Intel’s addition of memory encryption to its upcoming 3rd generation Xeon Scalable processors matches AMD’s Secure Memory Encryption (SME) feature.
Intel’s 3rd-generation Xeon Scalable server processors, code-named Ice Lake, will be rolled out with new security upgrades that the chip giant claims will better protect devices from firmware attacks.
Xeon Scalable Processors
The upcoming chips are based on Ice Lake, Intel’s 10nm CPU microarchitecture, which was first launched in 2019. Intel is targeting initial production shipments for its Xeon scalable processors for servers at the end of the year, but just announced that they will come with new security features.
One feature is called Intel Total Memory Encryption (Intel TME), which Intel commented helps ensure that all memory accessed from the CPU is encrypted, such as customer credentials, encryption keys & other IP or personal information on the external memory bus.
“Intel developed this feature to provide greater protection for system memory against hardware attacks, such as removing & reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware,” according to Intel on Wednesday.
This feature already exists in other competing chip platforms, with AMD first proposing its own version, Secure Memory Encryption (SME), in 2016.
Intel TME utilises the storage encryption standard, AES XTS, from the National Institute of Standards & Technology (NIST). Intel said an encryption key is generated using a hardened random number generator in the processor without exposure to software, allowing existing software to run unmodified while better protecting memory.
Intel also claims that another new feature can protect against sophisticated adversaries who may attempt to compromise or disable the platform’s firmware to intercept data or take down the server.
The Intel Platform Firmware Resilience (Intel PFR) will be part of the Xeon Scalable platform, which Intel claims will help protect against platform firmware attacks by detecting them before they can compromise or disable the machine.
Platform Root of Trust
Intel PFR will use an Intel field-programmable gate array (FPGA) as a “platform root of trust,” which will validate critical-to-boot platform firmware components before any firmware code is executed, according to Intel. An Intel FPGA is an integrated circuit designed to be configured by a customer or a designer after manufacturing.
The firmware components protected “can include BIOS Flash, BMC Flash, SPI Descriptor, Intel Management Engine & power supply firmware.”
The chip giant is also bringing its existing Intel Software Guard Extensions (SGX) feature to Ice Lake. Intel SGX, a set of security-related instruction codes that are built into Intel CPUs, shields sensitive data – such as AES encryption keys inside “enclaves,” which are physically separate from other CPU memory & are protected by software encryption.
Intel SGX is not an end-all-be-all solution – researchers have previously been able to bypass SGX in various attacks, from the Plundervolt security issue revealed in 2019 to speculative execution design flaws in Intel CPUs revealed in 2018.
The new security features come as Intel processors have been plagued by various security issues over the past years – including Meltdown & Spectre, as well as other speculative execution & side-channel attacks.