Stefano Righi
Senior Vice President, Global Security Software Group
Ensuring best practices in the compute system supply chain is critical. This effort becomes challenging when managing multiple code streams and the certification keys that enable them.
One area of concern has been the recurrence of firmware test keys found in production systems. These test keys support AMI’s approach to increasing the efficiency of firmware integration during system development. The keys are intended only for use during development and should never remain in place when systems are placed into production.
Adopting a Less Efficient Approach Does Not Fix the Issue
AMI has evaluated its offering of these test keys to its partners. While AMI understands the improvements to partner efficiency during development, there is a risk that best practices might not be met, creating exposure of these keys in production systems.
The alternative to providing these test keys would be to place the burden of generating test keys for development on AMI partners themselves. While this would remove AMI’s exposure to having AMI-generated test keys found in production systems, it would not remove the need for supply chain best practices that ensure partner-generated test keys are replaced prior to production.
AMI is Committed to an Efficient Approach that Helps Ensure Best Practices are Followed
To continue supporting the efficient development of partner systems, AMI has chosen to maintain its current approach. As such, AMI will continue to deliver tools, including test cert keys, to its partners, while committing to efforts that help ensure best practices are followed. AMI has incrementally added safeguards in its firmware, such as partner alerts when test keys are in use in code builds, including warnings in the BIOS setup screens that notify the user that test keys are present.
Supporting the transition from development to production, AMI offers the AMI CLEFs firmware signing tool. This cloud-based service generates the necessary keys for AMI firmware in production, maintaining the private keys in a Cloud HSM. By providing this service, AMI is assisting its partners in transitioning from the test keys that are used in development to secure keys that are used in production systems.
AMI continues to evaluate how it contributes to efficient system development and best practices.
Security is Paramount at AMI
Additionally, AMI now offers various products and features, such as Tektagon Platform Root of Trust with encryption key management and remote attestation support, ensuring platform firmware resilience for host and peripheral devices.
In the end, ensuring best practices in the supply chain is necessary to avoid issues like the proliferation of insecure test certs being used in production systems. Following the processes associated with these practices is often challenging. AMI understands these challenges but is committed to helping maintain a secure supply chain. AMI will continue to support this effort, providing the necessary tools and support that help ensure a secure supply chain.