Intel on Wednesday talked up a set of security features planned for its promised third-generation Xeon Scalable Processors, code-named Ice Lake, which are supposed to show up before the end of the year.
The chip biz said it’s “doubling down on its Security First Pledge,” as if some sort of quantitative measurement of security could be calculated and weighed against prior security commitments.
The suggested twofold security inflation takes the form of adding features like Software Guard Extensions (SGX), Total Memory Encryption (TME), Platform Firmware Resilience (PFR), and cryptographic acceleration to the Ice Lake line.
“With a focus on encrypting and protecting data at rest, in transit and in use, Ice Lake helps our customers move beyond encrypted data to encrypted computing,” said Lisa Spelman, corporate VP in Intel’s Data Platform Group and general manager of the Xeon and Memory Group, in a video presentation.
SGX consists of security-oriented instructions and features, baked into Intel silicon, that allow applications to run code in private memory areas called secure enclaves that cannot, in theory, be accessed by the operating system, hypervisor, or any other software. The idea is that you can run secret, sensitive stuff in an enclave, such as DRM decryption, without being snooped on.
For what it’s worth, SGX has been around for years in Intel’s client-end chips. Today’s announcement that the security mechanism is coming to Ice Lake Xeons thus signals its arrival in mainstream Intel server processors (entry-level Xeon E3 and Xeon-E parts featured SGX, but these are modified desktop Core components).
Spelman said SGX is “the most researched, updated, and battle-tested trusted execution environment available for the data center today,” and helps support confidential computing on platforms like Microsoft Azure, Alibaba Cloud, and IBM Cloud Data Guard.
SGX is indeed researched and often thereafter updated when infosec types find holes, as has happened several times in recent years and may yet again. But perhaps it’s enough that Intel is paying attention and fixing flaws as they’re found.
TME [PDF], as Intel tells it, is just what the name suggests: a way to encrypt all data going in and out of external memory from the processor chipset using AES-XTS cryptography with 128-bit keys. Chipzilla says it created this feature to defend against hardware attacks, “such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware.” In other words, if you rip the RAM out of a server and preserve its contents, it’ll be encrypted anyway.
PFR [PDF] meanwhile refers to various measures put in place to prevent server firmware from being altered or tampered with, from the point of production through deployment in a data center or a similar environment.
PFR relies on an FPGA as the platform root of trust, which validates firmware components before firmware code gets run. It can protect components like the BIOS flash, BMC flash, SPI descriptor, Intel Management Engine, and power supply firmware, according to the manufacturer.
And the various cryptographic improvements touted refer to techniques for parallelizing normally sequential algorithms and data buffer processing – having these operations run at the same time is, as might be expected, faster than running them one after another.
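A host-side check for the CPU features described above, as an added example that is not from the article or from Intel: it parses Linux /proc/cpuinfo text and reports which logical CPUs lack the kernel's `sgx` and `tme` flags. Mapping "cryptographic acceleration" to the `vaes` and `vpclmulqdq` flags is an assumption of this example, and the sample input is constructed.

```python
# Kernel flag names as printed in the "flags" line of /proc/cpuinfo.
# Mapping the article's "cryptographic acceleration" to vaes/vpclmulqdq is
# this example's assumption; PFR is a board-level FPGA and has no CPU flag.
REQUIRED = {
    "SGX": {"sgx"},
    "TME": {"tme"},
    "vector crypto": {"vaes", "vpclmulqdq"},
}

def parse_cpuinfo(text):
    """Return {logical_cpu_number: set_of_flags} from /proc/cpuinfo text."""
    cpus, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep:
            continue  # blank separator lines between CPU stanzas
        if key == "processor":
            current = int(value)
            cpus[current] = set()
        elif key == "flags" and current is not None:
            cpus[current] = set(value.split())
    return cpus

def audit(text, required=REQUIRED):
    """Return {feature: sorted logical CPUs lacking any of its flags}."""
    cpus = parse_cpuinfo(text)
    return {
        name: sorted(n for n, flags in cpus.items() if not needed <= flags)
        for name, needed in required.items()
    }

# Constructed sample: CPU 0 exposes everything, CPU 1 lacks sgx and tme.
SAMPLE = (
    "processor\t: 0\nmodel name\t: Example Xeon (constructed)\n"
    "flags\t\t: fpu aes sgx tme vaes vpclmulqdq sha_ni\n\n"
    "processor\t: 1\nmodel name\t: Example Xeon (constructed)\n"
    "flags\t\t: fpu aes vaes vpclmulqdq sha_ni\n"
)

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample off-Linux
    for feature, missing in audit(text).items():
        status = "ok" if not missing else f"missing on CPUs {missing}"
        print(f"{feature}: {status}")
```

A present flag only means the kernel sees the feature on that CPU; it does not show that any workload is running inside an enclave.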
Intel’s Ice Lake Xeons are also protected by an additional layer of security known as not actually being available to you and me right now. But that’s unlikely to last much longer. Almost suffice to say, rival AMD’s Epyc server processors have similar security features, such as RAM encryption and encrypted virtual machine memory. ®