Solidigm™ SSDs (starting with the D7-PS1xxx series and beyond) will feature the Device Attestation capability, which enables customers to verify cryptographically that the SSD is an authentic Solidigm product and running the expected firmware and configuration.
Attestation data can be obtained from the SSD using the commands specified in the DMTF Security Protocol and Data Model (SPDM) Specification. Please refer to this specification in order to execute the protocol necessary to obtain Attestation data.
Once the attestation data is obtained from the SSD, it is critical to verify the authenticity of the retrieved data.
Once the attestation data from the SSD and the Solidigm Attestation certificate data have been obtained, the requesting entity (e.g., host software, BMC, etc.) can verify the digital signature of the attestation data from the SSD to ensure it has been digitally signed by Solidigm.
If the digital signature is proven to be from Solidigm, the requestor can confirm that the SSD is a genuine Solidigm SSD that is configured as expected. If any of these verification steps fail, the requestor may choose to take remediation actions and/or prevent the SSD from booting. If this occurs, the requestor may need to contact Solidigm Customer Support for assistance.
The figure below is a high-level depiction of the above process:
The Solidigm Device Attestation Root Certificate is an X.509 digital certificate that is used to verify the digital signature produced by a Solidigm SSD (an overview of certificates and digital signatures can be found here).
In accordance with industry standards and best-known practices, Solidigm maintains an internal Certificate Authority that hosts the Solidigm Device Attestation Root Certificate. Some of the attributes of the Solidigm Device Attestation Root Certificate can be found below. Customers may retrieve the Solidigm Device Attestation Root Certificate below:
The Solidigm Attestation Root CA Certificate Status:
Active
Obtain Solidigm Attestation Root Certificate Data for the D7 the D7-PS1010 and D7-PS1030 to verify the digital signature and security of your SSD.
In addition to querying the HW cryptographic identity, the Device Attestation feature also enables the host to query and establish the device's firmware identity through the invocation of the DMTF SPDM GET_MEASUREMENTS command. The values returned by the SSD are cryptographic measurements (i.e., hash values) of the firmware code and its configuration. The host may request that the device signs the measurements to ensure that they are bound to the device's HW cryptographic identity.
The table below provides a sample output of the SPDM GET_MEASUREMENTS response from a Solidigm SSD. This is for illustration purposes only:
Index | Fields | Sub-fields |
Value | Description |
---|---|---|---|---|
1 | Measurement Specification | DMTFSpecMeasurementValueType - Bit 7 | 0x0 | Digest |
Measurement Specification | DMTFSpecMeasurementValue - Bits 6:0 | 0x0 | Immutable ROMs | |
Measurement Size | Measurement Size | 48 | Bytes | |
Measurement | Measurement | ROM | SHA-384 hash | |
2 | Measurement Specification |
DMTFSpecMeasurementValueType - Bit 7 | 0x0 | Digest |
Measurement Specification |
DMTFSpecMeasurementValue - Bits 6:0 | 0x1 | Mutable FW | |
Measurement Size | Measurement Size | 48 | Bytes | |
Measurement | Measurement | Firmware | SHA-384 hash | |
3 | Measurement Specification | DMTFSpecMeasurementValueType - Bit 7 | 0x0 | Digest |
Measurement Specification | DMTFSpecMeasurementValue - Bits 6:0 | 0x2 | Hardware Configuration | |
Measurement Size | Measurement Size | 48 | Bytes | |
Measurement | Measurement | EFUSE | SHA-384 hash | |
4 | Measurement Specification | DMTFSpecMeasurementValueType - Bit 7 | 0x0 | Digest |
Measurement Specification | DMTFSpecMeasurementValue - Bits 6:0 | 0x3 | Firmware Configuration | |
Measurement Size | Measurement Size | 48 | Bytes | |
Measurement | Measurement | Firmware Configuration | SHA-384 hash |
For any questions, please contact Solidigm customer support at Create Case · Customer Self-Service.