Intel is bringing its Software Guard Extension confidential computing technology to the company’s Xeon Scalable lineup for the first time with the upcoming Ice Lake server processors, which will come with expanded capabilities and new security features.
The company announced on Wednesday that the “full spectrum” of the Ice Lake server lineup — which is the second phase of the third-generation Xeon Scalable launch — will support Intel Software Guard Extension, or SGX, with new capabilities like larger enclaves for application isolation. The processors will also support new features like Total Memory Encryption, cryptographic accelerators and Intel Platform Firmware Resilience.
Intel said organisations like the University of California San Francisco’s Center for Digital Health and Russian retail company Magnit that are in highly regulated industries are using Intel SGX to, for instance, protect electronic health records or intellectual property.
The expanded security capabilities of the upcoming Ice Lake server processors, expected to start shipping at the end of the year, will give Intel extra ammo to compete with AMD, which had already introduced confidential computing capabilities in its mainstream EPYC server processors. The growth of Intel SGX, on the other hand, had been limited because it has only been available on Intel’s Xeon E entry-level server and workstation CPUs and not in the first two generations of Xeon Scalable.
“Now we’re really bringing it to the [Xeon] Scalable processors for the first time, in a much bigger way,” said Ron Perez, a fellow in Intel’s Data Center Group who focuses on security architecture.
Among the expanded capabilities for Ice Lake is expanded Intel SGX enclaves, which are private memory regions in the processor that can isolate applications with confidential or otherwise sensitive data. The enclaves can now protect up to 1 TB of code and data while in use, which is much larger than the 256 MB limit of the Intel E-2200 processors.
Perez said with the larger enclaves, there is much less of a need to move data in and out of the enclaves, which was previously a major factor for performance degradation in previous implementations.
“If you had a lot of data, you’d have to page it into the enclave and then page it back out when you’re finished. I think a lot of that goes away [with Ice Lake], so that should address a lot of the performance issues that we’ve seen in the past,” he said.
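As an added example, not code from the article or from Intel: this C program decodes the CPUID leaf 0x12 sub-leaves that enumerate the Enclave Page Cache, so an administrator can verify how much EPC a host actually exposes to enclaves (the 256 MB versus multi-gigabyte capacities discussed above) before assuming paging overhead has gone away. The field layout follows the Intel SDM; the register values used for checking the decoder are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* One Enclave Page Cache (EPC) section as advertised by CPUID leaf 0x12, sub-leaf >= 2. */
struct epc_section {
    int valid;      /* 1 when EAX[3:0] == 1 (the sub-leaf describes an EPC section) */
    uint64_t base;  /* physical base address of the section */
    uint64_t size;  /* section size in bytes */
};

/* Field layout per the Intel SDM, CPUID.(EAX=12H, ECX>=2): EAX[3:0] type (0 invalid, 1 EPC),
 * EAX[31:12] base bits 31:12, EBX[19:0] base bits 51:32, ECX[31:12] size bits 31:12,
 * EDX[19:0] size bits 51:32. Kept as a pure function so it can be checked with constructed values. */
struct epc_section decode_epc_section(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct epc_section s = {0, 0, 0};
    if ((eax & 0xFu) != 1u) return s;
    s.valid = 1;
    s.base = ((uint64_t)(ebx & 0xFFFFFu) << 32) | (eax & 0xFFFFF000u);
    s.size = ((uint64_t)(edx & 0xFFFFFu) << 32) | (ecx & 0xFFFFF000u);
    return s;
}

/* Query the running CPU and sum every EPC section; 0 when SGX is not enumerated (or not x86). */
uint64_t total_epc_bytes(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a = 0, b = 0, c = 0, d = 0;
    if (__get_cpuid_max(0, NULL) < 0x12) return 0;
    __cpuid_count(7, 0, a, b, c, d);          /* leaf 7, EBX bit 2 is the SGX feature flag */
    if (!(b & (1u << 2))) return 0;
    uint64_t total = 0;
    for (uint32_t sub = 2; sub < 32; sub++) {  /* sections end at the first invalid sub-leaf */
        __cpuid_count(0x12, sub, a, b, c, d);
        struct epc_section s = decode_epc_section(a, b, c, d);
        if (!s.valid) break;
        total += s.size;
    }
    return total;
#else
    return 0;
#endif
}
int main(void)
{
    printf("EPC available to enclaves: %llu MiB\n", (unsigned long long)(total_epc_bytes() >> 20));
    return 0;
}
```

The sum is the physical EPC pool shared by all enclaves on the host; the maximum size of a single enclave is advertised separately in sub-leaf 0 and is not computed here.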
Another major new security feature in Ice Lake is Total Memory Encryption, or TME, which, as the name suggests, allows the processor to encrypt all memory in the system rather than only the memory of individual workloads, which Intel SGX was already capable of doing. This new type of hardware security is designed to protect against physical attacks on memory, including “removing and reading the DIMM after spraying it with liquid nitrogen or installing purpose-built attack hardware.”
“As we see the edge space growing, where some of these servers may be in environments where attackers have physical access to the systems, those kind of hardware protections come in more handy, where people can walk away with the actual physical memory,” Perez said.
Ice Lake’s new cryptographic accelerators are intended to remove or reduce the performance impact that typically comes with expanded security capabilities. Perez said these accelerators will provide as much as an eight-fold performance increase for some algorithms, thanks to a new ability to run algorithms on multiple data buffers in parallel.
“That should go a long way in reducing overhead where that [cryptography] is being used specifically by the application,” he said.
The other significant new security feature for Ice Lake is Intel Platform Firmware Resilience, which uses an FPGA as a platform root of trust in Ice Lake platforms to validate critical-to-boot platform firmware components, such as the BIOS flash, BMC flash and Intel Management Engine, before the firmware runs.
“This Platform Firmware Resilience capability, or platform root of trust essentially, provides the capability to protect that firmware, to ensure that the right copy is installed,” Perez said. “And if somehow it gets modified maliciously or otherwise, it can revert back to a known good state.”
When Google Cloud launched its new Confidential Virtual Machines product earlier this year using the Secure Encrypted Virtualization feature in AMD EPYC, Google Cloud product manager Nelly Porter said one reason the cloud service provider didn’t use Intel SGX was that it came with a “significant price” associated with a need to redesign applications for Intel SGX enclaves.
Perez said open-source tool kits like Graphene and commercial tool kits from Fortanix can help reduce the cost of adapting applications to take advantage of Intel SGX.
“If you really want to take the most advantage of SGX, you would need to either design your application from scratch with SGX in mind or refactor,” he said. “But now we’ve seen some of these other tool kits and capabilities, such as Graphene and Fortanix, that allow this ‘lift and shift’ capability. So I think most of that extra cost of refactoring now kind of goes by the wayside.”