Now, Google has provided a more detailed rundown of what that means and of how Titan will serve as a "hardware root of trust" that ensures each machine's firmware is safe to load and provides other cryptographic functions in its data center.
"Google designed Titan's hardware logic inhouse to reduce the chances of hardware backdoors," Google Cloud Platform engineers wrote in a blogpost.
Titan comprises a "secure application processor, a cryptographic co-processor, a hardware random number generator, a sophisticated key hierarchy, embedded static RAM (SRAM), embedded flash and a read-only memory block," they added.
The chip scans the CPU and other components to monitor "every byte of boot firmware" and executes code from its read-only memory when a server is switched on. It also checks whether firmware has been tampered with.
Titan's boot memory uses public key cryptography (PKI) to verify its own firmware before loading it, and then uses PKI to verify the host system's firmware. Google's verified boot firmware then configures the machine and loads the boot loader and the operating system.
According to Google, these checks go beyond what would normally happen under Secure Boot, which verifies firmware on startup, since the Titan-based process can also patch Titan firmware and identify the first bytes of code that run at startup.
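The ordered check described above (Titan's firmware is verified first, then the host's, and nothing unverified runs) can be sketched as follows. This is an added illustration, not Google's code: the function names, the sample images and the toy unpadded RSA key built from two Mersenne primes are all assumptions chosen so the example runs with the standard library only.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes) so the example is stdlib-only.
# It is NOT secure and uses no padding; a real boot ROM would use a vetted
# signature scheme. All names here are hypothetical.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only

def digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image: bytes) -> int:
    """Signer side (release infrastructure); never present on the machine."""
    return pow(digest_int(image), D, N)

def verify(image: bytes, signature: int) -> bool:
    """Verifier side: needs only the public key (N, E)."""
    return pow(signature, E, N) == digest_int(image)

def verified_boot(stages):
    """Check stages in order and stop at the first signature that fails.

    stages: list of (name, image_bytes, signature). Returns (booted, log).
    """
    log = []
    for name, image, sig in stages:
        if not verify(image, sig):
            log.append(f"{name}: signature mismatch, halting")
            return False, log
        log.append(f"{name}: verified")
    return True, log

# Constructed sample images, checked in the order the article gives.
TITAN_FW = b"titan firmware v1 (constructed sample)"
HOST_FW = b"host boot firmware v1 (constructed sample)"
GOOD = [("titan-firmware", TITAN_FW, sign(TITAN_FW)),
        ("host-firmware", HOST_FW, sign(HOST_FW))]
# Same signatures, but one byte of the host firmware has been changed.
TAMPERED = [GOOD[0], ("host-firmware", HOST_FW[:-1] + b"!", GOOD[1][2])]

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, verified_boot(chain))
```

The tampered chain stops at the host firmware stage, so the modified image is never handed control.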
Google also detailed how Titan serves to give each machine its own cryptographic identity, which also helps it patch Titan firmware when necessary.
"The Titan chip manufacturing process generates unique keying material for each chip, and securely stores this material -- along with provenance information -- into a registry database. The contents of this database are cryptographically protected using keys maintained in an offline quorum-based Titan Certification Authority (CA).
"Individual Titan chips can generate Certificate Signing Requests (CSRs) directed at the Titan CA, which -- under the direction of a quorum of Titan identity administrators -- can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates."
This system allows Google's back-end systems to provision keys to Titan-enabled machines, as well as sign audit logs in a way that shows whether they've been tampered with, even by a malicious insider with root access to a machine.