Intel has unveiled their suite of new security features for the upcoming 3rd generation Intel Xeon Scalable platform, code-named ‘Ice Lake.’ The security features in Ice Lake would enable the hosting and data center services industry to develop server solutions that help improve their security posture. These server security features can help reduce risks related to privacy and compliance, such as regulated data in financial services and healthcare.
Intel is doubling down on its Security First Pledge, bringing its “pioneering and proven” Intel Software Guard Extension (Intel SGX) to the full spectrum of Ice Lake platforms. Along with new features that include Intel Total Memory Encryption (Intel TME), Intel Platform Firmware Resilience (Intel PFR) and new cryptographic accelerators. It would strengthen the platform and improve the overall confidentiality and integrity of data.
Technologies such as disk- and network-traffic encryption protect data in storage and during transmission, but data can be vulnerable to interception and tampering while in use in memory. ‘Confidential computing’ is a rapidly emerging usage category that protects data while it is in use in a Trusted Execution Environment (TEE).
Intel SGX is a thorough researched, updated and battle-tested TEE for data center confidential computing, with a small attack surface within the system. It would enable application isolation in private memory regions, called enclaves, to help protect up to 1 terabyte of code and data while in use.
“Protecting data is essential to extracting value from it,” said Lisa Spelman, corporate vice president in the Data Platform Group and general manager of the Xeon and Memory Group, Intel. “With the capabilities in the upcoming 3rd Gen Xeon Scalable platform, we will help our customers solve their toughest data challenges while improving data confidentiality and integrity. This extends our long history of partnering across the ecosystem to drive security innovations.”
Intel’s new security capabilities to improve data protection and strengthen the platform include:
- Full memory encryption – To better protect the entire memory of a platform, Ice Lake introduces a new feature called Intel Total Memory Encryption (Intel TME). Intel TME would help ensure that all memory accessed from the Intel CPU is encrypted, including customer credentials, encryption keys and other IP or personal information on the external memory bus.Intel developed this feature to provide greater protection for system memory against hardware attacks, such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware. Using the National Institute of Standards and Technology (NIST) storage encryption standard AES XTS, an encryption key is generated using a hardened random number generator in the processor without exposure to software. This would allow existing software to run unmodified while better protecting memory.
- Cryptographic acceleration – One of Intel’s design goals is to remove or reduce the performance impact of increased security, so customers don’t have to choose between better protection and acceptable performance. Ice Lake introduces several new instructions used throughout the industry, coupled with algorithmic and software innovations, to deliver “breakthrough” cryptographic performance.There are two fundamental innovations. The first is a technique to stitch together the operations of two algorithms that typically run in combination yet sequentially, allowing them to execute simultaneously. The second is a method to process multiple independent data buffers in parallel.
- Growing resilience – Sophisticated adversaries may attempt to compromise or disable the platform’s firmware to intercept data or take down the server. Ice Lake introduces Intel Platform Firmware Resilience (Intel PFR) to the Intel Xeon Scalable platform to help protect against platform firmware attacks, designed to detect and correct them before they can compromise or disable the machine.Intel PFR uses an Intel FPGA as a platform root of trust to validate critical-to-boot platform firmware components before any firmware code is executed. The firmware components protected can include BIOS Flash, BMC Flash, SPI Descriptor, Intel Management Engine and power supply firmware.
“Microsoft Azure was the first major public cloud to offer confidential computing, and customers from industries including finance, healthcare, government are using confidential computing on Azure today,” said Mark Russinovich, Chief Technology Officer (CTO), Microsoft Azure. “Azure has confidential computing options for virtual machines, containers, machine learning, and more. We believe the next-generation Intel Xeon processors with Intel SGX featuring full memory encryption and cryptographic acceleration will help our customers unlock even more confidential computing scenarios.”
