Intel adds security features to Xeon Scalable platform
Security technologies to secure sensitive workloads have been integrated into the third generation Intel Xeon Scalable platform (codenamed Ice Lake).
The suite of security features include the proven Intel Software Guard Extension (Intel SGX) to all Ice Lake platforms and new features Total Memory Encryption (Intel TME), Platform Firmware Resilience (Intel PFR) and cryptographic accelerators to improve confidentiality and integrity of data.
The security features in Ice Lake are designed to enable customers to develop solutions that help improve security and reduce risks related to privacy and compliance, such as regulated data in financial services and healthcare.
“Protecting data is essential to extracting value from it, and with the capabilities in the upcoming 3rd Gen Xeon Scalable platform, we will help our customers solve their toughest data challenges while improving data confidentiality and integrity,” said Lisa Spelman, Intel corporate vice president in the Data Platform Group and general manager of the Xeon and Memory Group.
Technologies such as disk- and network-traffic encryption protect data in storage and during transmission, but data can be vulnerable to interception and tampering while in use in memory.
Intel SGX presents the smallest attack surface within the system. It enables application isolation in private memory regions, called enclaves, to help protect up to 1Tbyte of code and data while in use.
Intel SGX helps customers unlock new multi-party shared compute scenarios that have been difficult to build in the past due to privacy, security and regulatory requirements, explains Intel. Potential users are healthcare organisations which need to securely protect data e.g. electronic health records. Other industries, e.g. retail, also need to keep data confidential and protect intellectual property. To improve data protection, Intel is introducing full memory encryption. Intel Total Memory Encryption (Intel TME) helps ensure that all memory accessed from the Intel CPU is encrypted, including customer credentials, encryption keys and other IP or personal information on the external memory bus. Intel developed this feature to provide greater protection for system memory against hardware attacks, such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware. Using the National Institute of Standards and Technology (NIST) storage encryption standard AES XTS, an encryption key is generated using a hardened random number generator in the processor without exposure to software. This allows existing software to run unmodified while better protecting memory.
To eliminate customers having to face a choice between better protection and acceptable performance, Ice Lake introduces several new instructions, coupled with algorithmic and software innovations. One cryptographic innovation is a technique to stitch together the operations of two algorithms that typically run in combination yet sequentially, allowing them to execute simultaneously. The second is a method to process multiple independent data buffers in parallel.
Ice Lake introduces Intel Platform Firmware Resilience (Intel PFR) to the Intel Xeon Scalable platform to help protect against platform firmware attacks. It is designed to detect and correct them before they can compromise or disable the machine. Intel PFR uses an Intel FPGA as a platform root of trust to validate critical-to-boot platform firmware components before any firmware code is executed. The firmware components protected can include BIOS Flash, BMC Flash, SPI Descriptor, Intel Management Engine and power supply firmware.