Epyc win for AMD in the server security battle
29 June 2017 | 0
While everyone is talking about the impressive performance potential and scale of AMD’s new Epyc server chips, overlooked in all the hype are the security features of the chip that may prove just as appealing.
To start, there is the tag team of Secure Memory Encryption (SME) and Secure Encrypted Virtualisation (SEV). Secure Memory Encryption allows for full encryption of data stored in DRAM, and SEV allows individual virtual machines to be assigned a unique cryptographic key, thus isolating them from each other as well as the OS hypervisor and administrator layer. These functions are based on a hardware security processor attached to the memory controller with a 128-bit AES encryption engine.
That means you can have full memory encryption on virtualised machines, something that will be greatly appreciated by cloud services providers. It will let them assure customers that the memory and the virtual machines that live on their clouds are completely secured in a multi-tenant environment.
Where SME is designed for memory, SEV is specifically aimed at VMs and is designed to keep them from cross-contamination, since each VM has its own encryption key. It also allows unencrypted VMs to run alongside encrypted ones, which is a new option. Up to now, it has been either/or, all-or-nothing. The keys are transparent to the VMs and managed by the protected hypervisor.
SVE does not just work for static VMs; it also supports migrating VMs from one server to another while maintaining encryption throughout the process.
Then there is the Platform Security Processor (PSP), an ARM Cortex-A5 core on the Epyc die that controls the boot process and system security, and basically operates similar to Intel’s Management Engine in the Xeon. It provides secure boot and has full TPM functionality.
The one question unanswered is how much of a performance hit this will incur. Encryption is never a fast process regardless of processor, and now you are talking about encrypting the contents of memory, which are going to be constantly changing. AMD does give the option of turning SEV and SME on or off, and you can do it while the server is running without a restart.
Of course, this hardware is not terribly useful until Microsoft, VMware, Citrix, Red Hat and other Linux distros support it. Once the software enters the market, then that encryption will be truly useful. For now, though, AMD has a security story that Intel cannot quite match.
IDG News Service