Tools Support TCG Platform Specification to Address Supply Chain Risk and Use of TPM for Secure Storage, Measurement and Attestation
PORTLAND, Ore., Oct. 2, 2018 –Trusted Computing Group (@TrustedComputin) today announced the availability of two new open source tools for using the Trusted Platform Module (TPM) within a trusted supply chain, supporting TCG’s Platform Specification.
A recent Deloitte Touche Tohmatsu Limited survey* found that 85 percent of surveyed global supply chains had experienced at least one disruption in the past 12 months. These disruptions can disrupt business, result in production delays, incur significant fines and result in legal action.
The TPM can be used to cryptographically bind production lines and the devices they produce, including multi-vendor, multi-stage production. In this capacity, the TPM augments existing acceptance testing tools and validates the source of components and assembly – and can detect malicious component swaps.
Any enterprise involved in the production, configuration or testing of a TPM-enabled device can create a platform credential which provides assertions about the device and used for any system component, such as motherboards, network cards, storage devices or other.
Two open source tools now are available supporting the TCG Platform Specification. Intel is offering an open source tool for creating platform certificates for manufacturers and assembly companies. The tool, available at GitHub Platform Certificate Validation Tool, requires PKI certificates, including those from third parties.
NSA Research, as part of NSA’s Technology Transfer program, released new software on September 6, 2018, allowing technology users to mitigate risks with today’s supply chain management. This software is intended to support the supply chain validation techniques prescribed by the Trusted Computing Group (TCG).
NSA’s Host Integrity (HI) Attestation Certificate Authority (ACA) is available on the NSA Cyber Github site. The ACA provides an “Acceptance Test” policy, used to prove a device was produced by the claimed manufacturer, and contains the agreed upon list of components. Host Integrity will initially support Centos-based Linux devices; however, the TCG’s supply chain validation process can work with any computerized device that includes a Trusted Platform Module (TPM) (1.2 or 2.0).
TCG further recommends that manufacturers review and update their policy and procurement processes; requiring TPMs with endorsement credentials and requiring platform certificates for motherboards and chassis. TCG plans to expand its work to additional components used in manufacture of various systems.
TCG (@TrustedComputin) is a not-for-profit organization that develops, defines and promotes open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms. More information is available at www.trustedcomputinggroup.org. The organization offers a number of resources for developers and designers at develop.trustedcomputinggroup.org.
*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://trustedcomputinggroup.org/tcg-announces-two-new-open-source-credentialing-tools-for-trusted-supply-chain/