Intel® Transparent Supply Chain - NCCoE - Intel.pdf

Mark Boucher – Intel Compute Lifecycle Assurance Architect

Posted on 20-May-2020


Page 1: Intel® Transparent Supply Chain

Mark Boucher – Intel Compute Lifecycle Assurance Architect

Page 2: Our Approach

• Build upon Intel’s internal supply chain expertise

• Scope the end-to-end supply chain (sand to EOL) and the complete product lifecycle (idea to EOL)

• Work with OEMs, suppliers, standards groups and influencers to plan and promote interoperability and standards for increased transparency

• Make this broadly available across all compute devices

• Deliver incremental improvements that increase security through transparency of the compute lifecycle

• We are enabling the ecosystem today, with multiple OEMs/ODMs already TSC enabled

Page 3: Compute Lifecycle Assurance Vision

Blockchain – cloud-based distributed ledger

[Diagram: lifecycle stages, the events tracked at each, and the capability that covers each stage]

Lifecycle stages: Component Sourcing → Device Build → Distribution → Provisioning → Operating, Updating, Fixing → End of Life

Events tracked: HW changes, FW changes, SW changes, auto provisioning, remote attestation, remote fix

Capability per stage: Sourcing Visibility, Trusted Build, Tamper Resistance, Trusted Device Setup, Lifecycle Management, Trusted EOL

Diagram labels:

• Supply chain integrity – capture platform build & measurements

• Tamper resistance – health check for automated provisioning & MDM enrollment; ownership transitions

• Platform provisioning via ownership proof – establish owner; platform seal

• Capture transitions & health of HW, FW

• Authentic platform returned

• Ownership transitions – predictive health & security

• Security

• Provision / Retire / Operate / Recover

Page 4: Intel® Transparent Supply Chain Components

Traceability for select Intel® platforms to customers. Provides the following for individual systems:

Intel® TSC component details

System-Level Traceability
• Supported by signed platform certificates
• Linked to discrete Trusted Platform Module on motherboard

Component-Level Traceability
• Supported by “as-built” report from ODM
• Intel ODM partnerships are vital to two-level traceability

Platform Component Traceability
• Snapshot of the platform components
• Allows for end-user verification using the Auto Verify Tool

Statement of Conformance
• Attests to authenticity of system
• Signed by Intel

Customer Web Portal
• Provides customer access to signed files
• Files available for download

Page 5: Generating the Chain of Trust Based on Trusted Platform Module

Chain of trust built up by multiple parties in the system lifecycle:

Endorsement Key Certificate → Platform Certificate → Appliance Certificate
(Trusted Platform Module → Motherboard → Appliance → End User)

Trusted Platform Module Manufacturer
• Creates Endorsement Key (EK) for each Trusted Platform Module (TPM)
• Establishes hardware root of trust

System Manufacturer
• Permanently mounts TPM onto motherboard
• Creates platform certificate and binds it to the EK

System Integrator
• Creates appliance certificate; binds it to the platform certificate

End User – Capabilities & Benefits
• Ability to trace appliance to credible hardware root of trust
• Establishes technology provider accountability
• Creates transparency

Page 6: Intel® Transparent Supply Chain Process

1. Component and platform data captured at ODM
   • Component data (vendor, part #, serial #, validation history, ...)
   • Certificate data (Endorsement Key, Endorsement Key serial #, ...)
   • Platform snapshot data (model #, PCR data, Intel® vPro™ technology check, ...)

2. Data transmitted to Intel Key Generation Services
   • “As-Built” data file, Direct Platform data file, TPM Platform Certificate data file

3. Signed certificates created & stored on Intel database
   • Signed “As-Built” data, signed platform certificate, signed statement of conformance

4. Signed certificates available for download, view, and data analytics
   • “As-Built” data file, Direct Platform data file, TPM Platform Certificate data file

5. Auto Verify Tool (web download)

Page 7: Transparent Supply Chain Auto Verify Tool – Changes

[Diagram: motherboard and TPM as recorded at the OEM factory, compared with the motherboard and TPM as seen by the IT customer at first boot]
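The Auto Verify tool on pages 6 and 7 compares what was captured at the OEM factory with what the IT customer sees at first boot. The Python below is an added illustration of that kind of check, not Intel's tool or its file formats: the field names, the HMAC integrity tag standing in for Intel's signature, and the sample inventories are all assumptions constructed here.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the verifier's copy of the snapshot signer's key.
# A real tool checks a certificate signature, not a shared secret.
SNAPSHOT_KEY = b"constructed-demo-key"

def sign_snapshot(snapshot: dict, key: bytes = SNAPSHOT_KEY) -> str:
    """Integrity tag over a canonical serialization, so every field is covered."""
    data = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_platform(signed: dict, current: dict, key: bytes = SNAPSHOT_KEY) -> list:
    """Compare the current inventory with the signed as-built snapshot.
    Returns a list of findings; an empty list means the platform matches."""
    snapshot, tag = signed["snapshot"], signed["tag"]
    if not hmac.compare_digest(sign_snapshot(snapshot, key), tag):
        return ["as-built file integrity check failed; contents untrusted"]
    findings = []
    if snapshot["model"] != current["model"]:
        findings.append(f"model mismatch: {snapshot['model']} vs {current['model']}")
    # Component-level traceability: key on (vendor, part #), compare serial #.
    built = {(c["vendor"], c["part"]): c["serial"] for c in snapshot["components"]}
    now = {(c["vendor"], c["part"]): c["serial"] for c in current["components"]}
    for k in sorted(built.keys() - now.keys()):
        findings.append(f"missing {k[0]} {k[1]} serial {built[k]}")
    for k in sorted(now.keys() - built.keys()):
        findings.append(f"unexpected {k[0]} {k[1]} serial {now[k]}")
    for k in sorted(built.keys() & now.keys()):
        if built[k] != now[k]:
            findings.append(f"replaced {k[0]} {k[1]}: {built[k]} -> {now[k]}")
    # Platform snapshot: firmware measurements must match the recorded PCRs.
    for idx, val in sorted(snapshot["pcrs"].items()):
        if current["pcrs"].get(idx) != val:
            findings.append(f"PCR{idx} mismatch: expected {val}, read {current['pcrs'].get(idx)}")
    return findings

# Constructed sample data: factory snapshot and a first-boot reading in which
# the SSD has been swapped for one with a different serial number.
AS_BUILT = {"model": "DEMO-1", "components": [
    {"vendor": "VendorA", "part": "SSD-1TB", "serial": "S1"},
    {"vendor": "VendorB", "part": "DIMM-16G", "serial": "D1"}],
    "pcrs": {"0": "aa" * 32, "7": "bb" * 32}}
SIGNED = {"snapshot": AS_BUILT, "tag": sign_snapshot(AS_BUILT)}
FIRST_BOOT = {"model": "DEMO-1", "components": [
    {"vendor": "VendorA", "part": "SSD-1TB", "serial": "S9"},
    {"vendor": "VendorB", "part": "DIMM-16G", "serial": "D1"}],
    "pcrs": {"0": "aa" * 32, "7": "bb" * 32}}
```

Calling `verify_platform(SIGNED, FIRST_BOOT)` reports the swapped SSD; a tampered snapshot is rejected before any comparison, so an attacker cannot hide a change by editing the as-built file alongside the hardware.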

Page 8: POC - TSC on Blockchain – Supply Chain Flows

Infrastructure: DAPP web application, Ethereum blockchain, AWS secure storage

Trusted supply chain flow:

Supplier
• Component suppliers
• Register components
• Upload component information
• Transfer ownership to ODM

ODM
• Platform manufactured
• Register platform
• Upload platform files
• Transfer ownership to OEM

OEM
• Retrieve platform data file
• Verify platforms
• Transfer ownership to distributor

Dist/Reseller
• Retrieve platform files
• Modify platform
• Generate platform files
• Transfer ownership to end customer

Platform Owner
• Retrieve platform data files
• Platform attestation w/ AutoVerify tool
• Configure platform
• Generate new platform data files w/ AutoVerify

Page 9: TSC on Blockchain - POC

[Diagram: supply chain parties connected through the TSC DAPP Web App / API to a TSC private Ethereum network]

Parties: Suppliers; Manufacturer (in- or out-source); Distributors; 3rd-party logistics; Customer/Retailer; Customer data centers (Auto Verify Tool)

Ledger operations: Register Component; Register Platform; Ownership Transfer; Platform Changes; Platform Attestation
