Importance and Value of Trusted Computing

In a computing system, privilege increases toward the hardware layer, which holds the highest authority. Attacks that originate in lower-layer firmware cannot be effectively defended against by upper-layer systems or applications: lower-layer hardware and firmware can constrain the permissions of upper-layer software, but the reverse is not possible.

Figure 1 Security hierarchy of computing systems

To ensure that computing systems operate as intended, with their behavior enforced by both hardware and software, the industry commonly builds trusted computing systems on a hardware root of trust (RoT). Trusted computing in a computer system begins with the establishment of a hardware RoT. From this root, trust is extended step by step through the hardware platform, operating system (OS), and applications, with each layer measured and attested before it is trusted. This chain of trust spans the entire system, safeguarding the integrity of computing resources and making system behavior predictable, which strengthens overall security and reliability.

Mainstream trusted computing technologies include trusted boot measurement with a Trusted Platform Module (TPM), remote attestation, secure boot, and digital signature mechanisms, as well as Trusted Computing 3.0. All of these rely on the hardware RoT and hardware security to establish system trust anchors. In Kunpeng's trusted computing architecture, multiple implementations can be achieved, and trusted computing technologies can be configured based on customer requirements.
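The step-by-step extension of trust and the attestation check described above, as an added example that is not Kunpeng's or any TPM vendor's code: a TPM-style PCR extend simulated in Python over constructed sample boot-stage images, followed by a verifier that replays the event log and compares it with known-good measurements. The TPM quote signature is assumed to have been verified already.

```python
import hashlib

# Constructed sample "images" standing in for the stages of the boot chain
# (platform firmware -> bootloader -> OS -> application); not real firmware.
BOOT_CHAIN = [
    ("platform_firmware", b"bios v1.0 (constructed sample)"),
    ("bootloader",        b"bootloader 2.x (constructed sample)"),
    ("os_kernel",         b"kernel 6.x (constructed sample)"),
    ("application",       b"workload v3 (constructed sample)"),
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: new PCR = H(old PCR || measurement). The order of
    # extends matters and a value can never be "un-extended", so a later
    # stage cannot hide what an earlier stage measured.
    return sha256(pcr + measurement)

def measured_boot(chain):
    """Each stage measures the next one into the PCR before handing over
    control. Returns the final PCR and the event log the verifier replays."""
    pcr = bytes(32)  # PCR is all zeros after reset
    event_log = []
    for name, image in chain:
        digest = sha256(image)
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log

def golden_values(chain):
    """Reference measurements the verifier holds for known-good images."""
    return {name: sha256(image) for name, image in chain}

def attest(quoted_pcr, event_log, golden):
    """Remote attestation: first confirm the event log reproduces the quoted
    PCR (a log that has been edited will not), then check every logged
    measurement against its golden value."""
    replayed = bytes(32)
    for _, digest in event_log:
        replayed = pcr_extend(replayed, digest)
    if replayed != quoted_pcr:
        return False, "event log does not reproduce quoted PCR"
    for name, digest in event_log:
        if golden.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "chain of trust verified"
```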

As the security situation continues to deteriorate, the risk of advanced persistent threat (APT) attacks has risen sharply. Certain malicious parties use a variety of sophisticated attack techniques to conduct organized, long-term, persistent cyberattacks on high-value targets within data infrastructure. These attacks are highly targeted, covert, damaging, and increasingly real. Traditional security methods are insufficient to counter APT attacks, as they cannot exhaust all possible logical combinations. Moreover, the exploit-and-patch approach to vulnerabilities is itself often turned to attackers' advantage, further worsening the overall security threat to computing systems.

As the core of data infrastructure, servers face various security risks, which fall into two main types:

  • Security threats to service systems: Users work directly with service systems, whose security relies on the OS and software. Security risks of this type impair only the service systems.
  • Security threats to management systems: A management system manages the server hardware and relies on the security of the server firmware. Threats to the management system therefore affect the management of server devices.

Kunpeng servers are a core asset of customers and the cornerstone of normal service operation. They are mainly deployed in core data center equipment rooms that have their own security capabilities. The availability of upper-layer applications and services, as well as the security of networks and data, depends on the security of the IT intelligent data infrastructure. The security of its hardware (primarily chips and boards) and firmware (including the BIOS, iBMC, and device-specific firmware) forms the foundation of computing platform security.

Leveraging the security of its hardware system, Kunpeng servers ensure the security of underlying hardware and firmware across both the service and management planes. They also provide a general solution for trust chain propagation, delivering a robust secure computing infrastructure that enables customers to establish trusted execution and verification environments across the entire system.