The Kunpeng Security Libraries (KunpengSecL) open-source project provides basic security software components running on Huawei’s Kunpeng ARM processors used in the TaiShan server family. The project currently focuses on trusted computing capabilities such as remote attestation to empower security developers in the community.
Each feature of the KunpengSecL will consist of components and services. A component is deployed on a server node that provides resources (computing, storage, and network) for users to run workloads. It converts platform security and trust capabilities into software interfaces and provides them for services. A service is deployed on a dedicated management server node, aggregates the security and trust capabilities from all worker server nodes, and provides them to users and their designated management tools to meet the user’s specific requirements for system security and trustworthiness design.
The first security feature of the KunpengSecL is remote attestation. The purpose is to help users obtain trust status reports on the software and hardware in worker server nodes and to support the end-to-end remote attestation solution. Resource management tools can formulate policies based on trust status reports in order to schedule and to use server resources in a differentiated manner.
The remote attestation feature of the KunpengSecL builds on the mature TPM root of trust and it supports complex deployment environments and multi-layer scalability.
The remote attestation service (RA Service or RAS) and remote attestation client (RA Client or RAC) in the remote attestation architecture correspond to the services and components in the general definition of the KunpengSecL.
The remote attestation feature of the KunpengSecL intends to support the following scenarios:
The RAC Tools abstracts the details of the interaction with trusted modules and the worker server system, and assumes the responsibility of supporting other trusted modules in the future.
The RA Hub is responsible for the communication convergence and proxy role for the local RAC when required. In addition, the RA Hub will provide the capability of adapting the communication channel between the RAC and the RAS in the future.
1. Uses heartbeat handling flow to help target server piggy-back action request from the RAS, in order to avoid opening new communication ports in the target worker server, thus reducing the attack surface.
2. Uses policies in the RAS to support automatic extraction of reference measurements and automatic update of the reference measurements for upgrading a target worker server.
3. Deploys the RAHub to enable client aggregation (cascading) in the case that some RACs in a network are not able to reach the RAS due to network isolation or communication channel restrictions.
In the next few years, the KunpengSecL will:
Developers and end users are welcome to actively participate in the open source development of the KunpengSecL from design to development. For more ideas, please access https://gitee.com/openeuler/kunpengsecl/issues and leave your valuable comments there or submit issues.
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.