Intel Unveils New Security Tech in Upcoming Ice Lake CPU

Intel on Wednesday announced the new security technologies that will be present in the company’s upcoming 3rd generation Xeon Scalable processor, code-named “Ice Lake.”

Intel told SecurityWeek that it’s aiming to make initial production shipments of the first 10nm-based Xeon Scalable product at the end of the year.

The company says Ice Lake will include its SGX trusted execution environment, as well as several new features for memory encryption, firmware resilience, and cryptographic performance acceleration. Intel says these features should address concerns related to data integrity and confidentiality.

“Protecting data is essential to extracting value from it, and with the capabilities in the upcoming 3rd Gen Xeon Scalable platform, we will help our customers solve their toughest data challenges while improving data confidentiality and integrity. This extends our long history of partnering across the ecosystem to drive security innovations,” said Lisa Spelman, corporate VP of the Data Platform Group and GM of the Xeon and Memory Group at Intel.

One of the new security features introduced with Ice Lake processors is named Total Memory Encryption (TME), which ensures that all memory accessed from the CPU is encrypted. This includes encryption keys, user credentials, and other sensitive information on the external memory bus.

The feature uses the AES XTS standard and the encryption key is generated by a hardened random number generator in the processor. TME, Intel says, can provide better protection against attacks that involve custom-built hardware or removing the RAM sticks.

As for cryptographic acceleration, Intel says it has introduced two new innovations that should help reduce the performance impact caused by better security.

“The first is a technique to stitch together the operations of two algorithms that typically run in combination yet sequentially, allowing them to execute simultaneously. The second is a method to process multiple independent data buffers in parallel,” the company explained.

Finally, the Intel Platform Firmware Resilience (PFR) feature in Ice Lake processors is designed to protect systems against firmware attacks by detecting and addressing them before any damage is caused. Protected components include the BIOS and BMC flash, Management Engine, SPI Descriptor, and even the power supply firmware.

Microsoft believes the new processors can be very useful for its Azure confidential computing offering.

“Azure has confidential computing options for virtual machines, containers, machine learning, and more. We believe the next-generation Intel Xeon processors with Intel SGX featuring full memory encryption and cryptographic acceleration will help our customers unlock even more confidential computing scenarios,” said Mark Russinovich, chief technology officer at Microsoft Azure.

Related: Intel Improves Hardware Shield in New 10th Gen Core vPro Processors

Related: CacheOut/L1DES: New Speculative Execution Attack Affecting Intel CPUs

Related: New Security Tech in Intel CPUs Protects Systems Against Malware Attacks