Google announced the introduction of chips based on the OpenTitan open source platform in Chromebook devices. Chromebooks are the first commercially available devices equipped with OpenTitan. Google plans to begin deploying OpenTitan-based server systems in its data centers later this year. Nuvoton is organizing mass production of the chips. Work has also begun on a second version of the chip, which will enable the use of the ML-DSA and ML-KEM post-quantum encryption algorithms for secure boot and attestation. These algorithms implement cryptographic methods based on lattice theory.
The OpenTitan project provides a platform for creating trusted hardware components (RoT, or Root of Trust) used to ensure the integrity of system hardware and software elements. OpenTitan was founded by Google in 2018, but was transferred to the non-profit organization lowRISC in 2019. Since then, companies such as Western Digital, Seagate, Nuvoton Technology, Winbond, Rivos, zeroRISC, and G+D Mobile Security have joined its development. The project's code and hardware component specifications are published under the Apache 2.0 license. The solutions used in OpenTitan are based on technologies already used in Google Titan cryptographic USB tokens and TPM chips for verified boot installed on серверах on Google's infrastructure, as well as on Chromebooks and Pixel devices.
Unlike existing Root of Trust implementations, OpenTitan is developed according to the concept of "security through transparency", which implies the availability of code and schematics, as well as the use of a completely open development process, not tied to specific vendors and chip manufacturers. OpenTitan is the first open Root of Trust implementation to be released to the market, which supports a post-quantum secure boot mechanism based on the use of the SLH-DSA (Sphincs+) digital signature generation algorithm, which is resistant to brute force on quantum computers.
OpenTitan-based chips can be used in server motherboards, network cards, consumer devices, routers, and IoT devices to verify firmware and bootable components (protect critical system parts from modification), generate cryptographically unique system identifiers (protect against hardware tampering), provide security-related services, protect cryptographic keys (isolate keys in the event of an attacker gaining physical access to the equipment), and maintain an isolated audit log that cannot be edited or deleted.
OpenTitan includes logic blocks required in RoT chips, such as an open microprocessor based on the RISC-V architecture (RV32IMCB Ibex), cryptographic coprocessors, a hardware random number generator, a key manager with DICE support, a mechanism for secure data storage in permanent and operational memory, security technologies, I/O blocks and secure boot components. The device also provides blocks with the implementation of typical encryption algorithms such as AES and HMAC-SHA256, and an accelerator of mathematical operations used in algorithms for working with digital signatures based on public keys.
Source: opennet.ru
