The Trusted Computing Group (TCG) is an organization that develops and promotes industry standard security specifications for computers and networks. The security specifications are intended to protect data and other resources from being compromised, such as by malware (malicious software) that may be introduced into a computer or network system.
Hard disk drive controllers are manufactured to include firmware, such as drive firmware and cryptographic firmware, that is implemented to control the various operations and functions of a hard disk drive. A cryptographic module within a hard disk drive controller may include hardware and/or cryptographic (also referred to as secure) firmware to perform key management, authentication protocols, and media encryption operations. The cryptographic firmware is typically a non-modifiable smaller set of code, unlike the drive firmware that is more extensive and subject to frequent updates.
If the drive firmware and cryptographic firmware both run on the same processor, there is no isolation between the two sets of code. This may result in a breach of security if drive firmware is able to access cryptographic data on shared random access memory (RAM) that stores the cryptographically sensitive data, such as encryption keys, locking security partitions, tables of access rights, and the like. Even if the cryptographic firmware does run on a separate processor from the drive firmware, the two sets of code may still not be isolated when there is shared RAM that stores cryptographically sensitive data.
Disk drive manufacturers are exposed to liability for potential security lapses when an employee or other person having access introduces or embeds malware into the drive firmware of a disk drive controller. This type of security compromise during firmware development, implementation, and/or initial distribution is commonly referred to as a warehouse attack.
The malware that is embedded in drive firmware can compromise the security of the encrypted data stored on a disk drive when masquerading as the crypto firmware. In one example, malware can request a key loading operation directly and bypass the authentication scheme needed to access an encrypted data block on a disk drive. The malware can obtain the key encrypting key (KEK) that is the root of trust for the disk drive and return the key value over a host communication path to read the encrypted data and decrypt it elsewhere. In another example, the malware can initiate the output of the cryptographically sensitive data, such as cryptographic keys for encrypting data on the drive media, outside of the cryptographic boundary. When the media encryption keys are recovered, the encrypted data can be read and decoded off-line.