
Kunpeng Trusted Computing Architecture

Based on the Huawei-developed Kunpeng CPU and BMC chip, as well as system engineering capabilities such as hardware and firmware reliability, Kunpeng servers build security competitiveness covering processors, hardware, firmware, and systems.

Tianchi architecture-based Kunpeng servers build their security component on the BMC hardware root of trust (RoT). The hardware framework is decoupled from any single trusted computing standard, so the same hardware can support the international TPM standard, the Chinese TCM standard, and the Trusted Computing 3.0 TPCM.

The following figure shows the trusted computing architecture for Kunpeng servers.

Figure 1 Dual-system architecture in trusted computing 3.0 for Kunpeng servers

The BMC is the first component to power on in a server. Because the trusted core starts before the BMC service system and measures it before handing over control, Kunpeng's trusted computing 3.0 solution removes the untrusted window that would otherwise exist during BMC startup, and it gives both the management system and the service (computing) system proactive defense capabilities.

By integrating the TPCM main control firmware into the trusted core of the iBMC, the dual-system architecture gets physical isolation for free: the trusted core that runs the TPCM is a separate core from the BMC service core and from the host processors. The resulting architecture is clear in its trust boundaries, offers strong control, and starts the chain of trust earlier than a design rooted in the host. Because the iBMC is decoupled from the computing component, the design is also flexible and low-cost, which makes it easier to adopt and deploy. Trusted measurement covers the BMC, BIOS, CPU, and OS, and extends to virtual machines (VMs), so the chain of trust spans the full lifecycle of the system.

Kunpeng's trusted computing 3.0 solution is designed for high security. The management plane and the service plane are isolated at the network level, and Huawei's self-developed BMC chip separates the trusted core from the service core, adding a further layer of defense in depth. Because the trusted core security component powers on before both the computing system and the BMC service core, it can measure each subsequent stage before that stage runs and withhold control from a stage that fails measurement, which is what makes proactive measurement and control-based defense effective.
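The two preceding paragraphs describe a measurement chain (BMC, BIOS, CPU, OS, VMs) driven by a root of trust that runs before everything it measures, and a control-based defense that stops an untrusted stage from running. The following Python block is an added illustration of that idea and is not code from Huawei's TPCM firmware or from this page. It models the generic TPM/TCM/TPCM-style "measure, then extend a register" pattern; the stage images, the reference digests, and the stage names are constructed for the example, and SHA-256 stands in for whichever hash a given standard mandates.

```python
import hashlib
from dataclasses import dataclass

# Added illustration of a measured-boot chain of the kind a BMC-resident root of
# trust drives: each stage is hashed before it runs, every digest is folded into a
# single extend register, and the result is compared with a reference baseline.
# This is a generic TPM/TCM/TPCM-style model, not Huawei's TPCM firmware; all
# stage images and reference digests below are constructed for the example.


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes


def measure(image: bytes) -> bytes:
    """Digest of a stage image (SHA-256 stands in for the standard's hash)."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """Extend operation: new = H(old || digest). Order-dependent and one-way, so
    the final register value commits to both the contents and the sequence."""
    return hashlib.sha256(register + digest).digest()


def run_boot_chain(stages, reference, policy="halt"):
    """Measure stages in boot order. Returns the final register, an event log of
    (stage, digest, matched) tuples and the stages whose digest differed from
    the reference. policy="halt" stops at the first mismatch (control-based
    defense: the untrusted stage is never handed control); policy="report"
    measures everything and only reports the mismatches."""
    register = bytes(32)
    log, mismatches = [], []
    for stage in stages:
        digest = measure(stage.image)
        matched = digest == reference.get(stage.name)
        register = extend(register, digest)
        log.append((stage.name, digest.hex(), matched))
        if not matched:
            mismatches.append(stage.name)
            if policy == "halt":
                break
    return {"register": register.hex(), "log": log,
            "mismatches": mismatches, "trusted": not mismatches}


def replay_register(log) -> str:
    """Verifier-side check: recompute the register from the event log alone.
    If the replayed value equals the reported register, the log is intact."""
    register = bytes(32)
    for _name, digest_hex, _matched in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register.hex()


# Constructed stage images in the order the page lists them. Real images would be
# firmware, microcode, kernel and VM binaries; these are stand-in byte strings.
GOLDEN_STAGES = [
    Stage("bmc-firmware", b"BMC trusted-core firmware v1"),
    Stage("bios", b"BIOS image v1"),
    Stage("cpu-microcode", b"CPU microcode v1"),
    Stage("os-kernel", b"OS kernel v1"),
    Stage("vm-image", b"VM image v1"),
]

# Reference baseline: digests of the known-good images (in practice a signed manifest).
REFERENCE = {s.name: measure(s.image) for s in GOLDEN_STAGES}

# Same chain with a modified BIOS image, as a flashed implant would produce.
TAMPERED_STAGES = [s if s.name != "bios" else Stage("bios", b"BIOS image v1 + implant")
                   for s in GOLDEN_STAGES]


if __name__ == "__main__":
    good = run_boot_chain(GOLDEN_STAGES, REFERENCE)
    bad = run_boot_chain(TAMPERED_STAGES, REFERENCE)
    print("golden chain trusted:", good["trusted"], good["register"][:16])
    print("tampered chain halted at:", bad["mismatches"], "after", len(bad["log"]), "stages")
    print("log replay matches register:", replay_register(good["log"]) == good["register"])
```

Two properties of the model are worth noticing. Because `extend` is order-dependent, the same five known-good images booted in a different order produce a different final register, so the register commits to the boot sequence and not just to the set of images. And because a verifier can recompute the register from the event log, an attacker who can edit the log but not the register cannot hide a mismatched stage. A real TPCM additionally keeps the register and the reference policy out of reach of the measured system; that separation is what the BMC trusted core provides in the architecture described above.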

In Kunpeng's trusted computing 3.0 solution, Huawei's BMC chip integrates the TPCM into its trusted core. As a result, the solution avoids consuming computing system resources and eliminates the need for add-in cards that occupy PCIe slots. Since the BMC is a mandatory component in servers, this design incurs no additional hardware costs. Moreover, it requires no server board customization or modification, making the solution both cost-effective and easy to deploy. Partners can leverage the Kunpeng server board and BMC with integrated TPCM to rapidly establish trusted computing 3.0 capabilities.