In the age of the device revolution, the DICE Protection Environment (DPE) specification marks an evolution of the solutions previously available to vendors. An isolated secure execution environment can now be established separately from the firmware, enhancing device protection for crucial processes through an additional layer of security. Critical operations, for example the handling of cryptographic keys, are moved out of the firmware and isolated. This frees the processor to carry out only its main functions, which increases the speed of the device and gives users the tools they need to enhance their operations. DICE offers benefits similar to a TPM, but in a solution better suited to smaller applications.
The DPE also protects transitions between the boot layers of a device, hardening attesting environments and offering greater security for all elements within the “trust chain.” This means that from “power-on reset” to the runtime state of a device, vendors can be assured of the trustworthiness of their devices.
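The layered trust chain described above can be modelled in a few dozen lines. The following is an added illustration, not code from the DPE specification or from any vendor: secrets (a constructed Unique Device Secret and every layer's CDI) stay inside a simulated DPE object, each boot stage only measures the next image and receives an opaque handle, and HMAC-SHA256 stands in for the specification's key derivation. Names such as `DpeSimulator`, `derive_context` and `attest` are this example's own.

```python
import hashlib
import hmac
import secrets

class DpeSimulator:
    """Toy model of a DICE Protection Environment.

    All secrets live inside this object, standing in for the isolated
    environment the DPE specification describes. Firmware layers only ever
    hold opaque handles, never key material. HMAC-SHA256 is used here as a
    stand-in for the specification's KDF (an assumption of this example).
    """

    def __init__(self, uds):
        # Constructed: a real Unique Device Secret comes from hardware.
        self._contexts = {}
        self.root_handle = secrets.token_bytes(16)
        self._contexts[self.root_handle] = (uds, ())  # (CDI, measurements)

    def derive_context(self, parent, measurement):
        """Bind the next layer's measurement to the parent CDI and return a
        fresh handle. In this model the parent handle is retired, so a layer
        cannot keep deriving from it after handing off to the next stage."""
        cdi, chain = self._contexts.pop(parent)
        child_cdi = hmac.new(cdi, measurement, hashlib.sha256).digest()
        handle = secrets.token_bytes(16)
        self._contexts[handle] = (child_cdi, chain + (measurement,))
        return handle

    def has_context(self, handle):
        return handle in self._contexts

    def attest(self, handle, nonce):
        """Produce evidence over a verifier nonce with the layer's CDI,
        without ever exporting the CDI (simplified stand-in for certify)."""
        cdi, _ = self._contexts[handle]
        return hmac.new(cdi, nonce, hashlib.sha256).digest()

def boot_chain(uds, images):
    """Walk the chain from power-on reset to runtime: each stage measures
    the next image and asks the DPE to derive the next context."""
    dpe = DpeSimulator(uds)
    handle = dpe.root_handle
    for image in images:
        handle = dpe.derive_context(handle, hashlib.sha256(image).digest())
    return dpe, handle

# Constructed sample values for a three-stage boot; never hard-code a real UDS.
UDS = bytes(range(32))
IMAGES = [b"bootloader-v1", b"firmware-v1", b"runtime-app-v1"]

def evidence_for(images, nonce=b"verifier-nonce"):
    dpe, handle = boot_chain(UDS, images)
    return dpe.attest(handle, nonce)
```

Identical images yield identical evidence even though handles are random, while a change to any single layer alters every downstream CDI and therefore the evidence the verifier receives.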
Now put yourself in the shoes of a silicon vendor for a moment. Knowing the benefits of standards and specifications is one thing, but having the technical understanding of how they work and how best to deploy them in your devices is another. When looking to use a solution like DICE for your own purposes, you have a number of options when it comes to implementation. If you are a vendor with strong technical knowledge who fully understands your requirements, this flexibility is ideal; yet for many, the number of choices may only lead to misunderstanding and greater confusion. This can result in implementation errors that leave more vulnerabilities for attackers to exploit, as well as interoperability concerns.
This is why standards bodies are moving towards technologies and specifications that offer increased guidance and best practices to potential implementors. With this additional support, organizations are able to reduce or eliminate the risk of implementation error and achieve greater interoperability, making products more compatible across the entire device ecosystem. Specifications such as DPE are no longer limited to devices with existing DICE implementations, which makes them a valuable resource both for adopters of RoT hardware and for those who have not yet integrated it into their own solutions.
This also means vendors are getting greater opportunities to develop and market their own DICE solutions in the form of a DICE Intellectual Property (IP) block. This provides the ability to adopt and integrate hardware security across solutions, reducing any unnecessary complexity and simplifying the adoption of RoT technologies that are so essential to device security. As a result, silicon vendors can now leverage technologies that offer enhanced security measures without having to fully understand the cryptographic elements associated with them.
The adoption of innovative technologies has had the unfortunate side effect of increased attacks from hackers looking to exploit systems and steal sensitive data. The growing threat of firmware attacks may quickly put an end to the burgeoning device revolution if the devices being used to increase productivity continue to be weaponized against operators.
If device vendors are to provide the required protection for devices, they must turn to organizations like the TCG and embrace the standards they create. Using the most up-to-date standards available can not only enhance the security measures found in devices, but can also provide guidance to avoid the pitfalls of a mis-implementation and enable greater interoperability across all industries.