Intel Assured Supply Chain Product Brief

46 points | 11 comments | 4 days ago
saltcured

The brief directly cites some of the compliance frameworks which have supply chain risk controls in them.

This topic is kind of fascinating though. Considering the mindset from the Reflections on Trusting Trust paper, I do wonder how you bootstrap an assured supply chain like this. I know verification of chips and designs has been an active research area. But is there any formal solution to the larger problem of all the transitive dependencies of design and control of production?

How do you get there if you weren't already doing it from the start? It isn't just the chain of custody of the new chip that comes out. What about all the chips used in the production process and in the chain-of-custody tracking process? What about the chain of custody of all the design and process control artifacts that influenced the implementation of these processes? And the chips used to develop and manage those artifacts...

It feels like it most likely is a "turtles all the way down" kind of myth. Eventually, do you just give up and hope your layers of compliance frameworks have produced some kind of defense in depth cocoon?

I'm not sure it is even all that asymmetric. Do all the layers of compliance ritual disrupt the attacker more aggressively than it disrupts the desired production? There is a strong whiff of regulatory capture to these compliance frameworks, making it hard to divine how much it really blocks attackers versus upstart competitors...

kevincloudsec

The attestation is a real step forward for silicon provenance. The problem is your board, firmware, BMC, and NIC still come through the same opaque supply chain as before. The processor is rarely where a hardware implant goes.

throwway120385

So only for some of their processors? This doesn't seem to have anything to do with their bid to become a foundry.

TZubiri

Interestingly, it's just for processors. I would have been down to read about at least a product that 'assures' the supply chain of a broader part of the stack, at least the hardware.

It's just not enough to make me care. I'd probably just rely on the packaging and vendor procurement, but I guess this is an additional tool.
