If you’ve been following along with us at RedGamingTech for a few months, you’re probably intimately familiar with AMD’s upcoming next generation processor known as Zen. The CPU is being designed from the ground up as a scaleable, high performance X86 processor for use in the traditional desktop, low per solutions such as laptops and of course the enterprise market.
With the enterprise market in mind, AMD are keen to offer unique features which could tip companies towards Zen rather than an Intel equivalent, and while performance is certainly a key part of any cloud or HPC (High Performance Computing) system, security is perhaps as important. So, AMD will be introducing two feature sets, the first is SME (Secure Memory Encryption) and the second SEV (Secure Encrypted Virtualization). Once again, these two solutions are current unique to AMD, and Intel doesn’t even support them on their upcoming Kaby Lake range of processors.
AMD’s secure processor is integrated within the Zen SoC (System on Chip) and is a 32-bit microcontroller (an ARM Cortex-A5). This Secure Processor is a system wide approach to security, and in essence allows tasks to run in two distinct ‘worlds’. The first of these is “Secure World” and the second is “Standard Operation”. Sensitive data driven tasks (for example, customers information) could be ran in the secure area, protecting the integrity and confidentiality of these key resources.
Most folks are familiar with AES or other types of disk based encryption, which takes data and makes it ‘impossible’ (unless you crack the security) to be read within the proper authorisation. But DRAM (in other words, main system RAM) is a different story, and instead the data is stored essentially as plain text. AMD are looking to fix this with SME (Secure Memory Encryption) by using the secure processor to encrypt or decrypt data from DRAM.
“Main memory encryption is performed via dedicated hardware in the on-die memory controllers. Each controller includes a high performance Advanced Encryption Standard (AES) engine that encrypts data when it is written to DRAM, and decrypts it when read as shown. The encryption of data is done with a 128-bit key,” says AMD.
To make things even more interesting, you have Zen Secure Encrypted Virtualization, which was designed specifically for VM (Virtual Machine) instances and works in tandem with AMD-V Virtualization. What does this mean? Well, in essence each VM instance is running in an encrypted memory space, and (in theory) prevents a rogue admin (either of the server running the VM’s, or a rogue VM) from gaining access or stealing data from a VM running sensitive user data. In the words of AMD:
“When enabled, SEV hardware tags all code and data with its VM ASID which indicates which VM the data originated from or is intended for. This tag is kept with the data at all times when inside the SOC, and prevents that data from being used by anyone other than the owner. While the tag protects VM data inside the SOC, AES with 128 bit encryption protects data outside the SOC.“
Quite simply, even if you were able to gain access to the ‘host’ machine, you couldn’t then decide to easily read or write information from the systems RAM and leach data from one of the Virtual Machines.
With this technology, AMD’s Zen provides an incredible level of additional security which will doubtlessly be extremely welcomed by data centre’s hosting sensitive user data. And in the age where servers are spread as scalable instances on multiple servers (where those instances increase or decrease resources as needed) and security is ever a bigger issue, the notion of having hardware based security, with no additional coding really needed is surely going to be a win.
As we all know, Intel currently are the biggest provider of X86 servers in the world, and took much of AMD’s marketshare over the past several years. With technology such as this, we might well see AMD emerge as the number one choice – at least where security is concerned.