
After more than a year of delay, Intel launched its 4th Gen Intel Xeon Scalable processors, codenamed Sapphire Rapids, with on-chip confidential computing functionality intended to prevent attackers from stealing high-value data from computer systems, help ensure regulatory compliance and preserve data sovereignty.
In a statement, Intel said that the new 4th Gen Intel Xeon Scalable processors will offer larger baseline enclaves, and that Intel SGX will be able to accurately and reliably attest to the application software loaded into those enclaves.
What is Intel® SGX?
Intel® Software Guard Extensions (Intel® SGX) provides hardware-based memory encryption that isolates selected application code and data in memory. User-level code can allocate private memory regions called enclaves, which are designed to be protected even from software running at higher privilege levels, such as the operating system and the hypervisor.
The purpose of confidential computing is to keep data protected while it is in use, complementing the encryption already applied to data at rest and in transit.
This is achieved by processing the data inside a hardware-isolated, memory-encrypted environment, and Intel Xeon chips are equipped with attestation technology that lets a remote party verify that the code running in that environment is the code it expects.
At the Xeon launch event last Tuesday, Mark Russinovich, CTO of Microsoft Azure, said: “We hope to be one of the first cloud providers to offer confidential services based on Intel’s 4th generation Xeon Scalable processors with Intel TDX later this year.”
“This will allow organizations to achieve confidentiality by seamlessly lifting and moving their workloads without requiring any code changes,” Russinovich said.
Businesses that prioritize the protection of their valuable information and operations, and that need strong guarantees for data in use, could be highly attracted to this new on-chip confidential computing solution.
In a press briefing about the new chips, Lisa Spelman, Intel’s corporate vice president and general manager of Xeon products, said: “Confidential computing strengthens compliance with data privacy and governance regulations and helps create a more private controlled infrastructure, even when using the public cloud.”
Intel’s 4th generation Xeon chips will be connected to the Project Amber cloud service, which is intended to help validate the trustworthiness of workloads from the cloud to the edge, starting with an independent attestation service for Intel’s confidential computing technologies.
The new Xeon processors will also appear in virtual machine instances on Google, IBM and Alibaba cloud services. However, Intel did not comment on whether those cloud providers will specifically offer TDX-enabled instances.
Intel® Trust Domain Extensions (Intel® TDX)
Intel® Trust Domain Extensions (Intel® TDX) introduces new architectural elements to help deploy hardware-isolated virtual machines (VMs) called trust domains (TDs).
Intel TDX is designed to isolate virtual machines from the Virtual Machine Manager (VMM)/hypervisor and from any other non-TD platform software, protecting the TD from a wide range of software-based attacks.
The architectural elements that provide this hardware isolation include:
- Secure Arbitration Mode (SEAM) – A new CPU mode designed to host an Intel-provided, digitally signed security services module called the Intel TDX module.
- A shared bit in the guest physical address (GPA) that lets the TD access memory it deliberately shares with the VMM, keeping everything else private.
- Secure EPT to help translate private GPA, ensure address translation integrity, and prevent TD code fetching from shared memory. The goal is to encrypt private memory access and protect integrity using the TD private key.
- Physical Address Metadata Table (PAMT), which helps track page allocation, page initialization, and TLB consistency.
- A multi-key, total memory encryption (MKTME) engine designed to provide memory encryption using AES-128-XTS and integrity protection using a 28-bit MAC and a TD ownership bit.
- Remote attestation designed to provide evidence that a TD is executing on a genuine Intel TDX system, together with the version of that system’s trusted computing base (TCB), so a relying party can decide whether to trust it before handing over secrets.
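The attestation element above, and the independent attestation service mentioned earlier, both come down to the same relying-party decision: verify a hardware-signed report and only then release secrets to the workload. The following is an added illustration written for this page, not Intel code and not the real TDX quote format. The report layout, field names (`measurement`, `tcb_version`, `debug`, `nonce`) and the use of an HMAC under a shared key in place of the hardware’s ECDSA signature chain are assumptions made so the example runs offline with only the standard library; a real verifier checks a certificate chain rooted at the CPU vendor instead. What it does show is the order and content of the policy checks a verifier must apply, including the TCB-version check the list item refers to.

```python
"""
Simplified model of remote-attestation verification for a hardware-isolated VM.
Illustrative only: field names, report layout and the shared-key MAC are
assumptions of this example, not the Intel TDX quote format.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in for the platform attestation key. Real hardware signs with an
# asymmetric key whose certificate chains back to the vendor; a shared secret
# is used here only so the example runs offline (assumption, not real TDX).
_PLATFORM_KEY = b"example-platform-attestation-key"


@dataclass(frozen=True)
class Policy:
    expected_measurement: str  # hash of the TD image the relying party expects
    min_tcb_version: int       # oldest firmware/microcode level still accepted
    require_debug_off: bool = True


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_report(measurement: str, tcb_version: int, debug: bool, nonce: bytes) -> dict:
    """Model of what the platform produces: the TD's identity and TCB level,
    bound to the verifier's nonce and signed with the platform key."""
    body = {
        "measurement": measurement,
        "tcb_version": tcb_version,
        "debug": debug,
        "nonce": nonce.hex(),
    }
    sig = hmac.new(_PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_report(report: dict, policy: Policy, nonce: bytes) -> Tuple[bool, str]:
    """Relying-party checks, in the order a verifier should apply them."""
    body = report.get("body", {})
    expected_sig = hmac.new(_PLATFORM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    # 1. Signature first: no field in the report is trustworthy until this passes.
    if not hmac.compare_digest(expected_sig, report.get("signature", "")):
        return False, "signature invalid"
    # 2. Freshness: the nonce ties the report to this session and defeats replay.
    if body.get("nonce") != nonce.hex():
        return False, "nonce mismatch (possible replay)"
    # 3. Identity: the measurement must be the image we intend to talk to.
    if body.get("measurement") != policy.expected_measurement:
        return False, "unexpected measurement"
    # 4. TCB: an out-of-date platform may carry known, already-patched weaknesses.
    if body.get("tcb_version", -1) < policy.min_tcb_version:
        return False, "TCB version below policy minimum"
    # 5. A debug-enabled TD exposes its memory to the host; refuse it in production.
    if policy.require_debug_off and body.get("debug"):
        return False, "debug mode enabled"
    return True, "ok"


def release_secret(report: dict, policy: Policy, nonce: bytes, secret: bytes) -> Optional[bytes]:
    """Hand the workload its secret only after attestation passes policy."""
    ok, _reason = verify_report(report, policy, nonce)
    return secret if ok else None


if __name__ == "__main__":
    # Constructed sample values, not real measurements.
    policy = Policy(expected_measurement="ab" * 32, min_tcb_version=5)
    session_nonce = bytes(range(16))
    report = issue_report("ab" * 32, 5, False, session_nonce)
    print(verify_report(report, policy, session_nonce))
    stale = issue_report("ab" * 32, 4, False, session_nonce)
    print(verify_report(stale, policy, session_nonce))
```

The ordering matters: a verifier that compares the measurement or TCB version before checking the signature is reasoning about attacker-controlled bytes, and one that skips the nonce can be fed a report captured from an earlier, legitimate session.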
According to Anil Rao, vice president and general manager of systems architecture and engineering in Intel’s CTO office, TDX adds a boundary around the virtual machine and everything inside it, including the guest operating system and the applications it runs, and removes the cloud service provider and other cloud tenants from the trust boundary.
TDX builds on an existing Xeon security feature, Software Guard Extensions (SGX), which is widely used today as a secure enclave to protect data while it is being processed. TDX, however, is much broader in scope: it protects whole virtual machines, covering workloads such as AI in virtualized environments.
According to Mercury Research, Intel is a strong player in the server hardware market with an x86 server market share of 82.5% in the third quarter of last year; its nearest competitor AMD had a market share of 17.5%.
As of 2023, there are more than 100 million Intel Xeon processors in the world, powering server platforms and enterprise desktop hardware worldwide.