3. Information Classification: General
Edge Data Challenges
1. Significant growth in data-driven autonomous decision-making
2. Billions of sensors, IoT devices, and endpoints generate data for machine learning training and inference
3. Many of these endpoints have weak or no security, increasing the risk of unauthorized data manipulation
4. Chain of Custody for Data
Trusted Endpoint
• Identity attestation
• Firmware and run-time attestation
• Secure isolation of critical functionality
• Origin attestation with data fingerprinting
Assurance
• Immutable and verifiable object storage framework
• Fingerprints for content and metadata integrity and origin
Notarization
• Ledger to record content manifest identifiers
• Immutable relative ordering of events
Mobilization
• Devices and applications have cryptographic identities
• Only provisioned member devices within the domain
• Verifiable provenance of data objects based on crypto identity
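The Assurance and Notarization blocks above (content and metadata fingerprints bound into a manifest, a ledger that records manifest identifiers and fixes their relative order) as an added Python example; this is not Seagate's or the deck's code. It assumes SHA-256 as the fingerprint, canonical JSON for manifests and ledger entries, and a hash-chained list as the ledger; the device name and GPS reading are constructed.

```python
import hashlib
import json

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint (assumed hash function; the deck does not name one)."""
    return hashlib.sha256(data).hexdigest()

def canonical(obj: dict) -> bytes:
    """Canonical JSON so the same object always yields the same fingerprint."""
    return json.dumps(obj, sort_keys=True).encode()

def make_manifest(device_id: str, metadata: dict, content: bytes) -> dict:
    """Manifest binding content and metadata fingerprints to the originating device."""
    manifest = {"origin": device_id, "metadata": metadata,
                "content_fp": fingerprint(content),
                "metadata_fp": fingerprint(canonical(metadata))}
    manifest["id"] = fingerprint(canonical(manifest))  # the identifier the ledger records
    return manifest

def notarize(ledger: list, manifest_id: str) -> dict:
    """Append a ledger entry that hashes its predecessor, fixing relative order."""
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    entry = {"seq": len(ledger), "manifest_id": manifest_id, "prev": prev}
    entry["entry_hash"] = fingerprint(canonical(entry))
    ledger.append(entry)
    return entry

def verify_object(manifest: dict, content: bytes, ledger: list) -> bool:
    """Content and metadata must match the manifest, and the manifest must be notarized."""
    body = {k: v for k, v in manifest.items() if k != "id"}
    return (fingerprint(canonical(body)) == manifest["id"]
            and fingerprint(content) == manifest["content_fp"]
            and fingerprint(canonical(manifest["metadata"])) == manifest["metadata_fp"]
            and any(e["manifest_id"] == manifest["id"] for e in ledger))

def verify_ledger(ledger: list) -> bool:
    """Recompute the chain; any edit, removal or reordering breaks a link."""
    prev = "0" * 64
    for seq, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["seq"] != seq or entry["prev"] != prev
                or fingerprint(canonical(body)) != entry["entry_hash"]):
            return False
        prev = entry["entry_hash"]
    return True

LEDGER = []  # constructed sample ledger, starts empty
READING_A = b"lat=37.37,lon=-122.03,alt=120"  # constructed GPS reading
MANIFEST_A = make_manifest("drone-01", {"sensor": "gps", "seq": 1}, READING_A)
notarize(LEDGER, MANIFEST_A["id"])
```

A reader can tamper with the content bytes, the manifest fields, or the ledger order and watch the corresponding check fail.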
5. Concept Use Case
[Diagram: Cloud, Mobile Device, Edge Data Storage, Notary, Provisioning and MFA Device around an Endpoint built on RISC-V with secure enclave(s) as Root of Trust; labelled flows: data offload/storage with manifest validation, data manifest transfers, and device identity provisioning.]
6. Trusted Endpoint
Building Blocks
• DJI Matrice 100
• HiFive Unleashed
• Keystone Enclave
• Yubico Yubikey
Endpoint Services
• Lightweight object storage
• Verified data transfers
• Device provisioning
• Data movement
• Secure data logging
7. Enclaves and Root of Trust
Keystone: Open-Source Enclave Framework for RISC-V
• Trusted run-time for applications
• Isolation of sensitive data & functionality
D. Lee et al., “Keystone: An Open Framework for Architecting Trusted Execution Environments,” https://doi.org/10.1145/3342195.3387532
9. Enclaves and Root of Trust
Root of Trust
• Platform integrity
  • Self and system, e.g., Keystone SM
• Secrets storage and crypto operations
• Cryptographic identity
  • E.g., Trusted Computing Group’s DICE (Device Identifier Composition Engine)
Keystone use cases
• Device/endpoint attestation
• Secure endpoint services, e.g., data fingerprinting, key management
10. OpenTitan is the first open source project building a transparent, high-quality reference design for silicon root of trust (RoT) chips.
[Diagram: Traditional RoT versus OpenTitan across the Software, Silicon and Integration layers (Firmware, APIs, Instruction Set Architecture, SoC Architecture, RTL Verification, Digital IP (RTL), Analog IP, Foundry IP, Protocols, Physical Design Kit, Chip Fabrication, Chip Packaging, PCB Interface, PCB Design (Sch & Layout)); the traditional stack is labelled Proprietary, the OpenTitan stack Open.]
11. Root of Trust Prototype
Seagate evaluation platform for endpoint storage
• Trenz TE0841 - Xilinx Kintex UltraScale XCKU035
• USB 3.x host interface
Ported OpenTitan to TE0841
• Added peripheral proprietary IP blocks
• Added placeholder IP as needed
Firmware/software
• Secure boot and secure updates
• Device identity and attestation
• Advanced features, e.g., HSM
What’s next
• Maturation of OpenTitan
• Attestation protocol enhancements
• Integrated IP for custom SoCs