ZeroRISC raises $5M to deliver commercial OpenTitan-based cloud security for chips

ZeroRISC has raised $5 million in seed funding to deliver its first commercial OpenTitan-based cloud security service for silicon chips.

Boston-based startup ZeroRISC has officially launched, with a funding led by Cambridge Angels, a prominent network of U.K. angel investors. The funding round included participation from private investors, with Rajat Malhotra of Wren Capital and Pete Hutton, former Arm President of Product Groups, co-leading the deal on behalf of Cambridge Angels.

The capital will be used to develop and deliver the first commercial cloud security service for silicon, based on the OpenTitan open-source silicon root of trust (RoT) project. The company has also become a member of the OpenTitan project, said CEO Dominic Rizzo, in an interview with VentureBeat.

ZeroRISC provides fabrication-to-field cloud security services that couple tightly with the OpenTitan open-source root of trust design. These start from initial configuration and identity creation, extending to secure ownership transfer and in-field device and platform update and management.

OpenTitan

ZeroRISC, founded in April 2023, consists of original members of the OpenTitan project team from Google, including Rizzo.

In January, Google made some resourcing decisions and the people who formed ZeroRISC team were impacted. The team had been working on OpenTitan and open source silicon for about five years and they were on the cuspot of tapeout. Tapeout refers to the final result of the design process for semiconductor chips.

“We took that event as an opportunity. And we went out and did a fundraise the week that Silicon Valley Bank went sideways. So we did this raise in Cambridge in the UK,” Rizzo said.

“We’ve successfully done the tapeout at this point,” Rizzo added. “We did it in July and we are getting our chips back in a couple of weeks.”

OpenTitan is a collaborative open-source silicon root of trust chip design project, but one designed so that its components form the basis of an open silicon ecosystem. With its partners, it is building trustworthy chip designs for use in consumer, data centers, storage and peripherals, all of which are open and transparent. This transparency allows anyone to inspect the hardware for security vulnerabilities and backdoors as well as contribute to the design and development. This root of trust is a firm security foundation for any platform that integrates the chip. It enables attestation of the silicon itself, its firmware, and the higher level code and operating systems of any device that leverages the technology.

“This is 100% open-source oriented so no one company can dominate it,” Rizzo said. “It’s very much meant to be independent, trustworthy. Everything is visible. This project has been going for about five years and now it’s producing actual physical artifacts.”

Root of Trust

The silicon root of trust (RoT) is the anchor upon which all subsequent operations are based. The RoT is a secure piece of silicon below the operating system. It can attest to both the authenticity of the silicon itself, its firmware, and the higher-level software of the entire platform. Because the operating system is a large attack surface, the silicon RoT is important to establish immutable trust at the very lowest layers of a system.

That is, the root of trust anchors a platform’s entire chain of trust. A root of trust passes measured and validated instructions along to hardware, firmware, or software that is layered above that first trusted component. This continues, with each component trusting the code it is executing because it has been accepted by the link before it, leading all the way back to the root of trust. This is also known as establishing “transitive trust” throughout the entire firmware and higher level software stack.

Secure by default

ZeroRISC’s implementations are secure by default in that its software and services offerings are all rooted in a silicon root of trust that is itself secure by default and secure by design. All operations are authenticated, all hardware IP is protected by physical countermeasures, and the design itself has been extensively reviewed and tested by third-party experts against physical attacks.

The company’s goal is to provide a cloud security service for silicon that prioritizes transparency and trustworthiness for data centers, as well as internet of things, edge devices, and ICS/OT.

The ZeroRISC platform offers a comprehensive solution encompassing silicon, software, and services, enabling secure device management below the operating system. It also facilitates secure ownership transfer.

The startup is collaborating with multiple commercial integration partners, with Nuvoton being the first in line.

OpenTitan’s silicon Root of Trust

OpenTitan, known as the world’s first open-source digital design for silicon RoT, incorporates commercial-grade design verification, top-level testing, and continuous integration (CI). The silicon RoT ensures the integrity of both hardware infrastructure and software by verifying that critical system components boot securely using authorized and verifiable code.

As a member of the OpenTitan project, ZeroRISC played a significant role in the initial discrete silicon tapeout and is actively involved in validating and bringing the first chip to commercial production.

“With cybersecurity liability shifting from end users to manufacturers, truly trustworthy security leveraging the OpenTitan drop-in design represents a massive commercial opportunity,” said Pete Hutton, ZeroRISC investor, in a statement. “The team at ZeroRISC is unmatched and we immediately recognized its potential to significantly disrupt a highly proprietary industry. We look forward to supporting the team in realizing long-term success through commercial utility and broad adoption.”

With the newly secured funding, ZeroRISC aims to focus on open-source development, including the production-quality discrete and integrated RoTs from OpenTitan ecosystem components. The company will also develop a proprietary integration kit for the integrated RoT, a secure-by-default and secure-by-design embedded operating system (OS), and a set of cloud-based services that integrate with the secure OS and silicon designs.

ZeroRISC’s operating system – the software – is written in Rust which is secure by default. See the recent ONCD RFI on memory-safe programming languages like Rust. This embedded operating system is also designed to enforce strict isolation between layers and between applications on a given layer making it secure by design.

The first discrete open-market chip from ZeroRISC boasts resistance against physical attacks, supports post-quantum secure boot, and adheres to commercially relevant certification guidelines from the outset.

“No system can be secure at the operating system level. The safest and most secure systems start with open secure silicon and provide assurances upon that trustworthy foundation,” said Rizzo. “Our mission is to advance the incredible work of the OpenTitan project by delivering a set of secure cloud-based services for device security and management built upon a transparent, trustworthy, secure silicon platform that makes secure transfer of ownership a reality. In doing so, we’re extending zero trust principles below the operating system and back into the supply chain.”

Zero Trust principles are built around the notion that no person or device is automatically trusted. OpenTitan extends this further by making the lowest layer of the stack, the silicon, fully open source and thus able to be verified by any end user.

Nuvoton is a partner of ZeroRISC’s. A leader in secured computing, Nuvotonrecognizes the increasing demand for silicon RoT solutions. While acknowledging OpenTitan’s transparency and reliability as a silicon foundation, Nuvoton believes that value-multiplying software and services are key to driving adoption. The company is excited to partner with ZeroRISC to demonstrate the potential of OpenTitan through an end-to-end solution for addressing complex security challenges.

ZeroRISC, in partnership with Nuvoton and other OpenTitan partners, both developed the original design and led integration efforts to create the first discrete silicon tapeout of a commercial grade open source silicon chip. ZeroRISC has 14 people.