1

Supply Chain Assessment — Due Diligence & Trusted Foundry

Modern hardware components pass through dozens of hands before arriving at your data centre. A supply chain attack requires compromising only one step in that chain — adding a rogue chip, embedding malware in firmware, or substituting a counterfeit device. Supply chain assessment ensures that every component can be trusted from its origin to your rack.

To create a trusted computing environment, every element must be consistent and tamper-resistant: hardware, firmware, drivers, operating system, and applications. The level of rigour you apply depends on your organisation's risk appetite — a government contractor needs more than a small business does.

Due diligence checklist for new vendors

Cybersecurity programme maturity — is the vendor's security programme properly resourced? Do they have documented security controls, policies, and incident response procedures?
Security assurance and risk management processes — do they have formal risk management frameworks in place? Have they been audited by a third party?
Product support lifecycle — how long will they support this product with patches and updates? What is the end-of-life date? A product with no upcoming EOL date is safer than one that goes unsupported next year.
Security controls for confidential data — if this vendor will handle your data (SaaS, cloud hosting), do they have appropriate data protection, encryption, and access controls?
Incident response and forensic support — when something goes wrong, will they help? Can they provide logs, forensic data, and active support during an incident response?
Company financial stability and history — will they still be in business in three years? A vendor that goes out of business leaves you with an unsupported product and no patch support. Check financials, company age, and market position.
Due diligence applies to contractors too. Not just product vendors — contractors who work on your systems have privileged access. Conduct background checks, verify credentials, and ensure they sign appropriate agreements (NDA, code of conduct, privileged user agreement) before granting access to sensitive systems.

Hardware source authenticity

Trusted sources
Procure hardware directly from the manufacturer or an authorised reseller. Verify the supply chain. When possible, use hardware that comes sealed and with tamper-evident packaging that shows it hasn't been opened between factory and delivery.
Secondhand risk
eBay, grey-market resellers, and aftermarket suppliers carry significantly higher risk of receiving counterfeit or compromised devices. Malware can be embedded in router/switch firmware and extra chips inserted inside the housing — indistinguishable by visual inspection alone.
Trusted Foundry
A microprocessor manufacturing programme created by the US Department of Defense to ensure validated supply chain integrity for military-grade hardware. The hardware and software in the programme does not deviate from its documented function. Exam: Trusted Foundry = DoD-run, ensures secure microprocessors in the supply chain.
Exam note: Trusted Foundry is a US DoD programme for ensuring microprocessor supply chain security. Know that it exists and what it does — you don't need deep implementation details. The concept of supply chain attacks is increasingly tested: understand that compromised hardware could be introduced at any point between manufacture and deployment.
2

Root of Trust — TPM, HSM & Anti-Tamper

A hardware root of trust (RoT) is a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics. It's the anchor of your entire security chain — if you can't trust the hardware, none of the software security above it matters. The most common RoT implementation is the Trusted Platform Module (TPM).

TPM — Trusted Platform Module

A specification for hardware-based storage of digital certificates, cryptographic keys, hash passwords, and platform identification information. The TPM is the hardware component that makes Secure Boot, BitLocker, and Measured Boot possible.

Cryptographic processor
Contains a true random number generator, RSA key generator, SHA-1 hash generator, and encryption/decryption/signature engines. Performs all cryptographic operations in isolated hardware.
Persistent memory
Endorsement Key (EK) — unique to each TPM, never leaves the chip. Storage Root Key (SRK) — protects all other keys stored in the TPM. These are set during manufacturing and cannot be changed.
Versatile memory
Platform Configuration Registers (PCRs) — store measurements of boot process. Attestation Identity Keys (AIKs) — used to sign attestation reports. Storage keys — protect user/application data.
Secured I/O
Provides protected communication channels between the TPM and the rest of the system. Ensures measurements and attestation data can't be intercepted or modified in transit.
TPM in Windows
Managed via tpm.msc (console) or Group Policy. Used by BitLocker for full-disk encryption (the decryption key is sealed in the TPM and only released when the boot measurements match expected values). Also used by Windows Hello biometric authentication.
TPM and BitLocker
TPM + BitLocker: the drive encryption key is sealed inside the TPM. If someone removes the hard drive and puts it in another computer, the TPM won't release the key — the data stays encrypted. This is why you must back up your BitLocker recovery key separately.

HSM — Hardware Security Module

An HSM is a dedicated appliance for generating and storing cryptographic keys that is significantly less susceptible to tampering and insider threats than software-based key storage. The key advantage: the keys are generated and stored inside the HSM and cannot be extracted in plaintext — even by administrators. This removes the human as a potential attack vector for key compromise.

HSM form factors
Internal PCIe card (low-cost, embedded in server). Rack-mounted appliance (enterprise scale, shared across many servers). Network HSM (accessible via network to multiple applications). IoT-scale hardware tokens. All share the same principle: keys don't leave the HSM in an unencrypted form.
HSM vs. software key storage
Software key stores: accessible to OS, applications, admins with sufficient access. Keys can be copied. HSM: keys are generated inside, operations happen inside, only results come out. Insider threat for key theft is essentially eliminated. FIPS 140-2/3 certified HSMs provide the highest assurance level.

Anti-tamper mechanisms

Anti-tamper concept
Methods that make it difficult for an attacker to alter the authorised execution of software. Physical analogy: the tamper-evident seal on a medicine bottle. If the seal is broken, you know someone was inside. Electronic anti-tamper does the same — if someone tries to access or modify the protected hardware, the system detects it and destroys the data.
FPGA (Field Programmable Gate Array)
A configurable hardware chip that can detect physical tampering. If tamper is detected, it can zero out (wipe) the cryptographic keys, making the stored data permanently inaccessible. The attacker gets the hardware but not the secrets inside it.
PUF (Physically Unclonable Function)
Exploits microscopic manufacturing variations in the chip that are unique to each device — like a hardware fingerprint. Creates a cryptographic key from the physical properties of the silicon. Cannot be cloned or extracted — it's generated from physics, not stored as data. Tampering destroys the physical properties and thus the key.
3

Trusted Firmware — UEFI, Secure Boot, Measured Boot & eFUSE

A firmware exploit gives an attacker the ability to run any code at the highest level of CPU privilege — below the operating system, invisible to antivirus, and persistent across OS reinstalls. Trusted Firmware mechanisms protect the boot process to prevent this. All of these require UEFI rather than legacy BIOS.

Trusted firmware boot chain (top to bottom)

Trusted Firmware Boot Chain — each layer validates the next
Hardware
UEFI
Unified Extensible Firmware Interface. Replaces legacy BIOS. 64-bit support, GUI, secure boot capability. Foundation for all trusted boot mechanisms.
UEFI
Secure Boot
UEFI feature that checks digital signatures of boot loaders. If the OS boot loader isn't signed by a trusted key (e.g. Microsoft's certificate), it won't load. Prevents malware from hijacking the boot process.
Boot
Measured Boot
UEFI feature that records cryptographic measurements of each boot component (timing, sizes, hashes). Creates a detailed audit report of the boot process for later attestation.
Measurement
Attestation
A claim that the measured boot data is valid. The Measured Boot report is digitally signed using the TPM's private key. Any relying party can verify that the boot was clean by checking the TPM signature.
Signs
TPM
Signs the attestation report using its Endorsement Key. Provides hardware-backed proof that the system booted correctly. The root of trust that underpins the entire chain.
Trusted
Trusted OS Loads
Only if all checks pass does the operating system load. The OS can trust that the firmware and boot environment haven't been tampered with.

Additional trusted firmware concepts

eFUSE
Electronic one-time fuse
Like a physical fuse that blows permanently when overloaded, an eFUSE is a transistor on a chip that can be permanently altered by software/firmware to seal cryptographic keys during manufacturing. Once blown, the fuse state cannot be reversed. Tampering with sealed content blows the fuse — making the system permanently non-functional or the data inaccessible. Used for one-time programming of secure boot keys.
Trusted Firmware Updates
Digitally signed updates only
Firmware updates must be digitally signed by the vendor and verified by the system before installation. An unsigned or untrusted firmware update could introduce a persistent rootkit below the OS level. If the signature check fails or an eFUSE would be blown by the update, the update is rejected.
Self-Encrypting Drives (SEDs)
Firmware-controlled encryption
SEDs have firmware on the disk controller that automatically encrypts data written to the drive and decrypts data read from the drive. Hardware-level encryption offloads processing from the CPU. The drive's firmware must be trusted — it is itself a firmware component that can contain vulnerabilities. Applies all the same trusted firmware principles.
BIOS vs. UEFI: Legacy BIOS systems cannot implement Secure Boot, Measured Boot, or most modern trusted firmware features. Almost all systems manufactured in the last decade use UEFI. If you're still running legacy BIOS, you cannot have a trusted boot process — this is a significant security limitation of older hardware and a reason to prioritise hardware refresh cycles.
4

Secure Processing — Processor Extensions, Enclaves & Bus Encryption

Secure processing ensures the confidentiality, integrity, and availability of software code and data as it executes in volatile memory. Even if an operating system is secure, an attacker with physical access or a hypervisor-level exploit can read or modify data in RAM. Secure processing mechanisms protect data during the most vulnerable phase of computation — while it's actively being used.

Processor security extensions — AMD vs. Intel

VendorExtensionWhat it does
AMD SME — Secure Memory Encryption Encrypts system memory transparently using a single key managed by the CPU. Data in RAM is encrypted even if an attacker has physical access to the RAM sticks.
AMD SEV — Secure Encrypted Virtualization Extends SME to virtual machines — each VM's memory is encrypted with a different key. Even the hypervisor can't read a guest VM's memory. Protects cloud tenant data from the cloud provider.
Intel TXT — Trusted Execution Technology Creates a hardware-protected environment for launching code. Ensures that only measured and trusted software runs during critical operations. Works with TPM for launch control policies.
Intel SGX — Software Guard Extensions Allows applications to create encrypted memory enclaves that are protected even from the OS, hypervisor, and other applications. Encryption keys live in the CPU and never leave it.

Five secure processing mechanisms

Processor Security Extensions
Low-level CPU instructions enabling secure processing. AMD: SME/SEV. Intel: TXT/SGX. Built directly into the microprocessor silicon.
Exam level: know the four names and their vendor associations.
Trusted Execution
CPU security extensions invoke TPM and secure boot attestation to ensure only a trusted OS is running. The UEFI Secure Boot + Measured Boot + TPM attestation chain confirms the OS hasn't been tampered with before execution begins.
Prevents OS-level rootkits from executing undetected.
Secure Enclave
An extension allowing trusted processes to create an encrypted container for sensitive data within RAM. Data inside the enclave is inaccessible even to the OS. Typical use: storing encryption keys, credentials, private keys.
Prevents buffer overflow attacks from reaching sensitive memory regions.
Atomic Execution
Extensions ensuring certain operations (like memory initialisation) happen exactly once — they cannot be interrupted, hijacked, or repeated. Prevents buffer overflows and race conditions caused by re-entering an initialisation operation.
Prevents TOCTOU (time-of-check/time-of-use) race condition attacks.
Bus Encryption
Data is encrypted by the application before being placed on the data bus (the communication path between components). Ensures data can't be intercepted during transmission between the CPU, RAM, and peripheral devices. The receiving device must be trusted and have the decryption capability.
Real-world example: HDCP (High-bandwidth Digital Content Protection) encrypts data over HDMI cables between devices. The "HDCP Unauthorized" error = bus encryption handshake failure.
The trusted computing chain: Supply chain (trustworthy hardware) → Root of Trust (TPM/HSM) → Trusted Firmware (UEFI → Secure Boot → Measured Boot → Attestation) → Secure Processing (processor extensions protecting RAM/execution). Each layer protects the layer above it. If any layer is compromised, all layers above it are potentially compromised too — this is why supply chain is the foundation of everything.

Exam

Quick Reference Cheat Sheet

Supply chain assessment
Due diligence on vendors: cybersecurity programme, risk management, product support lifecycle, data security controls, incident response support, financial stability. Trusted Foundry = US DoD programme validating microprocessor supply chain. Hardware source authenticity = buy from manufacturer/authorised reseller, not grey market. Counterfeit routers/switches may contain embedded malware or extra chips indistinguishable by visual inspection.
Root of trust (TPM)
TPM = Trusted Platform Module — hardware chip for storing certificates/keys/hashes. Manages: Endorsement Key (EK), Storage Root Key (SRK), Platform Configuration Registers (PCRs), Attestation Identity Keys (AIKs). Used by: BitLocker, Secure Boot, Measured Boot, Windows Hello. Managed via tpm.msc or Group Policy. Root of trust = the hardware anchor that makes everything else trustworthy.
HSM & anti-tamper
HSM = Hardware Security Module — dedicated appliance for generating/storing crypto keys. Keys never leave HSM in plaintext — removes human as key theft vector. Form factors: PCIe card, rack, network, IoT token. Anti-tamper: FPGA (detects physical tampering → zeroes cryptographic keys). PUF (Physically Unclonable Function — hardware fingerprint from manufacturing variations, cannot be cloned or extracted).
Trusted firmware chain
UEFI (replaces BIOS, required for all below) → Secure Boot (verifies OS boot loader signatures) → Measured Boot (records metrics of boot process) → Attestation (TPM signs the boot report digitally) → Trusted OS loads. eFUSE = one-time programmable transistor that permanently seals crypto keys; tampering destroys the fuse. Trusted Firmware Update = must be vendor-signed. SED = drive with firmware-based encryption.
Processor security extensions
AMD: SME (Secure Memory Encryption — encrypts RAM) and SEV (Secure Encrypted Virtualisation — per-VM RAM encryption). Intel: TXT (Trusted Execution Technology — hardware-protected launch env) and SGX (Software Guard Extensions — encrypted memory enclaves in CPU). For exam: know all 4 names and which vendor makes them.
Secure processing (5 types)
1 Processor security extensions (AMD SME/SEV, Intel TXT/SGX). 2 Trusted Execution (CPU + TPM + Secure Boot confirms trusted OS). 3 Secure Enclave (encrypted container in RAM for sensitive data — invisible to OS). 4 Atomic Execution (prevents memory init from being interrupted/re-entered — stops race conditions). 5 Bus Encryption (encrypt data before it goes on the bus — HDCP is real-world example).