The HIGHER project aims to build data-center system platforms based on open standards using European technologies and OCP (Open Compute Project) specifications. HIGHER system platforms will be integrating Arm-based and RISC-V-based Host Processor Modules (for processor chips developed in Europe) with AI/HPC acceleration capabilities. HIGHER aims to demonstrate full computing infrastructure deployments from cloud to edge, with processing and energy efficiency suitable for demanding application use-cases.
A part of the project’s technical foundations likes in OCP Caliptra, an open-source Root of Trust (RoT) for Measurement specification, and its integration in project platforms.
Background
Caliptra provides a standardized, silicon-integrated security subsystem designed to establish a hardware-based foundation of trust for computing platforms, capable of the following key functions:
- Secure boot and firmware measurements
- Cryptographic services and key management
- Attestation capability to verify platform integrity
- Operation independently from the main CPU (i.e. even before full-system boot).
Integration of Caliptra technology in cloud environments addresses several critical concerns:
- Supply chain security: Verifies that hardware and firmware components haven’t been tampered with from manufacturing through deployment
- Multi-tenant trust: Provides verifiable cryptographic evidence of platform state to customers sharing infrastructure, critical for cloud service providers
- Standardization: Open specification ensures consistency of security guarantees across different hardware providers
- Zero-trust architecture: Enables “never trust, always verify” approaches at hardware level, essential for high-assurance security frameworks.
Caliptra integration in DC-SCM designs of the HIGHER project
The HIGHER project seeks to develop a DC-SCM (Data Center Secure Control Module) design, which is an OCP-standardized daughterboard that consolidates platform management functions, typically including BMC (Baseboard Management Controller), network controllers, and security components. As shown in the accompanying figure, Caliptra will be integrated as a separate Security Processor, independent from the BMC for additional isolation (i.e. separation prevents BMC compromise from affecting the RoT). Significant effort is planned within HIGHER to implement the standardized boot and measurement flow required to establish the full platform attestation chain, spanning from the hardware RoT all the way to user-managed workloads:
Caliptra (Hardware RoT) à BMC Firmware à Host Firmware (UEFI) à Operating System -> Workloads.
The Caliptra ROM boots first, then proceeds to measure BMC firmware. BMC boots if verified, and proceeds to measure host firmware. Attestation is always available.
Figure 1: Integration of Caliptra RoT with OCP DC-SCM module, as part of HIGHER system platform designs.
Concluding remarks
The DC-SCM integration of Caliptra closes a critical gap in platform security: establishing cryptographic trust before any programmable firmware executes. This hardware-first approach transforms attestation from a best-effort software feature into a foundational platform capability, enabling zero-trust architectures at data-center scale with the operational efficiency that open standards deliver.
In the context of the HIGHER project, DC-SCM modules will be designed and integrated in project prototype platforms. This integration makes DC-SCM modules the security anchor for the entire server platform, which are critical for multi-tenant cloud environments. At the time of writing, the design work for DC-SCM modules is in progress, on several fronts: component selection and customization, evaluation integration alternatives, and software-based emulation. Completion and demonstration of Caliptra-enabled DC-SCM modules will therefore be one of the most prominent outcomes of the HIGHER project.