Intel SGX Card. Each server deserves its SGX



    Let me remind you what Intel Software Guard Extensions are. As the name implies, the point here is security. Mankind has come up with many software methods to protect its IT infrastructure from malicious or unauthorized code, but all of these methods have fundamental limitations. To get around them, protection has to begin in the very heart of the computer - its processor - and rely on the processor's own functionality.

    Following this principle, Intel developed Intel Software Guard Extensions (Intel SGX) - a set of CPU instructions that let applications create enclaves, protected regions of the application's address space whose confidentiality and integrity are preserved even in the presence of malicious software running with privileged rights.

    This post is about new hardware that brings Intel SGX to any server platform - the Intel SGX Card.

    The operating principles of Intel SGX enclaves are as follows:

    • Enclave memory cannot be read or written from outside the enclave, regardless of the current privilege level or CPU operating mode.
    • Production enclaves cannot be debugged with either software or hardware debuggers. (An enclave can be created with a debug attribute, in which case the Intel SGX debugger can view the enclave's contents just like a standard debugger. This exists to make software development more convenient.)
    • An enclave cannot be entered through ordinary function calls, jumps, register manipulation or stack manipulation. The only way to invoke an enclave function is a new instruction that performs several security checks before transferring control.
    • Enclave memory is protected with standard encryption algorithms and replay protection. Reading the memory directly, or moving the memory modules to another system, yields only encrypted data.
    • A new random memory encryption key is generated on every power cycle (for example, at boot and when resuming from sleep or hibernation). The key is stored inside the CPU and is not accessible from outside.
    • Data is sealed within the enclave and is accessible only to that enclave's code.
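    To make the last three properties concrete, here is a small added model of replay-protected memory encryption. It is an illustration written for this post and is not Intel's Memory Encryption Engine or any Intel code: a hash-derived keystream stands in for the hardware cipher, an HMAC stands in for the hardware integrity tree, and the key, counters and memory contents are all constructed in the script. It shows what an observer of external memory gets (only ciphertext), why writing a stale but once-valid copy of a line back to the same address is detected, and why the same memory image is unreadable on a system whose CPU holds a different key.

```python
"""Toy model of replay-protected memory encryption (added illustration).

Assumptions (constructed for this example, not Intel's design):
- The per-boot key lives "inside the CPU" (here: a private attribute) and a
  fresh one is generated each time a ProtectedMemory object is created.
- A write counter per memory line also lives inside the CPU; the MAC binds the
  ciphertext to its address and counter, so stale ciphertext no longer verifies.
- SHA-256 keystream stands in for the hardware cipher; HMAC-SHA256 stands in
  for the hardware integrity tree.
"""
import hashlib
import hmac
import os

LINE_SIZE = 64  # bytes per protected memory line


class IntegrityError(Exception):
    """Raised when a line's MAC does not match: tampering or replay."""


class ProtectedMemory:
    def __init__(self, n_lines, key=None):
        # Key generated per "power cycle"; never exposed outside the object.
        self._key = key if key is not None else os.urandom(32)
        # Counters are CPU-internal state; only self.dram is visible externally.
        self._counters = [0] * n_lines
        self.dram = [None] * n_lines  # list of (ciphertext, tag) pairs

    def _keystream(self, addr, counter):
        # CTR-style keystream derived from key, address and write counter.
        seed = self._key + addr.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out = b""
        block = 0
        while len(out) < LINE_SIZE:
            out += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
            block += 1
        return out[:LINE_SIZE]

    def _tag(self, addr, counter, ciphertext):
        msg = addr.to_bytes(8, "big") + counter.to_bytes(8, "big") + ciphertext
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def write(self, addr, plaintext):
        assert len(plaintext) == LINE_SIZE
        self._counters[addr] += 1  # new counter -> new keystream and new tag
        ctr = self._counters[addr]
        ks = self._keystream(addr, ctr)
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        self.dram[addr] = (ct, self._tag(addr, ctr, ct))

    def read(self, addr):
        ct, tag = self.dram[addr]
        ctr = self._counters[addr]
        if not hmac.compare_digest(tag, self._tag(addr, ctr, ct)):
            raise IntegrityError(f"line {addr}: MAC mismatch")
        ks = self._keystream(addr, ctr)
        return bytes(c ^ k for c, k in zip(ct, ks))


def demo_ciphertext_hides_plaintext():
    """External memory holds only ciphertext; the enclave still reads correctly."""
    mem = ProtectedMemory(1)
    secret = b"PATIENT-RECORD-42".ljust(LINE_SIZE, b"\0")  # constructed sample
    mem.write(0, secret)
    ct, _ = mem.dram[0]
    return b"PATIENT-RECORD-42" not in ct and mem.read(0) == secret


def demo_replay_detected():
    """A stale but once-valid (ciphertext, tag) pair is rejected on read."""
    mem = ProtectedMemory(2)
    mem.write(0, b"balance=100".ljust(LINE_SIZE, b"\0"))
    stale = mem.dram[0]                      # snapshot of the old line
    mem.write(0, b"balance=0".ljust(LINE_SIZE, b"\0"))
    mem.dram[0] = stale                      # old contents put back in place
    try:
        mem.read(0)
        return False                         # replay went unnoticed (bad)
    except IntegrityError:
        return True                          # counter mismatch caught it


def demo_other_system_cannot_read():
    """The same DRAM image under a different CPU key fails verification."""
    src = ProtectedMemory(1)
    src.write(0, b"session-key".ljust(LINE_SIZE, b"\0"))
    other = ProtectedMemory(1)               # different machine, different key
    other.dram = list(src.dram)              # modules moved over
    other._counters = list(src._counters)    # even with counters known
    try:
        other.read(0)
        return False
    except IntegrityError:
        return True


if __name__ == "__main__":
    print("hidden:", demo_ciphertext_hides_plaintext())
    print("replay detected:", demo_replay_detected())
    print("other system blocked:", demo_other_system_cannot_read())
```

    The counter is the essential piece: without it, an old ciphertext and its old tag would still be a valid pair, so integrity alone would not detect a line being rolled back to an earlier value. Binding the tag to a CPU-internal counter is what turns plain integrity into replay protection.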

    [Figure: Intel SGX significantly reduces the software attack surface]

    Intel Software Guard Extensions was introduced in 2016. Since then it has gained support in a number of Intel Xeon server processors, and in turn some of the largest cloud providers and software vendors, such as Alibaba Cloud, Baidu, IBM and Microsoft, appreciated the benefits of the technology and began integrating it into their services and products. However, the triumphal march of Intel SGX ran into a technical obstacle: processors that do not support the technology still greatly outnumber those that do. SGX support is especially lacking in multi-socket configurations, which are common in cloud services and data centers.



    The solution came from an unexpected direction. Intel has a device called the Intel Visual Compute Accelerator (VCA), which we briefly covered earlier. It is a specialized accelerator for media processing - in fact a full-fledged server in a PCIe x16 card form factor; its specifications are given in the post linked above. The VCA was taken as the basis, and after some changes - disabling the graphics core, tuning the security features, and so on - the result was the Intel SGX Card: a card carrying three processors that support Intel Software Guard Extensions and are ready to take over all interaction with SGX enclaves, so that this is no longer required of the host system.

    Resource-intensive workloads that need extra protection can be offloaded to this card. A standard 2U server platform based on Intel Xeon Scalable supports up to 4 PCIe x16 cards, so a single server can have up to 12 processors working with sensitive data. As the figure above shows, the environment available to applications has become more flexible: they have both protected and ordinary memory regions, processor cores with and without SGX support, and so on.

    The Intel SGX Card is an option for a digital services provider to prepare its infrastructure for Intel Software Guard Extensions without waiting for Intel Xeon Scalable processors that support the technology. Perhaps it will be useful to someone.
