More and more applications deployed at the edge are pretty demanding in terms of resources. It is for example the case of applications exploiting AI/ML models. For such deployments, mini servers can be a good compromise between hardware cost and resources. This is the reason why CYSEC has qualified ARCA Trusted OS for several mini servers to allow its customers to protect their containers in such devices.
Presently, ARCA Trusted OS for x86 can be deployed on two mini servers:
ARCA Trusted OS for x86 comes with a full disk encryption (FDE) by-default that enforces the encryption of the data stored in the hard-disk of the miniserver. While the miniserver is switched off, the FDE key is stored in a physical TPM 2.0 or a fTPM (firmware TPM). This key is released from the TPM after a successful verification of the authenticity and integrity of ARCA Trusted OS at each boot. Under this condition, a copy of the FDE key is stored in the RAM for the on-the-flight encryption/decryption of the data while transferred between the hard-disk and the volatile memories.
This solution ensures that the data is always encrypted while in hard-disk. Such encryption solution is particularly important for edge servers that are deployed in public areas where their physical protection is limited, as for example in airports, hospitals, shops or autonomous vehicles. Indeed, the risk of theft of an edge server is pretty high in such public environments while the privacy of the data processed by these mini servers can be subject to strict regulations. Furthermore, the provider of the business logic processing the data (e.g. AI algorithm) might want to protect its intellectual property from this type of threat.
Moreover, for the most sensitive cases, the FDE mechanism can be associated with a mechanism of encryption of the data in the RAM to prevent an advanced attacker from getting access to the FDE key while it is in the RAM using the so-called cold boot attack or bootkits and rootkits. ARCA Trusted OS allows the activation of such RAM encryption such as the one proposed by AMD Ryzen and called Secure Memory Encryption (SME). This extended solution offers encryption of the data and code while they are in persistent and volatile memories.