Wednesday, October 12th 2016

AMD's ZEN to Implement Advanced Security Features not found in Intel's solutions

Thanks to AMD's incorporation of an ARM-based "AMD Secure Processor" in their upcoming ZEN micro-architecture, the company is poised to offer something competitor Intel's microprocessors yet don't: memory encryption. This processor, and its underlying technologies, could prove to be a stepping-stone for AMD towards regaining lost server market share. Essentially, because in a market ever more steered by cloud computing considerations, it allows for the client's data to be encrypted at every moment of the work chain. Assuming all works as intended, for the first time not even cloud providers, with either hypervisor-level privileges or even physical access to the servers, will be able to carry out any malicious actions against their clients.

One only has to consider the writing on the wall: Morgan Stanley predicts that by 2018, 30% of Microsoft's revenue will stem from its cloud services; Amazon Web Services (AWS) generated $7.88B in revenue on Q4 2015, up 69% over 2014; and worldwide spending on public cloud services by itself will grow from $70B in 2015 to an estimated $141B in 2019. Cloud computing is here to stay, and with security being as important as it is for some businesses, this is an important area of investment for AMD. This "AMD Secure Processor" will work on essentially two fronts: SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization), backed by an hardware-based SHA (Secure Hash Algorithm).
According to AMD's Memory Encryption Whitepaper, SME works by leveraging the Secure Processor in encrypting data (using a 128-bit AES encryption key) when it is written to DRAM, effectively putting an end to the last redoubt of Cleartext-stored data. This becomes increasingly important when one considers the advent of NVDIMM (non volatile memory), which if left unencrypted, would be much more vulnerable to physical removal and subsequent cloning of its contents than currently employed solutions. This encryption key is randomly generated by the Secure Processor on each system reset, and is never accessible by any software running on the CPU cores. Furthermore, AMD states that the encryption impact on performance (namely, latency on memory accesses) is, quote, "very small", even when the entirety of the addressable memory is encrypted, but especially considering the Security Processor's ability to encrypt only specific memory pages, and not the entire amount of used RAM.

SEV, on the other hand, solves the problem with the traditional ring-based security system, where customer's code runs at a lower privilege level than the hypervisor. In essence, this means that in ring-based security, the hypervisor can have access to the guest's (ie., client's) data. With SEV, that will no longer be the case, isolating the hypervisor and the client's resources, as well as different client's workloads running on the same machine. Each of these workloads, as well as the hypervisor, will have their code and data tagged and separately encrypted, guaranteeing that each time the encrypted data is accessed by code with an incorrect encryption tag, all it sees is its encrypted state. SEV differs from SME in that in this case, the hypervisor must interact with the Secure Processor in order for the encryption to occur. It informs the Secure Processor that an encrypted VM (Virtual Machine) is going to run, and passes to the server's Secure Processor the needed certificates and exchange key which, in turn, allows the Secure Processor to load the appropriate, unique AES key.
With the ever-expanding computing requirements of businesses and customers worldwide being increasingly serviced by servers on the so-called cloud, the need for increased security becomes more and more of a concern for service-providers. According to The 2016 Global Cloud Data Security Study, 60% of IT professionals consider it to be more difficult to protect confidential or sensitive information in the cloud. At the same time, it's estimated that globally, 36% of organization's total IT and data processing needs are met by cloud resources. This is expected to increase to 45% over the next two years.

And with 86% of the study's respondents claiming encryption will become even more important over the next two years, this feature disparity between AMD and Intel's solutions could prove to be an ace up AMD's sleeve in regaining some of its lost server market share from its glory days.
Sources: 2016 Global Cloud Data Security Study, AMD x86 Memory Encryption Technologies
Add your own comment

31 Comments on AMD's ZEN to Implement Advanced Security Features not found in Intel's solutions

#1
FR@NK
Next we will need encryption on the data in the cache...
Posted on Reply
#2
Raevenlord
News Editor
Hey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
Posted on Reply
#3
TheinsanegamerN
Hopefully this leads to AMD getting marketshare in servers. They need design wins, and we need a strong AMD.

This could also be useful for laptops/2 in 1s. Perhaps OEMs will give AMD a fair shot here.
Posted on Reply
#4
Thefumigator
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
Great, keep on ! interesting read btw
Posted on Reply
#5
entropic
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
Well its a good effort and a decent read, tho i have to say some sentence structures sound weird in my head, like they were written in another language and translated into english which doesn't always sound right in the end, also proof read your work thouroughly before submitting, stepping-stone at the beginning is missing the second 's', and lastly you dont need to write so much, get on the topic and be concise, im sure you'll get the hang of everything shortly and i wish you the best of luck at TPU.
Posted on Reply
#6
john_
entropicWell its a good effort and a decent read, tho i have to say some sentence structures sound weird in my head, like they were written in another language and translated into english which doesn't always sound right in the end, also proof read your work thouroughly before submitting, stepping-stone at the beginning is missing the second 's', and lastly you dont need to write so much, get on the topic and be concise, im sure you'll get the hang of everything shortly and i wish you the best of luck at TPU.
I don't agree with the "and lastly you dont need to write so much". It's nice to see a complete article and not feeling the need to start googling around. Writing about a motherboard, yes, you don't have to mention all the USB ports on it, but when you have a new security feature on a new processor, it's preferable to also have a nice little explanation about it, than just saying "Zen will be more secure, because of new security features, google is you friend, the end.".

PS "im" "dont" "thouroughly"... :p


@Raevenlord
That's a really nice FIRST article. Don't worry, soon it will become easier and if you like news posting, an everyday habit.
Posted on Reply
#7
Rockarola
entropicWell its a good effort and a decent read, tho i have to say some sentence structures sound weird in my head, like they were written in another language and translated into english which doesn't always sound right in the end, also proof read your work thouroughly before submitting, stepping-stone at the beginning is missing the second 's', and lastly you dont need to write so much, get on the topic and be concise, im sure you'll get the hang of everything shortly and i wish you the best of luck at TPU.
Would you have a decent analysis of what this piece of news is, or would you rather like a transcript of the press release?
The analysis can't be more concise, the English is (somewhat) better than most, non American, news sites and you should proof read your own posts
Posted on Reply
#8
Chaitanya
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
Welcome, I hope you dont fall asleep on job like Btarunner used to do.
Posted on Reply
#9
chaosmassive
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
why your nickname is not green?
Posted on Reply
#10
ZoneDymo
Finally I can safely browse the...deep web :O
Posted on Reply
#11
cyneater
If this works.. I give intel 18 months to have similar technology.
Posted on Reply
#12
lorraine walsh
I think the consumers just want fast cores AMD rather than these gimmicks. The CPU can be the most secure ever, but if its slow no one will buy that.
Posted on Reply
#13
john_
lorraine walshI think the consumers just want fast cores AMD rather than these gimmicks. The CPU can be the most secure ever, but if its slow no one will buy that.
The consumer probably, the enterprises will probably love it. And those selling Cloud services can charge more for those ultra secure servers. And it wouldn't matter if the CPUs are slower, because higher costs for more secure cloud services, also means less customers for those services, so those servers will be less crowded(but they will be returning more profits to the company offering those services).
Posted on Reply
#14
Raevenlord
News Editor
entropicWell its a good effort and a decent read, tho i have to say some sentence structures sound weird in my head, like they were written in another language and translated into english which doesn't always sound right in the end, also proof read your work thouroughly before submitting, stepping-stone at the beginning is missing the second 's', and lastly you dont need to write so much, get on the topic and be concise, im sure you'll get the hang of everything shortly and i wish you the best of luck at TPU.
Thanks for the feedback. I'm not used to writing for a tech audience, so it might have something to do with that. That said, I'm sure I will get it better in time.

Regarding length, I tried to keep it as concise as possible, whilst going into as much detail as I considered relevant to you guys, without meandering into TL;DR territory (we've all been there, after all).
john_@Raevenlord
That's a really nice FIRST article. Don't worry, soon it will become easier and if you like news posting, an everyday habit.
Thanks, john_, I believe that's exactly the case.
ChaitanyaWelcome, I hope you dont fall asleep on job like Btarunner used to do.
Ahh, I'm not sure that won't happen, but alas, your concern has been noted and well received :roll:
john_The consumer probably, the enterprises will probably love it. And those selling Cloud services can charge more for those ultra secure servers. And it wouldn't matter if the CPUs are slower, because higher costs for more secure cloud services, also means less customers for those services, so those servers will be less crowded(but they will be returning more profits to the company offering those services).
That's exactly the target audience for this kind of technology, I'd wager. The everyday consumer might not think of it (though some tech-savvy users might want to make use of it), but for enterprises, I believe this is the natural and needed development. Ring-based security always needed that compromise of trusting the service provider. Now, not so much.
Posted on Reply
#15
laszlo
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
enjoyed reading your 1st news post; i'm not a tech in this domain but understood it as you took the time to explain all clear&simple.

have one question related to news post:

i open news(with pictures) from front page and i can preview pictures and close them having the article in background
i open same news but from forum/news, if i watch one picture this is opened in a new page, forcing me to go back one page to view again the article , as i can't preview them...; isn't possible as above?
Posted on Reply
#16
W1zzard
laszloi open news(with pictures) from front page and i can preview pictures and close them having the article in background
i open same news but from forum/news, if i watch one picture this is opened in a new page, forcing me to go back one page to view again the article , as i can't preview them...; isn't possible as above?
I understand the problem you are describing, but it's a technical limitation that's not easily fixed, due to how we use the forum for article storage.
Posted on Reply
#17
laszlo
W1zzardI understand the problem you are describing, but it's a technical limitation that's not easily fixed, due to how we use the forum for article storage.
thanks for reply W1zz!

maybe is solvable but i'm not familiar with the script and can't help unfortunately.....
Posted on Reply
#18
R-T-B
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
This likely means I got eliminated then from the news editor application show, doesn't it? I can't say I'm surprised, my work history is... nothing. :laugh:

Congrats man. You seem to be an excellent news writer from this piece, and are well suited for this work if you can keep that grade up.
Posted on Reply
#19
Raevenlord
News Editor
R-T-BCongrats man. You seem to be an excellent news writer from this piece, and are well suited for this work if you can keep that grade up.
Thanks a lot, R-T-B :toast: Hope to keep you guys interested.
Posted on Reply
#20
librin.so.1
RaevenlordHey there everyone.

Currently proving myself to TPU's staff, so, here's my first news post. I hope you enjoy reading through it.
As a first post I'd say good job && well done! A comprehensive and well-rounded post, I'd say.
But as a news post it kinda fails, as this information has been known for well over a half a year now – ever since AMD pushed those patches to the linux kernel, implementing support for these features. xP
Either way, hope to see more of Your posts soon, as You really seem to have a knack for writing good, comprehensive and detailed articles.
Posted on Reply
#21
xorbe
Sounds neat, but has physical server security been an issue? But, it does impart that warm and fuzzy feeling, it's a good server feature.
Posted on Reply
#23
librin.so.1
xorbeSounds neat, but has physical server security been an issue? But, it does impart that warm and fuzzy feeling, it's a good server feature.
Sure, this is a feature where servers and enterprise applications of hardware will benefit the most. But it doesn't mean it's useless for a consumer. To the contrary:
for a regular consumer this means:
  • Makes cold boot attacks unviable. This is mostly a privacy concern as it can be and is used by authorities to recover encryption keys from a running system.
  • Potentially makes DMA attacks useless. (i.e. does not protect against it, just makes it read garbage, i.e. useless)
  • Potentially makes "ring -3" attacks useless. i.e. stuff like the gapping hardware backdoor in Intel ME would theoretically be useless, just like a DMA attack
(warning: I am by no means an expert, take whatever I wrote with a grain of salt)
Posted on Reply
#25
FordGT90Concept
"I go fast!1!11!1!"
I was looking closer at that picture and it looked familiar...


AMD Beema

That's not Zen so, either the picture is bull or Beema already has this feature and it's not new to Zen.
Posted on Reply
Add your own comment
Dec 23rd, 2024 00:09 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts