The venture is a cryptographic microcontroller that Azure hardware infrastructure GM Kushagra Vaid describes as “a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored).“
Project Cerberus continuously measures these accesses and validates the integrity, protecting against malicious updates. According to Microsoft, it can prevent malware that exploits operating system bugs, supply chain attacks, and compromised firmware binaries. Importantly, it also protects against insiders with admin privileges or physical access.
Of course, it wouldn't be much of a solution if it was difficult to implement. Cerberus is CPU and architecture agnostic, meaning it shouldn't be too hard to integrate into new designs.
As a result, Microsoft expects a much wider range than initially intended, including use in IoT devices. To further advancement, the draft specification will be open sourced to OCP, and Intel will help explore implementation models.
In many ways, this is Project Olympus‘ next phase. The hardware development model was put forward by Microsoft at Zettastructure in London just over a year ago, and seeks to bring open source to physical devices.
As a result, Microsoft shares designs when they're just 50% complete, and Project Cerberus is one of its first contributions.
“The initial draft being contributed today covers motherboard firmware (UEFI BIOS, BMC, Options ROMs) and the vision is to work with the OCP community to extend the specifications over time to cover all peripheral I/O components such as HDD, SSD, NIC, FPGA, GPU, etc,” said Vaid in a recent blog post.
“We're encouraging the industry to collaborate on Project Cerberus to drive a new level of security for future hardware platforms.”
You can see the draft for yourself on GitHub.
Tip: If your business is running its own server infrastructure, consider taking benefit of the usually higher data center security via colocation.