Microsoft announces Project Cerberus, an opensource standard for platform security

Last year, Microsoft announced Project Olympus in collaboration with the Open Compute Project (OCP). At Zettastructure today, Microsoft provided an update on the Project Cerberus and also announced Project Cerberus, an opensource standard for platform security.

Microsoft today said that Project Olympus is now 100% complete and open sourced via OCP contributions. Documentation covering 19 specifications, 8 designs, chassis, and management can be accessed here. Microsoft is already using it for Azure deployments. The Fv2 VM family, the fastest VMs in Azure, is among the first Project Olympus designs productized in Azure. Microsoft also mentioned that solution providers will bring this design to the OCP ecosystem.

Project Cerberus is a new opensource project that offers security platform for server hardware. It is a NIST 800-193 compliant hardware root of trust designed to offer security for all platform firmware. By enforcing strict access control and integrity verification from pre-boot to runtime, it offers a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Options ROMs) and peripheral I/O devices. It can defend platform firmware from the threats like compromised firmware binaries, supply chain attacks, insiders with administrative privilege or access to hardware, hackers and malware that exploit bugs in the operating system, application, or hypervisor.

Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system. The specification is CPU and I/O architecture agnostic and is intended to easily integrate into various vendor designs over time, thus enabling more secure firmware implementations on all platform types across the industry, ranging from datacenter to IoT devices. The specification also supports hierarchical root of trust so that platform security can be extended to all I/O peripherals using the same architectural principles.

Learn more about Project Cerberus here.