Intel has announced new security features for the third generation of the Xeon-SP with the code name Ice Lake-SP. These include an improved version of the Software Guard Extensions (SGX), new functions such as Total Memory Encryption (TME), and the Intel Platform Firmware Resilience (PFR). Intel expects new methods to accelerate cryptographic processes to increase the security of Ice Lake-SP.

Intel’s motivation for the latest security updates followed several successful attacks in recent years – keyword: Specter and Meltdown. According to information from Intel security manager Anil Rao, data that is currently being processed by the processor is and will remain a popular target of attack.

SGX under constant fire The basic idea of ​​SGX is to set up an enclave in the main memory that is isolated from the operating system, so that code running in it remains protected even if the system has already been compromised. The earlier version of Intel’s SGX, which has been usable since Skylake (Core i – 6000, Xeon-SP), has already been the victim of two Specter attacks in 2018. In the following year, the SGX was cracked with serious weaknesses in the enclaves. For example, hidden malicious code was able to penetrate protected areas. When the Load Value Injection (LVI) attack became known in the spring of this year, Intel was already working on improvements.

The software guard extensions are for the operating system and hypervisor invisible.

(Image: Intel)

The now announced Xeon SP processors have the new Intel SGX version, which according to Intel is the most detailed so far is tested. It should be able to protect up to 1 Tbyte of code and data in the entire range of the new Ice Lake SP processors.

New Overview of functions With the help of the new Total Memory Encryption (TME) function, Intel encrypts all address spaces used by the CPU with the 256 – AES XTS bit block cipher. TME works independently of SGX and is not affected by it. Intel wants to protect against physical attacks such as “memory freezing” or “memory removal”.

The second function presented is a precaution against denial-of-service attacks through Intel’s new firmware resilience platform. PFR represents a significant extension of the previous Intel Management Engine (IME) within the chipset, which was a frequent target of attacks due to its top-level access (regardless of the operating system).

Intel uses a an independent, programmable logic chip (Field Programmable Gate Array, FPGA) that manages crypto security keys and is intended to ensure a root of trust. An FPGA is more flexible than the previous firmware TPM (fTPM 2.0) and, in the event of a successful firmware attack, enables it to be automatically restored to a sic