Intel® Transparent Supply Chain (presentation to the NCCoE)
TRANSCRIPT
Intel® Transparent Supply Chain
Mark Boucher – Intel Compute Lifecycle Assurance Architect
Our Approach
• Build upon Intel’s internal supply chain expertise
• Scope the end-to-end supply chain (sand to EOL) and the complete product lifecycle (idea to EOL)
• Work with OEMs, suppliers, standards groups and influencers to plan and promote interoperability and standards for increased transparency
• Make this broadly available across all compute devices
• Deliver incremental improvements that increase security through transparency of the compute lifecycle
• We are enabling the ecosystem today, with multiple OEMs/ODMs already TSC enabled
Compute Lifecycle Assurance Vision
(Slide diagram; the labels below are what survived extraction.)
Ledger: block-chain – cloud-based distributed ledger
Lifecycle stages: Component Sourcing → Device Build → Distribution → Provisioning → Operating, Updating, Fixing → End of Life
Lifecycle capabilities: Sourcing Visibility, Trusted Build, Tamper Resistance, Trusted Device Setup, Lifecycle Management, Trusted EOL
Lifecycle events: HW Changes, FW Changes, SW Changes, Auto Provisioning, Remote Attestation, Remote Fix
Mechanisms shown on the diagram:
• Supply chain integrity
• Capture platform build & measurements
• Tamper resistance
• Health check for automated provisioning & MDM enrollment
• Ownership transitions
• Platform provisioning via ownership proof
• Establish owner
• Platform seal
• Capture transitions & health of HW, FW
• Authentic platform returned
• Ownership transitions
• Predictive health & security
Operating phases (cycle): Provision, Operate, Recover, Retire
Intel® Transparent Supply Chain Components
Traceability for select Intel® platforms to customers. Provides the following for individual systems:
INTEL® TSC COMPONENT DETAILS
System-Level Traceability
• Supported by signed platform certificates
• Linked to discrete Trusted Platform Module on motherboard
Component-Level Traceability
• Supported by “as-built” report from ODM
• Intel ODM partnerships are vital to two-level traceability
Platform Component Traceability
• Snapshot of the platform components
• Allows for end-user verification using the Auto Verify Tool
Statement of Conformance
• Attests to authenticity of system
• Signed by Intel
Customer Web Portal
• Provides customer access to signed files
• Files available for download
Generating the Chain of Trust Based on the Trusted Platform Module
Chain of trust built up by multiple parties in the system lifecycle:
Endorsement Key Certificate → Platform Certificate → Appliance Certificate
(Trusted Platform Module → Motherboard → Appliance → End User)
Capabilities & benefits by party:
Trusted Platform Module Manufacturer
• Creates Endorsement Key (EK) for each Trusted Platform Module (TPM)
• Establishes hardware root of trust
System Manufacturer
• Permanently mounts TPM onto motherboard
• Creates platform certificate and binds it to the EK
System Integrator
• Creates appliance certificate; binds it to the platform certificate
End User
• Ability to trace appliance to credible hardware root of trust
• Establishes technology provider accountability
• Creates transparency
Intel® Transparent Supply Chain Process
(Slide flow diagram, steps 1–5.)
1. Component and platform data captured at ODM (OEM factory: motherboard + TPM)
   • Component data (vendor, part #, serial #, validation history, ...)
   • Certificate data (Endorsement Key, Endorsement Key serial #, ...)
   • Platform snapshot data (model #, PCR data, Intel® vPro™ technology check, ...)
2. Data transmitted to Intel Key Generation Services
3. Signed certificates created & stored in Intel database
   • Signed “as-built” data
   • Signed platform certificate
   • Signed statement of conformance
4. Signed certificates available for download, view, and data analytics
   • “As-built” data file
   • Direct platform data file
   • TPM platform certificate data file
5. IT customer (first boot): Transparent Supply Chain Auto Verify tool (web download) uses the “as-built” data file, direct platform data file and TPM platform certificate data file to verify the platform (motherboard + TPM); diagram label: “Changes”
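As an added illustration (not Intel’s Auto Verify tool or any TSC code), the chain of trust from the previous slide and the first-boot comparison from this one, modelled in Python on constructed data: HMAC-SHA256 under a per-party key stands in for the real certificate signatures, and the EK serial, model number, PCR value and component serials are made-up values.

```python
# Added example: models the TSC chain of trust (EK cert -> platform cert -> appliance cert)
# and an Auto-Verify-style first-boot comparison. Not Intel code; HMAC-SHA256 under a
# per-party key is a stand-in for real certificate signatures; all data is constructed.
import hashlib, hmac, json

KEYS = {"tpm_mfr": b"k-tpm", "sys_mfr": b"k-oem", "integrator": b"k-si"}  # constructed

def canon(record):
    """Stable byte encoding of a record for signing and hashing."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign(party, record):
    """Return the record with the issuing party and its signature attached."""
    sig = hmac.new(KEYS[party], canon(record), hashlib.sha256).hexdigest()
    return {**record, "issuer": party, "sig": sig}

def valid(cert):
    """Recompute the signature over the body (everything but issuer/sig)."""
    body = {k: v for k, v in cert.items() if k not in ("issuer", "sig")}
    expect = hmac.new(KEYS[cert["issuer"]], canon(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, cert["sig"])

def verify_chain(ek, platform, appliance):
    """Each link must be validly signed by the expected party and bound to the link below."""
    return (valid(ek) and ek["issuer"] == "tpm_mfr"
            and valid(platform) and platform["issuer"] == "sys_mfr"
            and platform["ek_serial"] == ek["ek_serial"]            # platform cert bound to EK
            and valid(appliance) and appliance["issuer"] == "integrator"
            and appliance["platform_cert_hash"] == hashlib.sha256(canon(platform)).hexdigest())

def diff_components(as_built, observed):
    """First-boot check: signed as-built list vs. what the platform reports now."""
    if not valid(as_built):
        return {"error": "as-built signature invalid"}
    expected = {c["part"]: c["serial"] for c in as_built["components"]}
    seen = {c["part"]: c["serial"] for c in observed}
    return {"missing": sorted(set(expected) - set(seen)),
            "added": sorted(set(seen) - set(expected)),
            "changed": sorted(p for p in expected if p in seen and seen[p] != expected[p])}

# Constructed sample chain and as-built data; the SSD serial differs at first boot.
EK = sign("tpm_mfr", {"ek_serial": "EK-0001"})
PLATFORM = sign("sys_mfr", {"model": "M-100", "ek_serial": "EK-0001", "pcr0": "aa11"})
APPLIANCE = sign("integrator", {"appliance": "A-7",
                                "platform_cert_hash": hashlib.sha256(canon(PLATFORM)).hexdigest()})
AS_BUILT = sign("sys_mfr", {"model": "M-100", "components": [
    {"part": "DIMM0", "vendor": "VendorA", "serial": "D-1"},
    {"part": "SSD0", "vendor": "VendorB", "serial": "S-1"}]})
OBSERVED = [{"part": "DIMM0", "serial": "D-1"}, {"part": "SSD0", "serial": "S-9"}]
```

`verify_chain(EK, PLATFORM, APPLIANCE)` returns True, and `diff_components(AS_BUILT, OBSERVED)` flags `SSD0` as changed; a tampered platform certificate or as-built file fails its signature check.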
POC – TSC on Blockchain – Supply Chain Flows
Trusted Supply Chain Flow (DAPP web application on the Ethereum blockchain, with AWS secure storage; attestation with the AutoVerify tool)
Supplier
• Component suppliers register components
• Upload component information
• Transfer ownership to ODM
ODM
• Platform manufactured
• Register platform
• Upload platform files
• Transfer ownership to OEM
OEM
• Retrieve platform data file
• Verify platforms
• Transfer ownership to distributor
Dist/Reseller
• Retrieve platform files
• Modify platform
• Generate platform files
• Transfer ownership to end customer
Platform Owner
• Retrieve platform data files
• Platform attestation w/ AutoVerify tool
• Configure platform
• Generate new platform data files w/ AutoVerify
TSC on Blockchain – POC
(Slide diagram labels.)
Parties: Suppliers, Manufacturer (in- or out-source), Distributors, 3rd-party logistics, Customer/Retailer, Customer data centers
Tooling: TSC DAPP web app / API (shown at each party), Auto Verify Tool, TSC private Ethereum network
Ledger transactions: Register Component, Register Platform, Ownership Transfer, Platform Changes, Platform Attestation