Intel Ice Lake-SP Xeon Server-Grade CPUs Get Multiple Security And Data Protection Features That Could Trickle Down To Consumers
Intel announced several security-related innovations that are now part of the Ice Lake CPU Architecture. As part of the Security First Pledge, Intel has incorporated technologies such as Intel SGX, Memory Encryption, Firmware Resilience, and Breakthrough Cryptographic Accelerators within the 3rd-Gen Intel Xeon CPUs.
The upcoming 3rd Generation Intel Xeon Scalable platform, code-named “Ice Lake,” will have several technologies working together to safeguard sensitive workloads. These new innovations should enable new avenues to work with sensitive data packets that must be secured against modern-day threats. While the Intel Software Guard Extensions is now available to the volume mainstream server platform with the Ice Lake generation of CPUs, there are three other technologies that enhance the security and protection of massive amounts of data that are processed every day.
Entire Range of Ice Lake Platforms Get Several New Data Security And Protection Technologies:
In addition to the Intel Software Guard Extension (Intel SGX), the upcoming 3rd-Gen Ice Lake-SP CPUs that will be part of the Xeon Server-grade processors will have new features that include Intel Total Memory Encryption (Intel TME), Intel Platform Firmware Resilience (Intel PFR) and new cryptographic accelerators. Together, these technologies should boost the overall confidentiality and integrity of data processed in servers at all stages.
Intel assures the security features in Ice Lake enable the company’s customers to develop solutions that help improve their security posture and reduce risks related to privacy and compliance, such as regulated data in financial services and healthcare.
Standard technologies such as disk- and network-traffic encryption typically protect data in storage and during transmission. However, data can be vulnerable to interception and tampering while in use in memory. The Intel SGX is a Trusted Execution Environment (TEE) that enables application isolation in private memory regions, called enclaves, to help protect up to 1 terabyte of code and data while in use.
New Intel Security-Focused Technologies That Will Be Embedded Inside The 3rd-Gen Ice Lake Xeon Server-Grade CPUs:
Intel released a Press Release that mentions the new technologies which will be embedded inside the new Xeon CPUs. These technologies essentially protect the data not just while it is resting in storage devices and while being processed but also during the transition from CPU to RAM, and other areas. They should be able to safeguard data even if a malicious threat is able to obtain raw memory dumps from compromised systems. Following is a brief description of each of the technologies.
- Full Memory Encryption: To better protect the entire memory of a platform, Ice Lake introduces a new feature called Intel Total Memory Encryption (Intel TME). Intel TME helps ensure that all memory accessed from the Intel CPU is encrypted, including customer credentials, encryption keys, and other IP or personal information on the external memory bus. Intel developed this feature to provide greater protection for system memory against hardware attacks, such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware. Using the National Institute of Standards and Technology (NIST) storage encryption standard AES XTS, an encryption key is generated using a hardened random number generator in the processor without exposure to software. This allows existing software to run unmodified while better protecting memory.
- Cryptographic Acceleration: One of Intel’s design goals is to remove or reduce the performance impact of increased security so customers don’t have to choose between better protection and acceptable performance. Ice Lake introduces several new instructions used throughout the industry, coupled with algorithmic and software innovations, to deliver breakthrough cryptographic performance. There are two fundamental innovations. The first is a technique to stitch together the operations of two algorithms that typically run in combination yet sequentially, allowing them to execute simultaneously. The second is a method to process multiple independent data buffers in parallel.
- Firmware Resilience: Sophisticated adversaries may attempt to compromise or disable the platform’s firmware to intercept data or take down the server. Ice Lake introduces Intel Platform Firmware Resilience (Intel PFR) to the Intel Xeon Scalable platform to help protect against platform firmware attacks. It is designed to detect and correct firmware before they can compromise or disable the machine. Intel PFR uses an Intel FPGA as a platform root of trust to validate critical-to-boot platform firmware components before any firmware code is executed. The firmware components protected can include BIOS Flash, BMC Flash, SPI Descriptor, Intel Management Engine, and power supply firmware.