Earlier this month Intel released details about several new security technologies associated with the upcoming 3rd Generation Intel® Xeon® Scalable processor (code-named “Ice Lake”) server platform. These technologies include:
- Intel® Software Guard Extension (Intel® SGX), a heavily researched, updated, and battle-tested Trusted Execution Environment (TEE) used for confidential computing in data centers.
- Intel Total Memory Encryption (Intel TME), which helps ensure that all data in memory that’s accessed by an Intel® CPU – including customer credentials, encryption keys and other IP or personal information – is encrypted whenever it appears on the external memory bus.
- Cryptographic acceleration, based on several newly added, industry-pervasive instructions coupled with algorithmic and software innovations that collectively deliver breakthrough cryptographic performance.
- Intel® Platform Firmware Resilience (Intel® PFR), which implements a Platform Root of Trust (PRoT) that helps protect against platform firmware attacks, designed to detect and correct them before they can compromise or disable the machine.
The Intel PFR is based on an Intel® MAX® 10 FPGA, which implements a PRoT that can be used to validate critical-to-boot platform firmware components before the Intel® CPU executes a single instruction. The Intel PFR is designed to protect against, detect, and correct multiple security threats, such as permanent denial of service (PDOS) attacks. A PDOS attack attempts to render a server permanently inoperable by irrecoverably corrupting the system firmware. PDOS attacks are a growing threat against critical infrastructure systems such as those associated with banks, national power grids, and other utilities.
The Intel MAX 10 FPGA helps protect firmware by attesting that it is safe prior to code execution. It also provides boot and runtime monitoring to assure that the server only runs known good firmware. The Intel PFR also supports automated recovery if corrupted firmware is detected. Previously, such protection would require manual intervention.
The Intel PFR can protect multiple firmware components including the BIOS Flash, the BMC Flash, the SPI Descriptor, the Intel® Management Engine, and power supply firmware. The soft IP used in the Intel MAX 10 FPGA to implement the Intel PFR provides design visibility and flexibility, which allows system developers to customize the design to accommodate specific hardware, firmware, or other customer needs. For example, this flexibility would be critical when switching from one firmware BIOS vendor to another.
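As an added illustration that is not part of Intel's post or of the Intel PFR design itself, the protect/detect/correct cycle described above modelled in Python: a root of trust checks each component's active image before the CPU is released, falls back to the recovery copy when the active image has been corrupted, and keeps the platform in reset when no trustworthy image exists. The HMAC tag, the key, the component names and the image contents are constructed stand-ins for the signed flash regions a real PRoT would verify.

```python
import hashlib, hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor signing key (a real PRoT verifies an asymmetric signature with a pinned public key)
ROT_KEY = b"constructed-root-of-trust-key"
TAG_LEN = 32  # SHA-256 HMAC tag appended to each image

def sign_image(payload: bytes) -> bytes:
    return payload + hmac.new(ROT_KEY, payload, hashlib.sha256).digest()

def image_is_valid(image: bytes) -> bool:
    # Constant-time tag check; any corruption of payload or tag fails
    if len(image) <= TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(ROT_KEY, payload, hashlib.sha256).digest(), tag)

@dataclass
class FlashRegion:
    name: str        # protected component, e.g. BIOS, BMC, PSU
    active: bytes    # image the component would boot from
    recovery: bytes  # known-good copy kept for automated recovery

class RootOfTrust:
    # Checks every critical-to-boot region before the CPU is released from reset
    def __init__(self, regions):
        self.regions = regions
        self.cpu_released = False

    def check_and_recover(self, region: FlashRegion) -> str:
        if image_is_valid(region.active):
            return "ok"
        if image_is_valid(region.recovery):
            region.active = region.recovery  # correct: restore without an operator
            return "recovered"
        return "halt"  # nothing trustworthy to run: keep the CPU in reset

    def pre_boot(self) -> dict:
        results = {r.name: self.check_and_recover(r) for r in self.regions}
        self.cpu_released = all(v != "halt" for v in results.values())
        return results

def build_demo_platform(corrupt=("BIOS",)) -> list:
    # Constructed flash contents: names in `corrupt` get one byte of the active image flipped (simulated PDOS)
    regions = []
    for name in ("BIOS", "BMC", "PSU"):
        good = sign_image(f"{name} firmware v1".encode())
        bad = bytes([good[0] ^ 0xFF]) + good[1:]
        regions.append(FlashRegion(name, bad if name in corrupt else good, good))
    return regions
```

Running `RootOfTrust(build_demo_platform()).pre_boot()` reports the BIOS region as recovered and the others as ok, and the CPU is released; a region with no valid active or recovery image is reported as halt and the CPU stays in reset.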