Intel SGX, new security measures for the Xeon Scalable Ice Lake

Security on Intel processors has been a headache for the past few years. Several vulnerabilities have been discovered at the hardware level and have had to be mitigated as well as possible after the fact. To avoid this problem in the future, Intel has added Intel SGX, a hardware-level security measure, to its Xeon Scalable processors.
This additional security measure will be implemented first in the Xeon Scalable processors of the Ice Lake family. Intel SGX is expected to be deployed across more processor families to prevent serious new security vulnerabilities in the future. Together with other measures, it is meant to prevent the theft of information through the interception of data.
Intel SGX, new security measures for its processors
All Xeon Scalable Ice Lake processors implement new security measures to ensure data protection. In addition to Intel Software Guard Extensions (Intel SGX), other measures have been added: Intel Total Memory Encryption (Intel TME), Intel Platform Firmware Resilience (Intel PFR), and new cryptography solutions to improve data integrity and confidentiality.
The company takes the security and integrity of data very seriously, and no wonder. The vulnerabilities have cost Intel a lot of money and a lot of reputation, but they also prompted the development of this battery of security measures, which increases the privacy and security of the data managed on these systems.
Data protection is essential in order to extract value from it. And with the capabilities of the upcoming 3rd Generation Xeon Scalable platform, we will help our customers solve their toughest data challenges while improving data confidentiality and integrity. In doing so, we extend our long history of partnering across the ecosystem to drive security innovations.
Lisa Spelman, corporate vice president of the Data Platform Group and general manager of the Xeon and Memory Group at Intel
Protection in all computing solutions
There are technologies such as disk and network encryption that secure data in storage and during transmission. The problem is that this data is still vulnerable to interception and manipulation while it is in memory. Confidential computing seeks to protect data while it is in use by running it inside a Trusted Execution Environment (TEE). Intel positions SGX as the most developed, updated, and tested TEE for data center security. It allows applications to be isolated in private memory areas, called enclaves, protecting up to 1 Terabyte of code and data while they are being used.
The University of California at San Francisco, NEC, Magnit and other leading organizations have trusted Intel to strengthen their security. As an example, healthcare organizations can protect data more securely in a trusted computing ecosystem that safeguards patient privacy.
Many companies in the retail sector already rely on Intel solutions to protect and secure their intellectual property. Intel SGX aims to help ensure the security of computation shared across multiple parties, a practice that was very complicated in the past because of its privacy, security and regulatory demands.
Main measures that Intel has implemented
- Total memory encryption: Intel Ice Lake introduces Intel TME technology, which encrypts the entire contents of system memory. This includes customer credentials, encryption keys, and other IP or personal information held in external memory. The goal is to better protect system memory against attacks in which a DIMM memory module is physically removed and read out, either after chilling it with nitrogen or by installing specialized hardware for the attack.
- Cryptographic accelerators: The aim is to eliminate or minimize the performance impact of the security improvements on the processor. Ice Lake implements new instructions together with algorithmic and software innovations to speed up cryptography. First, the operations of two algorithms that previously ran one after the other have been combined so that they execute simultaneously. The other improvement is to process multiple independent data buffers in parallel.
- Greater resilience: Sophisticated attackers can attempt to compromise or disable firmware to steal data. Intel Ice Lake implements the Intel PFR solution to help protect against these types of attacks. Intel PFR is designed to detect and correct such attacks before the system is compromised. In addition, an Intel FPGA is used as a root of trust to validate the firmware of critical components. The protected components are the BIOS flash, the BMC flash, the SPI descriptor, the Intel Management Engine, and the power supply firmware.
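The detect-and-correct flow that the firmware resilience item describes can be illustrated in a few dozen lines. The following is an added example, not Intel's PFR implementation or any code from the article: a hypothetical root of trust holds an authenticated manifest of expected digests for each protected component, checks the active flash contents against it before releasing the platform from reset, and restores a component from a golden copy when its digest does not match. The firmware images, the component names and the root-of-trust key are all constructed sample values; a real design would sign the manifest with an asymmetric key rather than the shared-secret HMAC used here for brevity.

```python
import hashlib
import hmac

# Constructed sample "flash contents" for the components the article lists.
# Real images would be binaries; byte strings stand in for them here.
GOLDEN_IMAGES = {
    "bios_flash": b"BIOS v1.0 constructed sample image",
    "bmc_flash": b"BMC v1.0 constructed sample image",
    "spi_descriptor": b"SPI descriptor constructed sample",
}

# Hypothetical secret known only to the root of trust (constructed value).
ROOT_OF_TRUST_KEY = b"constructed-root-of-trust-key"


def digest(image: bytes) -> str:
    """SHA-256 of a firmware image, as the measurement compared to the manifest."""
    return hashlib.sha256(image).hexdigest()


def _serialize(entries: dict) -> bytes:
    # Canonical, order-independent encoding so the MAC covers exactly the entries.
    return "\n".join(f"{name}={d}" for name, d in sorted(entries.items())).encode()


def build_manifest(images: dict) -> dict:
    """Measure each golden image and authenticate the resulting table."""
    entries = {name: digest(img) for name, img in images.items()}
    mac = hmac.new(ROOT_OF_TRUST_KEY, _serialize(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict) -> bool:
    """Reject a manifest whose entries were altered after it was authenticated."""
    expected = hmac.new(ROOT_OF_TRUST_KEY, _serialize(manifest["entries"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_and_recover(active: dict, golden: dict, manifest: dict) -> dict:
    """Check every protected component and return the action taken per component.

    'ok'        - active image matches the manifest
    'recovered' - active image was missing or altered; golden copy restored in place
    'held'      - neither active nor golden image is valid; component kept in reset
    """
    if not manifest_is_authentic(manifest):
        # Without a trustworthy manifest nothing can be validated: fail closed.
        raise ValueError("manifest failed authentication; refusing to release from reset")

    actions = {}
    for name, expected in manifest["entries"].items():
        current = active.get(name)
        if current is not None and hmac.compare_digest(digest(current), expected):
            actions[name] = "ok"
            continue
        # Mismatch: only recover from the golden copy if it itself measures correctly.
        candidate = golden.get(name)
        if candidate is not None and hmac.compare_digest(digest(candidate), expected):
            active[name] = candidate
            actions[name] = "recovered"
        else:
            actions[name] = "held"
    return actions


def run_demo() -> dict:
    """Simulate a tampered BMC image and a wiped SPI descriptor, then recover."""
    manifest = build_manifest(GOLDEN_IMAGES)
    active = dict(GOLDEN_IMAGES)
    active["bmc_flash"] = GOLDEN_IMAGES["bmc_flash"] + b"\x00implant"  # constructed tamper
    del active["spi_descriptor"]                                      # constructed wipe
    return verify_and_recover(active, GOLDEN_IMAGES, manifest)


if __name__ == "__main__":
    for component, action in run_demo().items():
        print(f"{component}: {action}")
```

The `hmac.compare_digest` calls keep the digest comparisons constant-time, and the check is ordered so that a forged manifest is rejected before any component is trusted; the golden copy is itself measured before it is used for recovery, so a corrupted recovery region cannot be written back as if it were good.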