Public Report – Caliptra Security Assessment
During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9.
Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. It serves as the internal root-of-trust for both measurement and identity of a system-on-chip. The main use cases for Caliptra are to assure integrity of mutable code, to authorize firmware updates, and to support secure platform configuration and lifecycle state transitions. Notably, Caliptra also implements the TCG DICE Protection Environment, enabling other entities within the SoC to leverage the unique device identity for their own security operations.
Our evaluation of Caliptra spanned the three primary components:
- ROM: The immutable mask ROM, which executes when Caliptra is brought out of reset.
- First Mutable Code: Started by the ROM, the FMC is responsible for loading the runtime.
- Runtime Firmware: The services that Caliptra provides to the rest of the SoC.
Microsoft furnished NCC Group with several testing objectives and focus areas for this project. These requirements were related to upholding the properties of confidentiality, integrity, and availability for the DICE Protection Environment and its security-critical assets:
- Ensure that the firmware loading and authentication processes cannot be bypassed.
- Review DPE signing operations for side-channel information leakage, impacting the Unique Device Secret or Composite Device Identifier.
- Prevent attacks that undermine DICE initialization and external firmware measurement.
- Ensure that measurements cannot be silently dropped or excluded from DPE derivations.
- Determine whether an attacker can malform the DPE context tree structure.
- Determine whether risks are present due to leaving cryptographic material in memory.
- Under debug, DPE certificates should not chain to vendor-signed DeviceID certificates.
- Assess the effectiveness of Caliptra’s exploit mitigation technologies.
- Assess the soundness of the fault injection countermeasures.
The assessment identified 26 vulnerabilities, which were promptly addressed by the Caliptra team prior to the publication of this report. Read the full report here:
The audit was performed under the umbrella of the Open Compute Project’s (OCP) Security Appraisal Framework Enablement (SAFE) program, which was recently announced at the OCP Global Summit. More details about SAFE can be found in GitHub, here, including the short-form report for Caliptra’s ROM, FMC and Runtime firmware.
Since May of this year, NCC Group has been collaborating with the OCP by sharing our expertise in hardware and firmware security to support the creation of the SAFE program and the definition of its testing methodologies and reporting outputs. NCC Group is an approved SAFE Security Review Provider.