How to activate DICE and TPM for optimal security

By 2030, more than 24 billion Internet of Things (IoT) devices will have entered our cities, workplaces and homes, according to Transforma Insights. For years, I have worked to make sure these devices have healthy immune systems so they can defend themselves against malicious attacks. It starts with a root of trust. Without one, there is no way to determine the security of the system and of every component around it, which opens the door to potential vulnerabilities. Because each vertical market is responsible for creating safe and secure devices, from smart home devices to satellite networks, the building blocks of trust need to be put in place during the design and development stages of these devices. IT developers face many challenges as they strive to achieve this goal, but there are some key lessons they can apply to be successful.

If I were to develop a new computing platform, my first priority would be to make sure that my IoT device and any accessories, components or parts have all the necessary mechanisms in place to implement the Device Identifier Composition Engine (DICE) and the Trusted Platform Module (TPM).

The underlying hardware: the architecture
This is the most important consideration. First, the subcomponents and chips that make up the device, together with their firmware, need to be designed so that they are DICE compliant and can perform measurements. They must also be able to communicate with the TPM in a secure manner. Before doing anything else, it is essential to make sure that these subcomponents have the required capabilities. This is the only way to ensure a secure communication path to each subcomponent so that the level of trust in the system can be assessed.

For example, a chip inside a device will need to have its integrity measured, and it needs a path that allows measurement and communication. Not all components that need to be measured and to contribute to trust on the platform have this capability.
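To make the measurement chain concrete, here is an added example (not code from the article or from TCG) that models two of the mechanisms the text refers to: the DICE pattern, in which each layer derives the next layer's Compound Device Identifier as an HMAC of its own secret over the measurement of the code it hands off to, and the TPM style of extending a Platform Configuration Register with each measurement. The Unique Device Secret and the firmware images are constructed placeholders; a real UDS lives in hardware and is never exposed to software. The model is simplified (hash and HMAC only, no certificates), but it shows why a component that cannot be measured leaves the resulting identity unverifiable.

```python
"""Simplified model of DICE layered identity derivation and TPM-style PCR extension.

Added illustration, not TCG reference code. Two properties are demonstrated:
  * DICE: CDI_n = HMAC-SHA256(CDI_(n-1), SHA256(firmware_n)), seeded with the
    Unique Device Secret (UDS). Changing any layer changes every identity
    derived at or after that layer, while earlier layers are unaffected.
  * TPM: PCR' = SHA256(PCR || measurement). The final PCR value depends on
    every measurement and on their order.
"""
import hashlib
import hmac

# Constructed placeholder; on a real device the UDS is burned into hardware
# and readable only by the first mutable code (DICE Layer 0).
UDS = bytes.fromhex("11" * 32)


def measure(firmware: bytes) -> bytes:
    """Measurement of a code image is simply its SHA-256 digest."""
    return hashlib.sha256(firmware).digest()


def derive_cdi(parent_secret: bytes, measurement: bytes) -> bytes:
    """One DICE derivation step: the child's secret is bound to the parent's
    secret and to the measurement of the child's code."""
    return hmac.new(parent_secret, measurement, hashlib.sha256).digest()


def dice_chain(uds: bytes, layers: list[bytes]) -> list[bytes]:
    """Return the CDI of every layer, in boot order."""
    secret = uds
    cdis = []
    for firmware in layers:
        secret = derive_cdi(secret, measure(firmware))
        cdis.append(secret)
    return cdis


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: fold the new measurement into the register."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot_pcr(layers: list[bytes]) -> bytes:
    """Extend a zero-initialised PCR with each layer's measurement in order."""
    pcr = bytes(32)
    for firmware in layers:
        pcr = pcr_extend(pcr, measure(firmware))
    return pcr


def identity_matches(uds: bytes, golden: list[bytes], observed: list[bytes]) -> bool:
    """A verifier that knows the expected images can check whether the device's
    final CDI equals the one derived from the golden images. A component that
    cannot be measured cannot appear in either list, so nothing about it can be
    attested; that is the gap the text warns about."""
    expected = dice_chain(uds, golden)[-1]
    actual = dice_chain(uds, observed)[-1]
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    golden = [b"bootloader v1 (constructed)", b"kernel v1 (constructed)"]
    tampered = [b"bootloader v1 (constructed)", b"kernel v1 + implant (constructed)"]
    print("golden matches golden:  ", identity_matches(UDS, golden, golden))
    print("tampered matches golden:", identity_matches(UDS, golden, tampered))
    print("PCR (golden):  ", measured_boot_pcr(golden).hex())
    print("PCR (tampered):", measured_boot_pcr(tampered).hex())
```

The verifier side needs only the golden measurements and the device's attested identity, never the UDS itself; the UDS stays inside the hardware root of trust, which is why the article insists that capability be present before anything else is built on top of it.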

If you are stuck with subcomponent vendors, have dependencies on other subcomponents, or find that the vendor cannot provide a subcomponent with the basis for interacting with DICE or TPM, then you have a major security hole in the device. This renders all the other security of the device moot. It would be like locking the front door and all the windows but leaving the back door open.

In my experience, not all subcomponent vendors incorporate Trusted Computing Group (TCG) standards into their products. However, adoption is accelerating, and many subcomponent vendors not only know about DICE and TPM but also use them. There are still a few providers that have not done this yet, which is why it is important to check before doing anything else.

The triangle of compromise
When deciding which alternative vendor that implements the TCG standards to use, it is important to remember that this can be a tradeoff with price. You can get more features, but it might cost you more. Usually, this tradeoff means that if you gain security, you lose something on another feature. This is something to expect and prepare for. Most people are willing to compromise if they get extra security, because the costs and consequences of not having security are not even worth considering against the benefits of everything else.

The next level of security
Once the components can handle the integrity measurements and the communications around security, you can take it to the next level and establish a root of trust on the hardware platform.

Then you need to find a way to activate the software side of the device. Start by choosing the operating system and architecture, be it Windows or Linux, that you want to have communicate with the hardware to use DICE and TPM.

Once you have verified that the hardware is trustworthy, it may be helpful to read the DICE and cyber resiliency specifications before integrating the TPM Software Stack (TSS), so that you understand what can be done.

Editor’s Note: For more information on this topic, read Thorsten Stremlau’s recent article, “A Secure and Reliable Ecosystem Begins With Self-Protection,” ISACA Journal, volume 4, 2021.

Remember: members can earn free CPEs with ISACA Journal quizzes!