A recent Deloitte Touche Tohmatsu Limited survey* found that 85 percent of surveyed global supply chains had experienced at least one disruption in the past 12 months. These disruptions can interrupt business operations, delay production, incur significant fines and lead to legal action. The report also noted that “…supply chain risk management (is) not normally considered effective.”
TCG has been working on this problem and recently published a specification for the trusted supply chain. It defines how TPM credentials are used to verify supply chain entities during manufacturing, assembly and delivery, using the specific TPM on the device. The TPM manufacturer creates an endorsement key on the TPM, then separately creates a signed X.509 endorsement credential and installs it into the TPM to provide proof of the TPM’s source.
The TPM can be used to cryptographically bind production lines and the devices they produce, including multi-vendor, multi-stage production. In this capacity, the TPM augments existing acceptance testing tools and validates the source of components and assembly – and can detect malicious component swaps.
The NSA and Intel, both active in this effort, have announced new open source tools to support this specification and its use. Intel offers an open source tool for creating platform certificates for manufacturers and assembly companies, available on GitHub as the Platform Certificate Validation Tool.
NSA’s Host Integrity (HI) Attestation Certificate Authority (ACA) is available on the NSA Cyber GitHub site. The ACA provides an “Acceptance Test” policy, used to prove a device was produced by the claimed manufacturer.