Introduction to Intel Transparent Supply Chain on Lenovo ThinkSystem Servers

Infrastructure security has long been on top of the lists of concerns for businesses. Increasingly frequent reports of supply chain attacks add to those concerns, whether it’s purported “spy chip” hardware implants, tainted firmware, interdicted shipments, or counterfeit components.

Recent publications have expressed growing concern that counterfeit electronic parts can cause safety hazards, failure of critical business applications, or that there's a risk that vulnerabilities can be introduced into the supply chain to be exploited later.

Modern manufacturing logistics and the globalization of current supply chains make it difficult to trace the origin and safety of the components inside a device. Your data center supplier must be able to provide assurance that it has tamper proof supply chains from the manufacturing facility all the way into your hands. Current supply chain practices start with trusting the source, but processes are limited to screening out counterfeit components, particularly for products containing many subsystems.

Lenovo has one of the world’s best supply chains as ranked by Gartner Group, backed by extensive and mature supply chain security programs that exceed industry norms and US Government standards. Now we are the first Tier 1 manufacturer to offer Intel® Transparent Supply Chain in partnership with Intel, offering you an unprecedented degree of supply chain transparency and assurance.

Intel Transparent Supply Chain (Intel TSC) is a set of tools, policies, procedures and data capture. It extends from motherboard production through the manufacturing factory floor to your data center, implemented on the factory floor enabling you to verify the authenticity of components, installed firmware, and the configuration of your systems.

It all starts with motherboard production, where a comprehensive bill of materials detailing each electronic component – down to the smallest part – is automatically generated by the automated shop floor control systems used for printed circuit board assembly. This inventory forms the motherboard “as built” data file, with each file uniquely tied to a specific motherboard.

Next, in server manufacturing, we physically inventory all the components we assemble in a server using barcoded component identifiers scanned into our manufacturing systems. This inventory is the source of the platform “as built” data file, with each file uniquely tied to a specific server chassis.

Once server manufacturing is complete, an Intel-provided software tool is run that inventories all software readable components, installed firmware, and configuration information within the server. This information is then tied to the TPM, the Trusted Platform Module, that's on the server motherboard.

All of this data is then sent via secure connection to Intel where they digitally sign the data and post it to the Intel-hosted Lenovo ISG Transparent Supply Chain portal at https://tsc.intel.com/lenovo-dcg/. You can then retrieve the data and a companion verification tool. This way you know what's in your system, and you will have the full bill of materials and traceability report of your system along with the accountability and attestation provided by Intel's digital signature which safeguards against data tampering.

With this enhanced supply chain security capability, you will have the confidence that all components are known and genuine, and have a way to verify that the hardware you are receiving hasn’t been tampered with between when it left our facility to when it arrived at yours.

This feature provides traceability back to the motherboard component level giving you the confidence of knowing exactly what's in your product. Below you will find a graphic depiction of the process.

Figure 1. Intel Transparent Supply Chain workflow (click to view a larger version)

The motherboard “as built” data file - shown in the image below - goes to the detailed level of the motherboard: every micro circuit, chip, resistor, everything that’s placed on a motherboard is inventoried along with information like where it came from, what's its part number, and if there's a serial number. Then we extend that to all the other components that are installed in the server like memory DIMMs, CPUs and hard drives. This creates a set of data which captures each of those individual pieces that make up the product.

Figure 2. "As Built" data file screen capture (click to view a larger version)

The direct platform data file consists of component information that is programmatically readable from the system. A software utility runs and identifies what's installed in the server, where it will identify a hard disk if its installed, then read the model number, serial number, firmware version and other details. The utility will also read the platform configuration registers from the Trusted Platform Module (TPM) which represent system configuration values.

The software also talks to the TPM that's on the server motherboard to read the platform configuration registers representing system configuration values, and to read unique characteristics built into each TPM from the TPM manufacturer such as serial number, and cryptographic endorsement key, certificate. Since the TPM is soldered down to the motherboard it provides a unique representation that ties the collected data to a specific motherboard with specific components in a specific system.

To add Intel Transparent Supply Chain to your order simply add the following feature code in the DCSC configurator, under the Security tab.

The benefits of adding Intel Transparent Supply Chain can be summarized in four features, as follows:

The following tables list the ThinkSystem and ThinkEdge servers that support this enhanced security feature. The equivalent ThinkAgile systems are also supported.

Lenovo ISG has paired its industry leading supply chain with Intel’s innovative Transparent Supply Chain program to add a layer of protection to your data center and bring peace of mind that the server hardware you bring into it is authentic and with documented, testable, and provable origin.

Ask your Lenovo representative how this feature can be added to your purchase.