Solidigm™ SSD Device Attestation Support

Solidigm™ SSDs (starting with the D7-PS1xxx series and beyond) will feature the Device Attestation capability, which enables customers to verify cryptographically that the SSD is an authentic Solidigm product and running the expected firmware and configuration.  

Attestation data can be obtained from the SSD using the commands specified in the DMTF Security Protocol and Data Model (SPDM) Specification. Please refer to this specification in order to execute the protocol necessary to obtain Attestation data.

Once the attestation data is obtained from the SSD, it is critical to verify the data against Solidigm Verified Attestation Data, typically referred to as Reference Integrity Manifests (RIMs).  Solidigm Verified Attestation data has been verified by Solidigm as accurate and has been digitally signed in order to maintain integrity and preserve its authenticity.  

Once the attestation data from the SSD and the Solidigm Verified Attestation data have been obtained, the requesting entity (e.g., host software, BMC, etc.) can compare these two datasets to see if they match.  Additionally, the requestor will be able to verify the digital signature of the attestation data from the SSD to ensure it has been digitally signed by Solidigm. 

If the attestation datasets match, and the digital signature is proven to be from Solidigm, the requestor can confirm that the SSD is a genuine Solidigm SSD that is configured as expected.  If any of these verification steps fail, the requestor may choose to take remediation actions and/or prevent the SSD from booting.  If this occurs, the requestor may need to contact Solidigm Customer Support for assistance.

The figure below is a high-level depiction of the above process:

[Figure: Device attestation process for Solidigm SSDs]

Retrieval of Solidigm Device Attestation Root Certificate

The Solidigm Device Attestation Root Certificate is an X.509 digital certificate that is used to verify that the SSD is a genuine Solidigm SSD (an overview of certificates and digital signatures can be found here and here).

In accordance with industry standards and best-known practices, Solidigm maintains an internal Certificate Authority that hosts the Solidigm Device Attestation Root Certificate.  Some of the attributes of the Solidigm Device Attestation Root Certificate can be found below.  Customers may retrieve the Solidigm Device Attestation Root Certificate below:

The Solidigm Attestation Root CA Certificate Status: Active

  • Solidigm Attestation Root Certificate (ECDSA P-384, O = Solidigm, CN = Solidigm Attestation Root CA)
  • Self-signed: DER, PEM, Text
  • SHA256 (base64): 3fKYNpROUS5Pm6EHd1qLXoWb7GA+HvMplnS5Z+Ok6GA=

Obtain Solidigm Attestation Root Certificate Data for the D7-PS1010 and D7-PS1030 to verify the digital signature and security of your SSD.

Retrieval of Device Attestation Data from a Solidigm SSD

In addition to querying the HW cryptographic identity, the Device Attestation feature also enables the host to query and establish the device's firmware identity through the invocation of the DMTF SPDM GET_MEASUREMENTS command. The values returned by the command are the SSD Attestation Data, expressed as cryptographic measurements (i.e., hash values) of the firmware code and its configuration. The host may request that the device sign the returned measurements to ensure that they are bound to the device's HW cryptographic identity. Additionally, the host should compare these measurements against Solidigm’s Verified Attestation Data to ensure their authenticity.

The table below provides a sample output of the SPDM GET_MEASUREMENTS response from a Solidigm SSD.  This is for illustration purposes only:

[Table image: SPDM Measurement]

For any questions, please contact Solidigm customer support at Create Case · Customer Self-Service.

Retrieval of Solidigm Verified Attestation Data

Solidigm customers may obtain Solidigm Verified Attestation Data for their target product below.  The more technical term for Solidigm Verified Attestation Data is Solidigm’s Concise Reference Integrity Manifests (CoRIMs).  Details on CoRIMs, as defined by IETF, can be found here.

Solidigm’s CoRIMs convey the cryptographic measurements and device composition information that the host should expect to see when retrieved from the SSD using the SPDM protocol (e.g., immutable ROM measurements, mutable firmware measurements, etc.). Solidigm CoRIMs must be used to verify the attestation data retrieved from the SSD. Note that Solidigm’s CoRIMs may not include measurements for the device’s dynamically configurable attributes, such as hardware and firmware configurations, as those can vary from one SSD configuration to another.
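
The comparison step described above, as an added example (not Solidigm code): it parses a GET_MEASUREMENTS measurement record in the DMTF measurement block layout from DSP0274 and appraises it against reference digests, reporting configuration measurements that have no reference value separately instead of failing them. Assumptions: the SPDM response signature and the CoRIM signature have already been verified, the reference digests have already been extracted from the CoRIM, all sample values are constructed, and failing a code measurement that has no reference value is a policy chosen for this example.

```python
import hashlib
import struct

# DMTFSpecMeasurementValueType bits [6:0] per DMTF DSP0274: 0 = immutable ROM,
# 1 = mutable firmware, 2 = hardware configuration, 3 = firmware configuration.
DYNAMIC = {2, 3}  # configuration measurements a CoRIM may not cover


def parse_record(record: bytes):
    """Yield (index, value_type, is_raw, value) for each DMTF measurement block."""
    off = 0
    while off < len(record):
        if off + 7 > len(record):
            raise ValueError("truncated measurement block header")
        index, spec, size, vtype, vsize = struct.unpack_from("<BBHBH", record, off)
        if not spec & 0x01:
            raise ValueError(f"block {index}: not a DMTF-format measurement")
        if size != vsize + 3 or off + 4 + size > len(record):
            raise ValueError(f"block {index}: inconsistent sizes")
        yield index, vtype & 0x7F, bool(vtype & 0x80), record[off + 7:off + 7 + vsize]
        off += 4 + size


def appraise(record: bytes, reference: dict):
    """Compare device measurements with reference digests keyed by block index."""
    results = {}
    for index, vtype, is_raw, value in parse_record(record):
        if index in reference:
            ok = not is_raw and value == reference[index]
            results[index] = "match" if ok else "MISMATCH"
        elif vtype in DYNAMIC:
            results[index] = "no reference (dynamic configuration)"
        else:
            results[index] = "MISMATCH"  # assumed policy: unreferenced code fails
    for index in reference.keys() - results.keys():
        results[index] = "MISSING"  # expected measurement not reported
    trusted = not any(v in ("MISMATCH", "MISSING") for v in results.values())
    return trusted, results


def block(index: int, vtype: int, value: bytes) -> bytes:
    """Build one constructed measurement block for the sample data."""
    return struct.pack("<BBHBH", index, 0x01, len(value) + 3, vtype, len(value)) + value


# Constructed sample data: digests of placeholder strings, not real Solidigm values.
ROM, FW, CFG = (hashlib.sha384(s).digest() for s in (b"rom", b"fw-1.0", b"cfg"))
REFERENCE = {1: ROM, 2: FW}  # stands in for values taken from a verified CoRIM
SAMPLE = block(1, 0, ROM) + block(2, 1, FW) + block(3, 3, CFG)
```

Calling appraise(SAMPLE, REFERENCE) returns a trusted verdict with block 3 flagged as having no reference, which is the case a verifier has to decide on by local policy.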

Related Industry Specifications and Other References