Azure apparatchik shows custom silicon keeping everything locked down
(2025/08/26)
- Reference: 1756241409
- News link: https://www.theregister.co.uk/2025/08/26/microsoft_silicon_security/
Hot Chips: Microsoft is one of the biggest names in cybersecurity, but it has a less-than-stellar track record in the department. Given its reputation, Redmond can't afford to mess around when it comes to securing its cloud customers' data and workloads.
At the annual Hot Chips conference on Monday, Bryan Kelly, a partner security architect at Microsoft, detailed the layer cake of silicon security underpinning Azure's compute offerings.
A key aspect of Microsoft's hardware security is isolation. Encryption keys are stored in an integrated hardware security module (HSM), while VMs are isolated from one another using trusted execution environments (TEE) baked into modern CPUs and GPUs. The control, data, networking, and storage planes are all offloaded to smartNICs and an open source Root of Trust (RoT) module ensures everything is what it purports to be.
[1] Figure: An overview of the lengths Microsoft has gone to isolate just about every aspect of the compute stack
During his presentation, Kelly focused most of his attention on new security silicon, including its HSM and Caliptra 2.0 RoT modules, which are now standard as part of Azure's 2025 fleet rollout.
HSMs aren't new by any stretch of the imagination, and serve as a vault for storing and executing cryptographic keys and operations.
Traditionally, Kelly explained, HSMs have been dedicated appliances which might serve multiple systems and virtual machines. However, this approach presents several challenges.
"They're specialized hardware that are deployed separately in separate clusters, and this can create some challenges with scaling them as the compute and AI infrastructure is deployed," he said.
"Another challenge is they're remotely accessed. When a workload wants to access its keys that are stored in HSM, it has to do a TLS connection to the HSM, ask it to perform an operation with the key, and then return the data. That creates latency… so, it becomes impractical for some workloads," Kelly added.
Instead, Microsoft opted to disaggregate this functionality into its latest generation of systems, making each box its own HSM. Doing this required entirely new silicon, which it [6]teased late last year.
[7] Figure: Azure Integrated HSM
"It wouldn't be practical to take one of those large central HSMs and try to nest it in a server, it would be like a server in a server," he said.
Each HSM has been optimized to accelerate AES and Private Key Encryption (PKE), and uses hardened interfaces, like the TEE Device Interface Security Protocol (TDISP), for connecting to the rest of the system and services.
In addition to protecting from internal threats, the module was also hardened against physical and side-channel attacks, as the last thing Microsoft needs is someone smuggling one of these things out of the datacenter to extract the keys Ocean's 11 style.
"One of the challenges with this anti-tamper packaging is you can't have slits or ways for probes to get in there, it has to be fully sealed," he explained.
The integrated HSM complements Azure's existing confidential computing stack, which ensures data is encrypted at rest, in transit, and while in memory, and that during execution, it's isolated from other VMs which might be running on the machine at any given moment.
These TEE environments have been part of Intel, AMD, and Nvidia's hardware for years now. However, to ensure everything is above board and nothing has been tampered with, Microsoft, with the help of AMD, Google, and Nvidia, developed an open source root-of-trust (RoT) module called Caliptra back in 2022.
Now in its second generation, the part's primary responsibility is making sure that all the constituent pieces of the compute stack are what they purport to be and haven't been modified or coopted for malicious purposes.
Caliptra 2.0 also introduces Adam's Engine, a quantum safe cryptographic accelerator, as well as the Open Compute Platform's layered open source cryptographic key management (LOCK) spec for NVMe key management.
Kelly argues that, in spite of open source's reputation for being "lower quality," (his words, not ours) the transparency it affords is invaluable for an application like RoT.
In theory, if there were a flaw in Caliptra 2.0's design or implementation, its open nature means that it's all laid out for security researchers to find and report any flaws. Open source also lends itself well to spaces that are heavily standardized, Kelly noted.
"Cryptography has been heavily standardized. There's not a whole lot of room for differentiation. You want to do standard cryptography because… the first rule of cryptography, don't write your own cryptography," he said.
Both of these components are now standard in all new deployments across Azure's fleet as of this year. ®
[1] https://regmedia.co.uk/2025/08/26/microsoft_hardware_security.jpg
[6] https://www.theregister.com/2024/11/20/microsoft_azure_custom_amd/
[7] https://regmedia.co.uk/2024/11/20/azureintegratedhsm.jpg
Look at all this fancy hardware....
IGotOut
...to try and offset all the issues caused by our bug ridden software, but look, it now has AI!
Oh dear
Microsoft can put as many “quantum-safe” locks and anti-tamper seals on its boxes as it likes. The moment the Cloud Act is invoked, those locks pop open. And with Washington visibly compromised - from the White House down to the intelligence agencies - customers aren’t buying protection, they’re buying plausible deniability. Encrypt it in transit, encrypt it at rest, encrypt it in memory - but it won’t stop the files taking a day-trip to Moscow the next time Putin mentions the word “Epstein”.