TCG Announces Two New Open Source Credentialing Tools for Trusted Supply Chain
PORTLAND, Ore.--(BUSINESS WIRE)--Oct 2, 2018--Trusted Computing Group (@TrustedComputin) today announced the availability of two new open source tools for using the Trusted Platform Module (TPM) within a trusted supply chain, supporting TCG’s Platform Specification.
A recent Deloitte Touche Tohmatsu Limited survey* found that 85 percent of surveyed global supply chains had experienced at least one disruption in the past 12 months. Such disruptions can interrupt business, cause production delays, incur significant fines and result in legal action.
The TPM can be used to cryptographically bind production lines and the devices they produce, including multi-vendor, multi-stage production. In this capacity, the TPM augments existing acceptance testing tools and validates the source of components and assembly – and can detect malicious component swaps.
TCG has published a specification for the trusted supply chain, defining how TPM credentials are used to verify supply chain entities in manufacturing, assembly and delivery using the specific TPM on the device. The TPM manufacturer creates an endorsement key on the TPM and then separately creates a signed X.509 endorsement credential and installs it into the TPM to provide proof of the TPM’s source.
Any enterprise involved in the production, configuration or testing of a TPM-enabled device can create a platform credential, which provides assertions about the device and can be used for any system component, such as motherboards, network cards, storage devices or others.
Two open source tools now are available supporting the TCG Platform Specification. Intel is offering an open source tool for creating platform certificates for manufacturers and assembly companies. The tool, available at GitHub Platform Certificate Validation Tool, requires PKI certificates, including those from third parties.
NSA Research, as part of NSA’s Technology Transfer program, released new software on September 6, 2018, allowing technology users to mitigate risks with today’s supply chain management. This software is intended to support the supply chain validation techniques prescribed by the Trusted Computing Group (TCG).
NSA’s Host Integrity (HI) Attestation Certificate Authority (ACA) is available on the NSA Cyber GitHub site. The ACA provides an “Acceptance Test” policy, used to prove a device was produced by the claimed manufacturer and contains the agreed-upon list of components. Host Integrity will initially support CentOS-based Linux devices; however, the TCG’s supply chain validation process can work with any computerized device that includes a Trusted Platform Module (TPM) (1.2 or 2.0).
TCG further recommends that manufacturers review and update their policy and procurement processes, requiring TPMs with endorsement credentials and requiring platform certificates for motherboards and chassis. TCG plans to expand its work to additional components used in the manufacture of various systems.
TCG (@TrustedComputin) is a not-for-profit organization that develops, defines and promotes open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms. More information is available at www.trustedcomputinggroup.org. The organization offers a number of resources for developers and designers at develop.trustedcomputinggroup.org. Follow TCG on Twitter and on LinkedIn.
Brands and trademarks are the property of their respective owners.
View source version on businesswire.com: https://www.businesswire.com/news/home/20181002005039/en/
SOURCE: Trusted Computing Group
Copyright Business Wire 2018.
PUB: 10/02/2018 12:00 PM/DISC: 10/02/2018 12:01 PM