InTechnology Podcast

Transparent Supply Chain: What’s Ahead in Security and Sustainability (165)

In this episode of InTechnology, Camille and Tom get into Intel’s Transparent Supply Chain with Patrick Bohart, Director of Marketing at Intel. The conversation covers the many uses of the Transparent Supply Chain in manufacturing and how transparency requirements and expectations are shaping its future development.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

How Transparent Supply Chain Works

Patrick goes transparent about Intel’s Transparent Supply Chain with Tom and Camille. He explains how Transparent Supply Chain is a process of gathering information as compute systems are manufactured, transported, and delivered to clients around the world. The tooling takes electronic measurements of the platform: which components are active, which components communicate with subsystems such as the CPU, and which entities handled the system along the way, such as original design manufacturers (ODMs) and original equipment manufacturers (OEMs). By recording what happened at each stage of the supply chain, it gives clients and end users a verifiable level of security and quality assurance.

Beyond detecting tampering while a system moves through the supply chain, the same data can be used to analyze the sustainability of compute devices and their components. It is now possible to build a sustainability profile of the components in a system and of its software bill of materials (BOM).
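As an added illustration of the static check described above (example code, not Intel's or the page's own), the Python below compares a reference manifest recorded at manufacture with a re-measurement taken at delivery and reports anything missing, added, swapped or reflashed; every component name, serial number and firmware image in it is constructed.

```python
"""Added example, not Intel's code: a reference manifest recorded at
manufacture is compared with measurements taken when the system arrives.
All component names, serials and firmware bytes below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One active component as it would be logged into a platform manifest."""
    slot: str      # where it sits in the platform, e.g. "bios", "nic0"
    vendor: str
    part: str
    serial: str    # per-unit identifier, unique even for the same part number
    fw_hash: str   # SHA-256 hex digest of the firmware/BIOS image measured


def measure_firmware(image: bytes) -> str:
    """Digest of a firmware image; stands in for the electronic measurement."""
    return hashlib.sha256(image).hexdigest()


def compare_manifests(reference, measured):
    """Return (slot, finding, detail) tuples describing every deviation.

    Findings are ordered by slot; an empty list means the system arrived in
    the same state it left the factory (nothing missing, added or changed).
    """
    ref = {c.slot: c for c in reference}
    mea = {c.slot: c for c in measured}
    findings = []
    for slot in sorted(ref.keys() - mea.keys()):
        r = ref[slot]
        findings.append((slot, "missing", f"{r.vendor} {r.part} sn={r.serial}"))
    for slot in sorted(mea.keys() - ref.keys()):
        m = mea[slot]
        findings.append((slot, "unexpected", f"{m.vendor} {m.part} sn={m.serial}"))
    for slot in sorted(ref.keys() & mea.keys()):
        r, m = ref[slot], mea[slot]
        if (r.vendor, r.part) != (m.vendor, m.part):
            findings.append((slot, "substituted", f"{r.vendor} {r.part} -> {m.vendor} {m.part}"))
        elif r.serial != m.serial:
            # same part number, different unit: a like-for-like hardware swap
            findings.append((slot, "swapped", f"sn {r.serial} -> {m.serial}"))
        elif r.fw_hash != m.fw_hash:
            findings.append((slot, "firmware_changed", f"{r.fw_hash[:12]} -> {m.fw_hash[:12]}"))
    return findings


# Constructed reference manifest, as recorded at the factory.
REFERENCE = [
    Component("cpu0", "ExampleCPU", "X-1000", "CPU-0001", measure_firmware(b"ucode-v1")),
    Component("bios", "ExampleBIOS", "B-2.1", "BRD-7781", measure_firmware(b"bios-2.1-signed")),
    Component("nic0", "ExampleNet", "N-55", "NIC-3344", measure_firmware(b"nic-fw-5")),
]

# Constructed re-measurement at delivery: the BIOS image differs and the NIC
# is a different unit of the same part number.
MEASURED = [
    Component("cpu0", "ExampleCPU", "X-1000", "CPU-0001", measure_firmware(b"ucode-v1")),
    Component("bios", "ExampleBIOS", "B-2.1", "BRD-7781", measure_firmware(b"bios-2.1-modified")),
    Component("nic0", "ExampleNet", "N-55", "NIC-9999", measure_firmware(b"nic-fw-5")),
]


def arrived_untampered(reference, measured) -> bool:
    """The 'green light' check: True only when no deviation is found."""
    return not compare_manifests(reference, measured)


if __name__ == "__main__":
    for slot, finding, detail in compare_manifests(REFERENCE, MEASURED):
        print(f"{slot}: {finding} ({detail})")
    print("untampered:", arrived_untampered(REFERENCE, MEASURED))
```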

Surging Requirements and Expectations for Transparent Supply Chain

Although the standards for supply chain security were written many years ago, it has taken the industry time to finalize the specifications and for standards and regulatory bodies to adopt them. Patrick describes business interest as following the shape of a hockey stick on a graph: little interest until recently, then urgent expectations as customers realize they need it to keep winning business. According to Patrick, the customers most concerned about supply chain security right now are IP-sensitive firms, followed by financial services and government entities. As for the future of Transparent Supply Chain, he explains the shift from static measurements to dynamic tracking through an active component root of trust, extending beyond monitoring products in transit into tracking security during the operational phase. Access control for the collected data is also being strengthened by moving the service to blockchain technology.

Patrick Bohart, Director of Marketing at Intel


Patrick Bohart has a long tenure of 26 years at Intel, where he is currently Director of Marketing. With a focus on marketing PCs for business, Patrick strategically applies his skills in marketing, product strategy, product launch, marketing strategy, and product marketing. He has two master’s degrees—an M.B.A. in Marketing from Portland State University and an M.A. in Education from the University of Colorado Boulder. Patrick also earned a bachelor’s degree in physics from the University of Oregon.


Announcer  00:00

You’re listening to InTechnology, your source for trends about security, sustainability, and technology

Patrick Bohart  00:11

SolarWinds taught us we can’t just take a piece of software and trust that “Oh yeah, I’m sure those guys did a good job building.” And we can’t do that on the hardware side either.

Tom Garrison  00:27

Hi, and welcome to the InTechnology podcast. I’m your host, Tom Garrison. With me, as always, is my co-host, Camille Morhardt. And today we have Patrick Bohart, who is a longtime Intel employee that I’ve had the privilege to work with for many, many years. And he is currently leading Intel’s effort around Transparent Supply Chain–a topic that we’ve talked about before, but we’re going to go into depth today, really to give an update on what is the capability, and how are people using it and so forth. And so, Patrick, welcome to the podcast.

Patrick Bohart  01:03

Happy to be here. Thanks, Tom. Thanks, Camille.

Tom Garrison  01:06

So Patrick, you know, we’ve talked about Transparent Supply Chain before. But for those guests that may not have heard the podcast previously, can you describe what Transparent Supply Chain is, and what problem is it trying to solve?

Patrick Bohart  01:20

So Transparent Supply Chain is a process by which we gather information as compute systems are manufactured. So we start back at the components; as components are assembled into motherboards, we gather information as the motherboard gets configured into a full system, all the way through the supply chain until the device arrives at its final destination–whether that’s an IT organization or a data center, or cloud service provider. And the Transparent Supply Chain process leverages the fact that Intel’s manufacturing tools are in every factory around the world that’s building anything based on Intel. And so we use that tool footprint to take electronic measurements of the platform, not only what components are active, and what components are communicating to subsystems like the CPU and stuff like that, but also where are we, who’s involved in the supply chain? What ODM is this? What OEM is this? What country are we in? And we electronically gather all that information as the system is being built. And we make that available to the end user who can then use it to generate insights like: did I get what I purchased? Or did the system arrive in the exact same state that it left? Or was there any evidence of tampering? And so that, at a really high level, is the Transparent Supply Chain process.

Tom Garrison  02:45

Right. So that’s mostly a sort of a security value proposition. Are there other use cases using that same data but in other ways?

Patrick Bohart  02:54

Yeah, it’s interesting. A lot of the security technologies that we use today that involve telemetry of the platform, they started for the purposes of quality, you know, do we know exactly what manufacturing lines this device or these devices came from? So that if there’s a problem in the field, we can look at all these devices and say, “oh, all these devices came from the same factory in the same location or right.” But as the geopolitical climate changed, and security became a bigger concern, all this data that we’ve been capturing, and these tools that we put in place to understand the transparency and traceability of the system became even more useful for the purposes of security.

So our customers use the data for quality assurance, they use the data for security, not only identifying problematic vendors, or problematic contributors to the supply chain, but also things like in the past, if you got a system from a Dell or a Lenovo, there was really no way of understanding what other companies had contributed technology. And now with the explosion of vulnerabilities and bug bounty programs and ethical hacking, it’s important to have that information because if a hackathon identifies a problem with a particular Texas Instruments component, how do you know whether you have that component in your environment? And years ago, you didn’t. And now with Transparent Supply Chain, you have that roadmap of what’s in the environment.

Camille Morhardt  04:21

Is this the first time that this kind of information is available, or were people sort of tracing the supply chain and you know, where the parts were coming from and what the components were, and this is a shift to digitization of that?

Patrick Bohart  04:36

It’s a shift to digitization. It’s a shift in usability. And again, let me give you an example. I was speaking to the Deputy CIO of the Department of Defense and we were showing him the types of datasets that we could expose. Not only like, “Hey, are you buying Lenovo X1 Carbons, but we can tell you what’s in Lenovo X1 Carbons, we can tell you what’s in this specific Lenovo X1 Carbon.” And he was telling us he would get alerts in the past that said a particular vendor is problematic. And it would take him and his team weeks, scouring their environment trying to understand; they would call the OEM, the OEM would send them a spreadsheet, which they would have to sort through and it was a big mess. And with Transparent Supply Chain in that move to digitization, it’s now all at your fingertips. And we actually even provide the tools so that you can ask, “Do I have these components in my environment?” and not just look at a single machine, but look across the entire fleet.

Tom Garrison  05:35

And so Patrick, what about things like sustainability? It seems like this data could be also used to try to track things like carbon footprint or other areas of concern that maybe in the past weren’t that important, but have been growing in importance over time.

Patrick Bohart  05:51

Yeah, that is exactly where we are going. So the Transparent Supply Chain process today really focuses on the motherboard at system level manufacturing, and then integration. But more and more, we want to go farther back into the supply chain. So we began building in capability not only for Intel products, but for all products to begin capturing more and more information about the components that were coming in. But then the security and sustainability effort globally across the high tech manufacturing industry was being asked to generate information about the sustainability, product carbon footprint, recyclability, responsible minerals, lead content, arsenic content. And these vendors were generating these reports and it was unclear, “well, how do we get the report from the component vendor all the way to the person that wants to use it–which is maybe the person who’s recycling the system eight years from now?” and we raised our hand and said, “we can use Transparent Supply Chain for this.”

We’re already capturing information about what’s going into the system, we can also add information about the sustainability profile of the components going into the system for the software bill of materials for those components that are going in the system. As we put better tools and better tracing into the supply chain, other industry groups that are trying to communicate data about how their components are made, reached out or we reached out to them. And it was like, “yeah, we should be including all this information.” It’s really becoming sort of the 23andMe, for your laptop or for your server.

Tom Garrison  07:30

And where’s all that information stored?

Patrick Bohart  07:33

Those vendors that work with us, we store it in an AWS protected cloud service. So there’s a way you can identify yourself to the system, you can prove your identity and then access the files from that AWS database. But we’re moving to blockchain. We’re moving there next year, for a couple different reasons. One, blockchain was designed for supply chain because you literally are moving from taking pieces and combining them into bigger pieces, and then those pieces and combining them into bigger pieces and chaining them together. It’s just a natural technology for supply chain.

But the other reason why blockchain makes so much sense here is what people are putting into their systems or who’s participating in the supply chain of a system is intellectual property. And competing vendors don’t want each other, their competitors to see what they’re doing. So there’s a tremendous need for privacy, there’s a tremendous need for permission-based access. Camille can see this data because she has a business need to see it. But Tom, you don’t need to see it, so you can’t see it. And blockchain provides us the ability to do that. And so we’re in the process now of building and transitioning that service to a blockchain solution.

Camille Morhardt  08:49

So you’re looking at making system level transparency of a computer in this case? And so how do you decide which components comprise essentially a system? Who decides that and what are you checking? And is it kind of vendor specific? So are you checking, you know, hey, we’re checking 80% of the components, so we’re fine? Or we’re checking only components with active firmware? Or we’re checking only the CPU? How are you coming to a conclusion about okay, this is generating some kind of a threshold of system-level transparency?

Patrick Bohart  09:25

One of the pieces of data that Transparent Supply Chain delivers, actually conforms to an industry specification. The Trusted Computing Group, which is an industry body took on the challenge of how do we improve traceability? How do we improve transparency in the supply chains of systems as they’re being built? We’ve extended our tools to go much beyond that.

The second part of your question is, how far we go is really vendor specific. So if we’re working with an OEM, we cannot go all the way down to tracking information about screws and brackets and stuff like that. But the reality is that the end user doesn’t care where the screws came from. Our recommendation, and where we’ve seen the industry sit, is active components. So if you’re a component on the system and you’re executing firmware, or you’re executing code, you should be logged into the supply chain of the platform. And the sum total of all the active components on the system is greater than what’s specified in that specification. But we still think it’s important that since we can capture it, we offer it to our customers.

Tom Garrison  10:68

So Patrick, this is obviously something that Intel has been working on–actually, you and I worked on this for some time–and so it’s not new. But it has been growing in acceptance and availability in the industry. So can you share with our listeners, how pervasive is this kind of solution?  If they’re interested in having this kind of information, where can they get machines that have Transparent Supply Chain as part of the platform?

Patrick Bohart  10:54

Well, if you go to Intel.com, and you type in Intel Transparent Supply Chain, there, we do have a list of vendors. But you’re right, although the standard was written, you know, whatever, like seven years ago, it really does take the industry that long to get from somebody finalizing a specification, to the standards bodies, and the regulatory bodies and NIST and the Department of Defense to get it and put it into committee and understand it and then get to the point where they say, “Hey, systems coming into our environment should have Transparent Supply Chain, or IR systems coming into our environment should support TCG platform certificates.” And then the OEMs themselves start kind of rambling, “Oh, how are we going to support this?” And so it’s taken that long, and just our volume, projected for 23 is going to be 10x, our volume from 2022 and that was 10x, from our volume in 2021. So we’re on this, like, whenever I see a hockey stick on a graph, I’m always like, that’s nonsense. But we really are in sort of this hockey stick explosion, where now the recommendations are turning into requirements and vendors are beginning to realize they have to do this in order to win business. And so that’s why we’re seeing the numbers grow.

Camille Morhardt  12:14

There’s kind of been a growing desire and demand for it in the government space. And now that’s kind of extended across enterprise. Is this going to be one of those things that everybody expects to have complete transparency into the supply chain of their products? And when will that happen? Are we just kind of right at that tipping point right now?

Patrick Bohart  12:36

It feels like we’re right at the tipping point. And you know, there are limitations? Well, you said complete transparency. So I mean, we have to be realistic that we are providing a much-improved level of transparency over what has been available, but we still have a long way to go. We can actually talk about that. The reality is the compute infrastructure that we bring into sensitive environments can’t be a black box any longer. I mean, we’ve dug into the software, right? There’s a bunch of regulations around software bill of materials. Now people are realizing SolarWinds taught us we can’t just take a piece of software and trust that “oh, yeah, I’m sure those guys did a good job building that.” And we can’t do that on the hardware side, either.

And then you mentioned government, but the interesting thing is, they’re not the biggest customer. The biggest customer by a longshot is what I’ll call IP sensitive firms, which are high tech companies who are buying PCs for their employees and they’re worried about spying, and they’re worried about IP theft. And financial services is second, and then government is third. Government probably has more reason to be concerned, but of course, they move so slow compared to corporate high tech IT. They’re getting their act together. But yeah, I mean, the big deals that I see come through almost without fail are big, high tech companies that are worried about IP theft.

Tom Garrison  13:54

And you mentioned software a second ago, but most of what we’ve been talking about has been more hardware examples. So can you talk about the software and the firmware? And how does that factor into Transparent Supply Chain?

Patrick Bohart  14:07

So as a motherboard’s being created, we have a set of tools at the device manufacturer that load the firmware and load the BIOS and test to make sure it’s a genuine Intel CPU. So we’ve just extended those tool sets to capture information about “okay, well, what firmware is being loaded? What microcode is being loaded, right? What BIOS is being loaded? You know, what’s the description string, who’s the vendor, what’s the date code,” a lot of information. And so, you know, we can get a fairly accurate accounting of what was loaded into the system at a particular point in time. And then we store that in the cloud. And so if the system arrives at Intel’s IT department, and they’re going to hand the system to Camille, they can use our tools to re-measure those values and do a comparison–that’s what our tools do–and look to see if those values have changed.

Camille Morhardt  15:00

Don’t IT departments, like, re-image systems, though, before they send them out to employees?

Patrick Bohart  15:05

Often they do on the software side, operating system and applications. And as Tom was pointing out, the Transparent Supply Chain solution today is, you know, basic hardware down. So it’s the hardware, it’s the firmware, it’s the BIOS. But yeah, they do tend to wipe away the software layer and reinstall it, but we still provide that check of the hardware and firmware.

Tom Garrison  15:25

Yeah, the IT shops, in terms of re-imaging BIOS and re-imaging firmware versions and whatnot, I think they’re more reluctant, has been my experience, to mess with those because they’re afraid that through that re-imaging of that low-level software they might do something to mess up the system, and they brick the system or make it unusable. So they tend to stay away from that level, and just re-image OS and above.

Patrick Bohart  15:53

And just an interesting anecdote, this isn’t a geopolitical shift, but another shift that has dramatically influenced the desire for this capability was COVID. The biggest deployment that I know of today of a Fortune, whatever, 500/1000 company, purchasing Transparent Supply Chain and using it for the purposes of tamper detection and BOM verification, did I get what I ordered? And did it arrive in the same state that it left–

Camille Morhardt  16:21

BOM being Bill of Material, just—

Patrick Bohart  16:22

BOM being Bill of Materials, thank you, is because the devices were no longer going to an IT cage, right, because everybody was at home. It created a need for this company to start shipping their PCs to their employees directly to the home. And they’re like, “we lacked sufficient ability to detect if the system arrived as we expected it and it arrived in an untampered state.” So it just runs a bunch of tests and it compares it, you get a little green light that says, “Yeah, looks like nothing’s changed.” And then the provisioning process would keep going.

Camille Morhardt  16:53

So you’re not just looking at verifying that the components are authentic at the time of manufacture, you’re also making sure that nothing happens in transit.

Patrick Bohart  17:03

Right.

Tom Garrison  17:04

And so Patrick, what do you see as the future? We’re obviously ramping quickly as an industry now; where do you see this going over the next few years?

Patrick Bohart  17:14

So we’re just on the cusp of the next set of standards that I believe–and we’re investing based on this belief–will kind of provide the next level of transparency not only into the supply chain, but into the trust state of the platform. So where Transparent Supply Chain basically takes a set of static measurements as the system’s being manufactured and then you compare them to a static measurement later, the standards are going to take us to a new level where we’re going to use DICE, which is a new identification capability, where devices will have a unique identity fused into their hardware; there will also be a mechanism for those individual devices to communicate themselves to a controller, which will generate a manifest at a trusted point like app manufacturer and say, “Okay, here’s who’s getting on the plane. Tom Garrison’s getting on the plane. You know, he knew the secret password, he showed me his ID, everything matched up. Tom, you get on the plane. Camille, we do the same unique identity check to you.” Plane takes off and lands and at any point in time, at any layover, I can go down the seats and say, “Camille, tell me the secret password that you told me before, prove to me that you are who you say that you are.” And if at any point in time you can’t reestablish your trust, we can go so far as to cut power to the component. And this dynamic model of challenging each active component actually is called an Active Component Root of Trust.

And, you know, the other thing is, if at some later point in time, a device says, “Hey, I would like access to the CPU. And I would like access to the comm stack to send information over the internet,” if that device can’t prove that it’s legitimate and prove its trust status, and then prove that it’s supposed to be there, it could be a spy chip that was built into the system lately, and is now waking up and saying, “Hey, I’m capturing data, I want to send it back to wherever.” And if it can’t prove it’s supposed to be there, then we can capture it. And that’s what we’re building right now.

Tom Garrison  19:20

And Patrick, you said that those identifiers, it’s kind of like a serial number, right? But it’s a serial number that’s unique to every specific component. So even the same component, like same part number, will have a different identifier, and it’s built into the device so it can’t be mimicked. Is that the idea?

Patrick Bohart  19:39

The key is fused into the silicon.

Tom Garrison  19:42

And everything’s unique. So even if they swap that part out with the same part, but just a different version of it, it couldn’t pretend to be the first part. Is that correct?

Patrick Bohart  19:53

Yeah.

Camille Morhardt  19:55

Just to be clear, when you’re talking about this kind of dynamic recheck, continuous checking, this is no longer just while the system is in transit; you’re extending now into the operational phase. Is that right?

Patrick Bohart  20:07

Exactly. If somebody came into my office last night and swapped out the graphics card with a similar graphics card, but with an altered BIOS to send restricted Intel secrets to Canada, I would have no way of knowing; Intel IT would have no way of knowing. And I mean, but in that situation, when the check is performed, and when that device is required to identify itself, if it doesn’t know the secret code word that it was given, and we’ve held a copy in the cloud or in the blockchain, then we will say “that graphics controller is not trusted” and shut that system down. Kick it off the internet.

Tom Garrison  20:47

Interesting. Well, Patrick, it’s been great to get the latest on Transparent Supply Chain. It has come a long way from when you and I worked on it, and kicked it off and introduced it actually to the industry. So thanks for coming, and I wish you the best of luck driving it forward.

Patrick Bohart  21:04

Thanks, Tom. Thanks, Camille.

Announcer  21:08

Stay tuned for the next episode of InTechnology and follow @TomMGarrison and Camille @Morhardt on Twitter to continue the conversation. Thanks for listening.
