Supply Chain Management

Question 1

Due Diligence

Answer 1

A legal principle identifying a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system

Question 2

Trusted Foundry

Answer 2

A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function)

Trusted Foundry Program is operated by the Department of Defense (DoD)

Question 3

Hardware Source Authenticity

Answer 3

The process of ensuring that hardware is procured tamper-free from trustworthy suppliers

Greater risk of inadvertently obtaining counterfeited or compromised devices when purchasing from second-hand or aftermarket sources

Question 4

Hardware ROT

Answer 4

Hardware Root of Trust:
A hardware root of trust is the foundation on which all secure operations of a computing system depend. It contains the keys used for cryptographic functions and enables a secure boot process. It is inherently trusted, and therefore must be secure by design.

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics

A hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report

Question 5

Hardware Security Module HSM

Answer 5

Hardware Security Module:
generates and stores cryptographic keys

less susceptible to tampering and insider threats than software-based storage

Question 6

Anti-Tamper

Answer 6

Methods that make it difficult for an attacker to alter the authorized execution of software

Anti-tamper mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF)

Question 7

UEFI - Unified Extensible Firmware Interface

Answer 7

Unified Extensible Firmware Interface:

firmware providing support for 64-bit CPU operation at boot

Basically a new-and-improved BIOS

Question 8

Secure Boot

Answer 8

A UEFI feature that prevents unwanted processes from executing during the boot operation

Question 9

Measured Boot

Answer 9

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report

Question 10

Attestation

Answer 10

A claim that the data presented in the report is valid by digitally signing it using the TPM’s private key

Question 11

eFUSE

Answer 11

Basically, the fuse will blow if the state of the software/firmware is modified

An eFuse is an “active circuit protection device with an integrated FET used to limit currents, voltages to safe levels during fault conditions”. It embeds various functions to protect system against inrush current, overcurrent, overvoltage, reverse current, reverse polarity and short circuit faults.

Question 12

Processor Security Extensions

Answer 12

AMD:
SME (Secure Memory Encryption)
SEV (Secure Encrypted Virtualization)

Intel:
TXT (Trusted Execution Technology)
SGX (Software Guard Extensions)

Question 13

Trusted Execution

Answer 13

The CPU’s security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Question 14

Secure Enclave

Answer 14

The extensions allow a trusted process to create an encrypted container for sensitive data

Question 15

Atomic Execution

Answer 15

Certain operations that should only be performed once or not at all, such as initializing a memory location

Question 16

Bus Encryption

Answer 16

Data is encrypted by an application prior to being placed on the data bus

Ensures that the device at the end of the bus is trusted to decrypt the data