
Intel Introduces new Security Technologies for 3rd Generation Intel Xeon Scalable Platform, Code-named "Ice Lake"

AleksandarK

Staff member
Joined
Aug 19, 2017
Messages
782 (0.65/day)
Intel today unveiled the suite of new security features for the upcoming 3rd generation Intel Xeon Scalable platform, code-named "Ice Lake." Intel is doubling down on its Security First Pledge, bringing its pioneering and proven Intel Software Guard Extensions (Intel SGX) to the full spectrum of Ice Lake platforms, along with new features that include Intel Total Memory Encryption (Intel TME), Intel Platform Firmware Resilience (Intel PFR) and new cryptographic accelerators to strengthen the platform and improve the overall confidentiality and integrity of data.

Data is a critical asset both in terms of the business value it may yield and the personal information that must be protected, so cybersecurity is a top concern. The security features in Ice Lake enable Intel's customers to develop solutions that help improve their security posture and reduce risks related to privacy and compliance, such as regulated data in financial services and healthcare.



"Protecting data is essential to extracting value from it, and with the capabilities in the upcoming 3rd Gen Xeon Scalable platform, we will help our customers solve their toughest data challenges while improving data confidentiality and integrity. This extends our long history of partnering across the ecosystem to drive security innovations," said Lisa Spelman, Intel corporate vice president in the Data Platform Group and general manager of the Xeon and Memory Group.
Data Protection across the Compute Stack
Technologies such as disk- and network-traffic encryption protect data in storage and during transmission, but data can be vulnerable to interception and tampering while in use in memory. "Confidential computing" is a rapidly emerging usage category that protects data while it is in use in a Trusted Execution Environment (TEE). Intel SGX is the most researched, updated and battle-tested TEE for data center confidential computing, with the smallest attack surface within the system. It enables application isolation in private memory regions, called enclaves, to help protect up to 1 terabyte of code and data while in use.

"Microsoft Azure was the first major public cloud to offer confidential computing, and customers from industries including finance, healthcare, government are using confidential computing on Azure today," said Mark Russinovich, chief technology officer, Microsoft Azure. "Azure has confidential computing options for virtual machines, containers, machine learning, and more. We believe the next-generation Intel Xeon processors with Intel SGX featuring full memory encryption and cryptographic acceleration will help our customers unlock even more confidential computing scenarios."
Customers like the University of California San Francisco (UCSF), NEC, Magnit and other organizations in highly regulated industries have relied on Intel to support their security strategy and leveraged Intel SGX with proven results. For example, healthcare organizations can more securely protect data—including electronic health records—with a trusted computing environment that better preserves patient privacy. In other industries, such as retail, companies rely on Intel to help keep data confidential and protect intellectual property. Intel SGX helps customers unlock new multiparty shared compute scenarios that have been difficult to build in the past due to privacy, security and regulatory requirements.

Intel is also introducing new security capabilities to improve data protection and strengthen the platform, including:

  • Full memory encryption: To better protect the entire memory of a platform, Ice Lake introduces a new feature called Intel Total Memory Encryption (Intel TME). Intel TME helps ensure that all memory accessed from the Intel CPU is encrypted, including customer credentials, encryption keys and other IP or personal information on the external memory bus. Intel developed this feature to provide greater protection for system memory against hardware attacks, such as removing and reading the dual in-line memory module (DIMM) after spraying it with liquid nitrogen or installing purpose-built attack hardware. Memory is encrypted with AES-XTS, the National Institute of Standards and Technology (NIST) storage encryption standard, under a key generated by a hardened random number generator in the processor and never exposed to software. This allows existing software to run unmodified while better protecting memory.
  • Cryptographic acceleration: One of Intel's design goals is to remove or reduce the performance impact of increased security so customers don't have to choose between better protection and acceptable performance. Ice Lake introduces several new instructions used throughout the industry, coupled with algorithmic and software innovations, to deliver breakthrough cryptographic performance. There are two fundamental innovations. The first is a technique to stitch together the operations of two algorithms that typically run in combination yet sequentially, allowing them to execute simultaneously. The second is a method to process multiple independent data buffers in parallel.
  • Growing resilience: Sophisticated adversaries may attempt to compromise or disable the platform's firmware to intercept data or take down the server. Ice Lake introduces Intel Platform Firmware Resilience (Intel PFR) to the Intel Xeon Scalable platform to help protect against platform firmware attacks, designed to detect and correct them before they can compromise or disable the machine. Intel PFR uses an Intel FPGA as a platform root of trust to validate critical-to-boot platform firmware components before any firmware code is executed. The firmware components protected can include BIOS Flash, BMC Flash, SPI Descriptor, Intel Management Engine and power supply firmware.
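As an added illustration of the Intel TME bullet (example code written for this page, not Intel's or TechPowerUp's), the Go model below encrypts 64-byte cache lines with AES-XTS, using the physical address as the tweak and a key drawn inside the simulated CPU that software never sees, so a dumped DIMM holds only ciphertext and the same secret at two addresses looks different on the bus. `MemoryEncryptor`, `Transform` and the cache-line data unit are assumptions of this model, not Intel's interfaces.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const lineSize = 64 // one cache line is the XTS data unit in this model
// MemoryEncryptor is a hypothetical model of TME-style memory encryption (not
// Intel's design): AES-XTS over cache lines, the physical address as the tweak,
// and keys generated inside the "CPU" that software never sees.
type MemoryEncryptor struct{ k1, k2 cipher.Block }

func NewMemoryEncryptor() *MemoryEncryptor {
	key := make([]byte, 64) // two AES-256 keys from the (simulated) on-die RNG
	if _, err := rand.Read(key); err != nil {
		panic("hardware RNG failure: " + err.Error())
	}
	k1, _ := aes.NewCipher(key[:32]) // data key; a 32-byte key cannot fail
	k2, _ := aes.NewCipher(key[32:]) // tweak key
	return &MemoryEncryptor{k1: k1, k2: k2}
}

// mulAlpha multiplies the tweak by x in GF(2^128) (XTS little-endian convention).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i], carry = t[i]<<1|carry, next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// Transform encrypts (enc=true) or decrypts one cache line at physical address
// addr. The tweak comes from the address, so equal plaintext at two addresses
// gives different ciphertext and a line moved elsewhere decrypts to garbage.
func (m *MemoryEncryptor) Transform(line []byte, addr uint64, enc bool) ([]byte, error) {
	if len(line) != lineSize || addr%lineSize != 0 {
		return nil, fmt.Errorf("need a %d-byte line at an aligned address", lineSize)
	}
	var tweak [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], addr/lineSize)
	m.k2.Encrypt(tweak[:], tweak[:]) // T = E_k2(data unit number)
	out := make([]byte, lineSize)
	for off := 0; off < lineSize; off += 16 {
		var blk [16]byte
		for i := range blk { blk[i] = line[off+i] ^ tweak[i] }
		if enc {
			m.k1.Encrypt(blk[:], blk[:])
		} else {
			m.k1.Decrypt(blk[:], blk[:])
		}
		for i := range blk { out[off+i] = blk[i] ^ tweak[i] }
		mulAlpha(&tweak) // block j of the line uses T * alpha^j
	}
	return out, nil
}

func main() {
	m := NewMemoryEncryptor()
	secret := bytes.Repeat([]byte("K"), lineSize) // constructed key material in RAM
	dump, _ := m.Transform(secret, 0x1000, true)  // what a pulled DIMM would hold
	fmt.Println("DIMM holds plaintext:", bytes.Equal(dump, secret))
}
```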

Privacy-preserving, trusted platforms in the upcoming 3rd generation Xeon Scalable processors will help drive even greater innovative services, usage models and solutions for organizations looking to activate the full value of their data.
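For the Intel PFR bullet above, an added example (written for this page, not Intel's code): a root-of-trust check in Go that verifies a signed manifest of firmware digests before any firmware runs, restores a tampered active image from its golden copy, and keeps the host in reset when a component cannot be repaired or the manifest itself does not verify. `Region`, `Manifest`, `Verify` and the Ed25519-signed JSON manifest are assumptions of this model, not Intel's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Region is one critical-to-boot firmware component (BIOS, BMC, descriptor...):
// Active is the image the host would boot, Golden the recovery copy in protected
// flash. Hypothetical model of a PFR-style flow, not Intel's design.
type Region struct {
	Name           string
	Active, Golden []byte
}

// Manifest binds each region's expected SHA-256 under the platform owner's key.
// The signed bytes are json.Marshal(Digests), which is canonical (sorted keys).
type Manifest struct {
	Digests   map[string][32]byte
	Signature []byte
}

// SignManifest is the provisioning step run by the platform owner.
func SignManifest(priv ed25519.PrivateKey, regions []Region) Manifest {
	m := Manifest{Digests: map[string][32]byte{}}
	for _, r := range regions {
		m.Digests[r.Name] = sha256.Sum256(r.Active)
	}
	b, _ := json.Marshal(m.Digests) // cannot fail for this type
	m.Signature = ed25519.Sign(priv, b)
	return m
}

// Report is the root of trust's decision before the host leaves reset.
type Report struct {
	Verified, Recovered, Failed []string
	ReleaseHost                 bool
}

// Verify runs as the root of trust (the FPGA in PFR) before any firmware
// executes: check every region against the signed manifest, restore a bad
// active image from its golden copy, and keep the host in reset otherwise.
func Verify(anchor ed25519.PublicKey, m Manifest, regions []Region) (Report, error) {
	b, _ := json.Marshal(m.Digests)
	if !ed25519.Verify(anchor, b, m.Signature) {
		return Report{}, errors.New("manifest signature invalid: refusing to boot")
	}
	var rep Report
	for i := range regions {
		r := &regions[i]
		want, listed := m.Digests[r.Name]
		switch {
		case listed && sha256.Sum256(r.Active) == want:
			rep.Verified = append(rep.Verified, r.Name)
		case listed && sha256.Sum256(r.Golden) == want:
			r.Active = append([]byte(nil), r.Golden...) // correct: reflash from golden
			rep.Recovered = append(rep.Recovered, r.Name)
		default: // unlisted component, or both copies tampered
			rep.Failed = append(rep.Failed, r.Name)
		}
	}
	rep.ReleaseHost = len(rep.Failed) == 0
	return rep, nil
}
```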

To learn more about how Intel SGX can help protect sensitive workloads and data, visit www.intel.com/sgx and www.confidentialcomputing.io.

 
Joined
Nov 4, 2005
Messages
10,666 (1.94/day)
Intel is using an FPGA, field programmable gate array.... That can be reprogrammed... For security.....


Sounds about right. Right stupid.
 
Joined
May 19, 2009
Messages
1,439 (0.34/day)
Location
Latvia
Intel is using an FPGA, field programmable gate array.... That can be reprogrammed... For security.....
Sounds about right. Right stupid.
Ok fine, they make it read-only and then find out there was a bug. What then?
 
Joined
Feb 20, 2020
Messages
693 (2.41/day)
Location
Texas
HI,
They sure have an Azure fetish, it seems.
 
Joined
Nov 4, 2005
Messages
10,666 (1.94/day)
Ok fine, they make it read-only and then find out there was a bug. What then?

Have a higher testing standard for a multi-billion dollar company that claims to be an expert in their field. It's like asking what if we make a car that crashes or bursts into flames.

Don't buy their product.

Fix it before you sell it.

It's what validation testing is for, alpha testing, beta testing, etc.... I get paid to do some engineering in my field, and if we don't/can't successfully get at least a certain number of units to a standard it's back to the drawing board.
 
Joined
Oct 27, 2009
Messages
818 (0.20/day)
Location
Republic of Texas
SGX is what they removed from 10th gen desktop because it was insecure and unpatchable in 9th gen....
I guess they have figured out how to work around that for Ice Lake?
 
Joined
Mar 10, 2010
Messages
8,416 (2.15/day)
Location
Manchester uk
And protect power supply firmware? I'm learning stuff today, eh. WTAF, well I never. Why, just why, does anyone leave a PSU networked for BIOS flashing besides the actual maker?
 
Joined
Sep 11, 2015
Messages
585 (0.31/day)
Have a higher testing standard for a multi-billion dollar company that claims to be an expert in their field. It's like asking what if we make a car that crashes or bursts into flames.

Don't buy their product.

Fix it before you sell it.

It's what validation testing is for, alpha testing, beta testing, etc.... I get paid to do some engineering in my field, and if we don't/can't successfully get at least a certain number of units to a standard it's back to the drawing board.
I strongly agree with this. I have worked as a QA Engineer for one of the biggest banks in Europe for two years. The QA procedure, even for something as important as your finances, was literally to do the least amount of testing possible before you have to move on to the next project. I was advised by the most senior QA engineer there to work like this. It wasn't about actual test coverage, it was just about making the least amount of tests to meet the basic requirement of having tests at all. So you can probably imagine how many holes those tests had.
 
Joined
May 19, 2009
Messages
1,439 (0.34/day)
Location
Latvia
Have a higher testing standard for a multi-billion dollar company that claims to be an expert in their field. It's like asking what if we make a car that crashes or bursts into flames.
You cannot test for every scenario among tens of millions of computers and servers using each new generation regardless. Does not matter how big your budget is or how good a QA team you have. It literally is not possible, no matter the vendor, unless we get some kind of AI learning driven testing someday in the future.
Bugs will be found sooner or later, what matters is the response to them.
 
Joined
Nov 4, 2005
Messages
10,666 (1.94/day)
You cannot test for every scenario among tens of millions of computers and servers using each new generation regardless. Does not matter how big your budget is or how good a QA team you have. It literally is not possible, no matter the vendor, unless we get some kind of AI learning driven testing someday in the future.
Bugs will be found sooner or later, what matters is the response to them.

It's all bytes, it's a combination of 1s and 0s, off and on.

I assure you, you can run enough testing to ensure a hard coded product does exactly what it's sold to do.

Making it programmable is where malicious code can enter, and makes it more vulnerable to issues.

Also, stepping is the word for how they fix issues in products.
 
Joined
Mar 10, 2010
Messages
8,416 (2.15/day)
Location
Manchester uk
It's all bytes, it's a combination of 1s and 0s, off and on.

I assure you, you can run enough testing to ensure a hard coded product does exactly what it's sold to do.

Making it programmable is where malicious code can enter, and makes it more vulnerable to issues.

Also, stepping is the word for how they fix issues in products.
AFAIK every single processor ever released had an errata list, and if it's your opinion that Intel should have known about some of the methods of attack I don't think you're thinking it through (Rowhammer etc.).
A chip for general purpose processing is not the same as a car, or anywhere near as simple a system to mitigate failure on.
 

AleksandarK

Staff member
Joined
Aug 19, 2017
Messages
782 (0.65/day)
It's all bytes, it's a combination of 1s and 0s, off and on.

I assure you, you can run enough testing to ensure a hard coded product does exactly what it's sold to do.

Making it programmable is where malicious code can enter, and makes it more vulnerable to issues.

Also, stepping is the word for how they fix issues in products.
Yeah, you can run every single scenario in the design verification process, but often it is a question of time and how long you have to test it out. To get coverage of each scenario of an x86 core you need millions of cases, and verification for that is insanely huge. Things like SGX are also rather complex, and maybe there is no time to test out each scenario. That's how vulnerabilities happen. Yes you can, but often you do not test everything. Time is the biggest limit here.
 
Joined
Sep 26, 2012
Messages
515 (0.17/day)
Location
Australia
Even with this, Intel's still significantly behind AMD's Platform Security features.

Still, it's nice to see Intel trying to make up ground, even if I can't see myself rolling out Intel except in legacy support scenarios in the next two to three years.
 
Joined
Nov 4, 2005
Messages
10,666 (1.94/day)
AFAIK every single processor ever released had an errata list, and if it's your opinion that Intel should have known about some of the methods of attack I don't think you're thinking it through (Rowhammer etc.).
A chip for general purpose processing is not the same as a car, or anywhere near as simple a system to mitigate failure on.

Errata for a piece of hardware with billions of transistors is common.

Errata with a piece of silicon with millions of transistors is unacceptable.

My point isn't that there can't be issues, but making it programmable makes it more, not less vulnerable. As hardware can be implemented to recover (even if it's a BSOD) from unauthorized access.

All it takes is the keys or access to the program and to deconstruct it to gain complete access.

See Jeep and their open programmable CAN bus on vehicles, allowing remote control of a whole vehicle essentially.
 
Joined
Sep 26, 2012
Messages
515 (0.17/day)
Location
Australia
My point isn't that there can't be issues, but making it programmable makes it more, not less vulnerable. As hardware can be implemented to recover (even if it's a BSOD) from unauthorized access.
Easier to update versus permanent vulnerability; whilst I think you have an excellent point and in a perfect world I think it's better to be completely immutable, I think the reality is vulnerabilities will exist, and I'll be much more comfortable being able to patch up than mitigate.
 
Joined
Oct 22, 2014
Messages
10,214 (4.57/day)
Location
Sunshine Coast
It's nice to put a face to the next person Intel will throw under a bus when things go pear shaped.
 
Joined
Aug 20, 2007
Messages
13,769 (2.84/day)
And protect power supply firmware? I'm learning stuff today, eh. WTAF, well I never. Why, just why, does anyone leave a PSU networked for BIOS flashing besides the actual maker?
This is for high end servers. Most consumer machines don't even HAVE power supply firmware.

SGX is what they removed from 10th gen desktop because it was insecure and unpatchable in 9th gen....
I guess they have figured out how to work around that for Ice Lake?
SGX is more hardware security bullshit. It's doomed to fail. This is a fail philosophy, from AMD or Intel it's the same garbage.
 