Google Launches Open-Source OpenTitan Project for Silicon Root of Trust Chips
Google’s OpenTitan is a collaborative venture with tech companies that offers multi-factor security keys and RoT technology, which will be baked into new chips.
It wasn’t long ago that some Intel, IBM POWER, and Arm-based processors were found to have vulnerabilities that could be exploited to expose data held in memory. While those issues have been addressed, their legacy remains: manufacturers have started incorporating security features directly into their latest chips.
Google took notice of this trend and has partnered with several tech companies to bake an open-source silicon RoT (Root of Trust) into their respective architectures using OpenTitan.
What Is OpenTitan?
OpenTitan, the first open-source project of its kind, aims to create new secure chips for data centers, computer peripherals, and storage devices whose design is open and transparent, so that anyone can inspect the hardware and look for security flaws. The platform was built off Google’s Titan chip, which already provides multi-factor security keys and RoT technology and helps ensure that the chips it protects haven’t been tampered with.
A comparison chart showing the differences between traditional RoT architecture and those instituted within OpenTitan. Image from Google
Google’s latest press release explains, “We are transparently building the logical design of a silicon RoT, including an open-source microprocessor (the lowRISC Ibex, a RISC-V-based design), cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more.”
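Secure boot and the key hierarchy named in the quote above are what let a silicon RoT decide whether the firmware it finds may run. The Go program below is an added illustration, not OpenTitan's own code: it models that decision in its simplest form, assuming an immutable ROM that stores only a digest of the root public key and an Ed25519-signed next-stage image (all values constructed inline).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// romAnchor models the immutable ROM of a silicon RoT. It holds only the
// SHA-256 digest of the root public key (the top of the key hierarchy).
type romAnchor struct{ rootKeyDigest [32]byte }

// bootImage is a constructed next-stage image: a manifest (public key plus
// signature) followed by the code body that the signature covers.
type bootImage struct {
	pubKey    ed25519.PublicKey
	signature []byte
	body      []byte
}

var errUntrustedKey = errors.New("manifest key does not match ROM anchor")
var errBadSignature = errors.New("signature does not verify over image body")

// verifyBoot is the check the ROM stage runs before transferring control:
// bind the manifest key to the ROM anchor, then verify the signature over the
// code body. Only a nil result lets the next stage execute.
func verifyBoot(rom romAnchor, img bootImage) error {
	if sha256.Sum256(img.pubKey) != rom.rootKeyDigest {
		return errUntrustedKey
	}
	if !ed25519.Verify(img.pubKey, img.body, img.signature) {
		return errBadSignature
	}
	return nil
}

// provision generates a root key pair, "burns" its digest into the ROM anchor
// and signs the body. On real silicon the private key never leaves the signing
// facility; it is generated here only so the example runs stand-alone.
func provision(body []byte) (romAnchor, bootImage, error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return romAnchor{}, bootImage{}, err
	}
	img := bootImage{pubKey: pub, signature: ed25519.Sign(priv, body), body: body}
	return romAnchor{rootKeyDigest: sha256.Sum256(pub)}, img, nil
}
```

A flipped code byte fails the signature check, and an image re-signed under a different key is rejected at the ROM anchor before its signature is even examined.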
Google has stated that OpenTitan will be managed by the UK-based nonprofit lowRISC, with Western Digital, ETH Zurich, Nuvoton, and G+D Mobile Security as partners.
The founding partners of OpenTitan. Image from Google
Alongside the secure silicon design itself, the OpenTitan project also aims to produce technical documentation, reference firmware, and verification collateral.
Google claims that OpenTitan will be useful for chip manufacturers, platform providers, and security organizations looking to enhance their infrastructures with silicon-based security, meaning we could see the technology trickle down to consumer devices in the near future. Many engineers will welcome this boost in security, especially when it comes to IoT development.
Is Open Source the Answer?
Security matters, especially when stolen data can be turned into identity theft or access to bank accounts. But is open source an effective way to prevent unwanted access?
According to a 2019 open-source security report from Synopsys, the open-source software shipped inside hardware products is often overlooked when security and licensing risks are assessed.
The report states, “Software developers routinely take code from open source repositories to embed in their company’s products to speed up the development process. While the efficiencies and cost savings of code reuse are clear, organizations rarely review the incoming code regularly for potential security and legal issues.”
Synopsys does note that the number of vulnerabilities associated with open-source software is on the low end compared to proprietary software. Still, over 7,000 vulnerabilities were reported last year, and 50,000 were reported over the past two decades.
Debunked Open-Source Myths
OpenTitan, and the notion of open-source software in general, can seem somewhat paradoxical in terms of security. The OpenTitan website notes that because the platform is public, the larger community can "proactively audit, evaluate, and improve the security properties of the design."
With that said, there are several myths associated with open-source software security that have been debunked.
Let's start with the notion, "Since anyone can read open-source code, they can also take advantage of bugs!" Any software can be compromised, but attackers who break software generally don’t need to read its source code, and proprietary software is broken in exactly the same way.
Another myth is that developers are not paid for open-source code, so they have no reason to make it secure. That notion is invalid, considering that open-source developers generate revenue in many forms, the most common being advertising on open-source websites.
Finally, one of the most widely believed myths surrounding open-source software is that it can’t compete with the security of its proprietary counterparts. A commercial license doesn’t guarantee security, and unlike the transparency of OSS, it leaves users having to trust the vendor to make sure its wares are secure.
The Trend Toward In-House Development
While security for open-source software and hardware is of significant importance, another important consideration is how giants like Google and Amazon have been moving toward developing their hardware and software in-house, rather than outsourcing to other developers and manufacturers.
For instance, Google's engineers created the firmware for the Titan Security Keys themselves, building it on the FIDO open standards.
Google's Titan Security Key. Image from Google
This isn’t an emerging trend but a growing one. Building in-house also allows for more significant innovation, as can be seen in new trends within the tech industry, including AI, IoT, AR, hyper-automation, edge computing, and others.
As these technologies emerge, security is key; in that regard, it seems that OpenTitan is a step in the right direction.
How might an open-source project, such as OpenTitan, be different when it's spearheaded by Google versus when it's launched by a smaller company? Tell us what you think in the comments.