Preventing malicious modifications to firmware using hardware root of trust (HRoT)

Abstract

As computing devices such as servers, workstations, laptops, and embedded systems are transported from one site to another, they are susceptible to unauthorized firmware modifications. Additionally, traditional over-the-air (OTA) firmware update mechanisms often lack robust security features, exposing devices to threats such as unauthorized updates, malware injection, etc. While the industry has made efforts to secure the boot process using a hardware root of trust (HRoT), post-boot firmware tampering remains a significant risk. In this work, we introduce a comprehensive framework that addresses firmware security across both transit and remote update phases by leveraging HRoT and cryptographic techniques. To prevent unauthorized firmware modifications during device shipment, we propose the PIT-Cerberus (Protection In Transit) framework, which enhances the HRoT's attestation capabilities to securely lock and unlock BIOS/UEFI. In addition, we introduce the Secure Remote Firmware Update Protocol (S-RFUP) to fortify OTA firmware updates by incorporating industry standards such as Platform Level Data Model (PLDM) and Management Component Transport Protocol (MCTP). These standards enable interoperability across diverse platforms while reducing management complexity. The protocol enhances security and operational integrity during updates, ensuring that only authenticated and verified firmware modifications occur. Both frameworks are implemented within a trusted microcontroller as part of Project Cerberus, an open-source security platform for server hardware. We present a security analysis, implementation details, and validation results, demonstrating the effectiveness of our approach in securing firmware both in transit and during remote updates.