Back to Dashboard
Security / Compute/ 6.2.2

6.2.2 Anti-Tamper Hardware

2026 Governance Status: Mostly open

Original Problem in the Paper

Motivation: hardware governance mechanisms assume chips/TEEs are not physically compromised; well-resourced adversaries may tamper to bypass protections. Open problems: reconcile tamper evidence/responsiveness with high-end accelerator cooling and high-bandwidth interconnects; assess robustness of specialized packaging, zeroization/self-destruction triggers, and PUF-based remote attestation for AI hardware.

July 2026 Update & Trajectory

General hardware-security standards, roots of trust, and physical security validation exist, but the AI-specific package-level problem remains largely unsolved publicly. I found no verified 2026 primary source showing deployable tamper-evident/responsive enclosures compatible with dense GPU pods/HBM/NVLink-class interconnects or self-destruct/zeroization for AI accelerators at scale.

Deployed / Operationalized

  • FIPS 140-3/ISO 19790 physical-security and non-invasive attack mitigation requirements for cryptographic modules, not full AI accelerator clusters.
  • Roots of trust (Caliptra/OpenTitan) for identity/measured boot/attestation; they improve logical trust but do not by themselves prove no physical tamper of accelerator packaging.
  • Datacenter physical security and chain-of-custody controls in frontier-lab security programs.

New Tractable Vectors

  • Use chip-unique identities, PUF-like primitives, measured boot, and supply-chain provenance to detect replacement or rollback.
  • Model tamper-evidence around serviceability/cooling/interconnect constraints rather than sealed single-chip modules.
  • Combine datacenter surveillance, hardware inventory attestation, and anomaly detection for practical tamper response.

Key Open Questions

  • Affordable high-volume tamper-responsive packaging for HBM/GPU modules with high heat flux and high-bandwidth board-level links.
  • Reliable remote evidence of physical non-tampering, not merely firmware integrity.
  • Safe zeroization/self-destruct semantics for expensive shared accelerators without denial-of-service abuse.

Evidence & Primary Sources