OCP spec for silicon security could help reduce vendor lock-in

A new specification from the Open Compute Project could mean more choices for IT pros when it comes time to replace server cards.

The spec defines a block of code that, when used in processors, establishes root of trust (RoT) boot security. Because the spec is open, any chip maker can use it, and it will provide interoperability with chips made by other chip makers that also use it. This can help eliminate being locked into a single vendor because of proprietary RoT code.

By standardizing on OCP hardware, for example, it’s possible to replace a bad smartNIC from one vendor with one from another vendor, says Bill Chen, general manager of server product management at Supermicro, an OCP member.

“This will make it easier to change or upgrade to a new card, and because of that [OCP] standard you can purchase from all different vendors like Mellanox or Broadcom. You will have multiple options,” he said.

Vendors and service providers that have worked on the project, include AMD, Microsoft, Google, and Nvidia. Notably absent is Intel.

The purpose of the spec,called Caliptra, is to provide consistent, verifiable cryptographic assurances of an ASIC’s or SoC’s security configuration across all participating vendors, and make it as a drop-in piece of IP.

RoT is used everywhere, from the data center to the edge to cloud computing, where there is great demand for protecting sensitive data. The specification provides a standard method of creating technologies around secure and confidential computing, which can protect data whether it is stored, in transit, or being processed in the cloud.

Dell defines RoT as the concept of starting “a chain of trust needed to ensure computers boot with legitimate code. If the first piece of code executed has been verified as legitimate, those credentials are trusted by the execution of each subsequent piece of code.” In other words, if the first bit of code is trusted, then the rest is, too.

Root of Trust provides that source within a cryptographic system that can always be trusted and is used for crypto functions such as generating and verifying digital signatures. RoT implementations generally include a hardened hardware module.

The Caliptra 0.5 specification is available to download now. As the 0.5 designation would indicate, the spec isn’t quite done. The 0.5 release is an invitation to the broader OCP community to provide feedback and input, to ensure it meets broader industry needs.