6.2.2 Anti-Tamper Hardware
Original Problem in the Paper
Motivation: hardware governance mechanisms assume chips/TEEs are not physically compromised; well-resourced adversaries may tamper to bypass protections. Open problems: reconcile tamper evidence/responsiveness with high-end accelerator cooling and high-bandwidth interconnects; assess robustness of specialized packaging, zeroization/self-destruction triggers, and PUF-based remote attestation for AI hardware.
July 2026 Update & Trajectory
General hardware-security standards, roots of trust, and physical security validation exist, but the AI-specific package-level problem remains largely unsolved publicly. I found no verified 2026 primary source showing deployable tamper-evident/responsive enclosures compatible with dense GPU pods/HBM/NVLink-class interconnects or self-destruct/zeroization for AI accelerators at scale.
Deployed / Operationalized
- FIPS 140-3/ISO 19790 physical-security and non-invasive attack mitigation requirements for cryptographic modules, not full AI accelerator clusters.
- Roots of trust (Caliptra/OpenTitan) for identity/measured boot/attestation; they improve logical trust but do not by themselves prove no physical tamper of accelerator packaging.
- Datacenter physical security and chain-of-custody controls in frontier-lab security programs.
New Tractable Vectors
- Use chip-unique identities, PUF-like primitives, measured boot, and supply-chain provenance to detect replacement or rollback.
- Model tamper-evidence around serviceability/cooling/interconnect constraints rather than sealed single-chip modules.
- Combine datacenter surveillance, hardware inventory attestation, and anomaly detection for practical tamper response.
Key Open Questions
- Affordable high-volume tamper-responsive packaging for HBM/GPU modules with high heat flux and high-bandwidth board-level links.
- Reliable remote evidence of physical non-tampering, not merely firmware integrity.
- Safe zeroization/self-destruct semantics for expensive shared accelerators without denial-of-service abuse.
Evidence & Primary Sources
- FIPS 140-3 became effective in 2019 and references ISO/IEC 19790/24759; NIST SP 800-140F covers non-invasive attack mitigation metrics. (2026-06-29): https://csrc.nist.gov/projects/cryptographic-module-validation-program/fips-140-3-standards
- OpenTitan provides production silicon root-of-trust designs and security-certified hardware RoT direction, but not AI-accelerator anti-tamper packaging. (2026): https://opentitan.org/
- Caliptra provides datacenter SoC identity/measured boot/attestation, useful for logical integrity but not a public solution for physical anti-tamper enclosures. (2026): https://github.com/chipsalliance/Caliptra