Intel celebrates security of Ice Lake Xeon processors, so far impervious to any threat due to their unavailability

But when they ship, Chipzilla promises its server silicon will 'double down' on defense mechanisms


Intel on Wednesday talked up a set of security features planned for its promised third-generation Xeon Scalable Processors, code-named Ice Lake, which are supposed to show up before the end of the year.

The chip biz said it's "doubling down on its Security First Pledge," as if some sort of quantitative measurement of security could be calculated and weighed against prior security commitments.

The suggested twofold security inflation takes the form of adding features like Software Guard Extensions (SGX), Total Memory Encryption (TME), Platform Firmware Resilience (PFR), and cryptographic acceleration to the Ice Lake line.

"With a focus on encrypting and protecting data at rest, in transit and in use, Ice Lake helps our customers move beyond encrypted data to encrypted computing," said Lisa Spelman, corporate VP in Intel's Data Platform Group and general manager of the Xeon and Memory Group, in a video presentation.

SGX consists of security-oriented instructions and features, baked into Intel silicon, that allow applications to run code in private memory areas called secure enclaves that cannot, in theory, be accessed by the operating system, hypervisor, and any other software. The idea is that you can run secret, sensitive stuff in an enclave, such as DRM decryption, without being snooped on.

For what it's worth, SGX has been around for years in Intel's client-end chips. Today's announcement that the security mechanism is coming to Ice Lake Xeons thus signals its arrival in mainstream Intel server processors (entry-level Xeon E3 and Xeon-E parts featured SGX but these are modified desktop Core components.)

Intel 11th gen processor image

Intel screams Tiger Lake is 'world's best processor' (then quietly into its sleeve: for thin Windows, ChromeOS laptops)

READ MORE

Spelman said SGX is "the most researched, updated, and battle-tested trusted execution encouragement available for the data center today," and helps support confidential computing on platforms like Microsoft Azure, Alibaba Cloud, and IBM Cloud Data Guard.

SGX is indeed researched and often thereafter updated when infosec types find holes, as has happened several times in recent years and may yet again. But perhaps it's enough that Intel is paying attention and fixing flaws as they're found.

TME [PDF], as Intel tells it, is just what the name suggests: a way to encrypt all data going in and out of external memory from the processor chipset using AES-XTS cryptography with 128-bit keys. Chipzilla says it created this feature to defend against hardware attacks, "such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware." In other words, if you rip the RAM out of a server and preserve its contents, it'll be encrypted anyway.

PFR [PDF] meanwhile refers to various measures put in place to prevent server firmware from being altered or tampered with, from the point of production through deployment in a data center or a similar environment.

PRF relies on an FPGA as the platform root of trust, which validates firmware components before firmware code gets run. It can protect components like the BIOS flash, BMC Flash, SPI descriptor, Intel Management Engine, and power supply firmware, according to the manufacturer.

And the various cryptographic improvements touted refer to techniques for parallelizing normally sequential algorithms and data buffer processing – having these operations run at the same time is, as might be expected, faster than running them one after another.

Intel's Ice Lake Xeons are also protected by an additional layer of security known as not actually being available to you and I right now. But that's unlikely to last much longer. Almost suffice to say, rival AMD's Epyc server processors have similar security features, such as RAM encryption and encrypted virtual machine memory. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021