
The specifications for Project Cerberus are still under development. Microsoft says it’s working with Intel on the best implementation models. An initial draft of the Project Cerberus architecture and specifications is available on GitHub.
Last year, Microsoft was working on version 2.0 of its Open CloudServer datacenter-server design for contribution to the OCP. That design is codenamed “Project Olympus.” As of this week, Microsoft officials said the design for Olympus 2.0 is now 100 percent complete and open sourced via OCP contributions. Microsoft itself deploys Project Olympus hardware in Azure with its Fv2 virtual machine family. Microsoft said Project Olympus hardware is now commercially available from various OCP solution providers, including Wiwynn and ZT Systems.
Microsoft officials called Cerberus the next phase of Project Olympus. They noted that Microsoft spends a billion dollars a year on cybersecurity, with much of that going toward securing Azure. The company is taking some of its work around datacenter security, data privacy and encryption, threat detection, and other related work and applying it to its OCP efforts.
Microsoft joined the Open Compute Project (OCP) in 2014, and is a founding member of and contributor to the organization’s Switch Abstraction Interface (SAI) project. The OCP publishes open hardware designs intended to be used to build datacenters relatively cheaply. The OCP has already released specifications for motherboards, chipsets, cabling, and common sockets, connectors, and open networking and switches.
In what may or may not be related to Cerberus, Microsoft researchers are working on ways to secure Internet of Things devices at the microcontroller level with “Project Sopris.”
(Thanks to Tero Alhonen for the heads-up on Twitter about Project Cerberus.)