After a delay of more than a year, Intel launched its 4th Gen Intel Xeon Scalable processors (CPUs), codenamed Sapphire Rapids, with on-chip confidential computing capabilities intended to prevent attackers from stealing high-value data from computer systems, to support regulatory compliance and to help maintain data sovereignty.
In its announcement, Intel said the new 4th Gen Intel Xeon Scalable processors increase the enclave capacity available to applications, and that Intel SGX can accurately and securely verify (attest) the application software loaded into an enclave.
What is Intel® SGX?
Intel® Software Guard Extensions (Intel® SGX) is a hardware-based isolation and memory-encryption technology that protects specific application code and data in memory. It lets user-level code allocate private regions of memory, called enclaves, whose contents are designed to stay protected even from software running at higher privilege levels, such as the operating system or hypervisor.
Confidential computing is about keeping data protected while it is in use, that is, while it is being processed in memory, which complements the encryption already applied to data at rest and in transit.
This is achieved by running the workload inside a hardware-isolated, encrypted environment. Intel Xeon chips add attestation to this, which lets a remote party verify that the code running in that environment is genuine and unmodified.
During last Tuesday’s Xeon launch event, Mark Russinovich, Chief Technology Officer of Microsoft Azure, said, “We look forward to being one of the first cloud providers later this year to offer confidential services based on 4th Gen Intel Xeon Scalable processors with Intel TDX.”
“This allows organizations to achieve confidentiality by seamlessly lifting and moving their workloads without requiring any code changes,” Russinovich said.
Businesses that prioritize protecting their valuable information and operations, and that need robust protection, could be very attracted to this new on-chip confidential computing solution.
During a press conference on the new chips, Lisa Spelman, corporate vice president and general manager for Xeon products at Intel, said, “Confidential computing strengthens compliance with privacy and governance regulations and helps create a more private, controlled infrastructure, even when using the public cloud.”
Intel’s 4th Gen Xeon chips will be connected to a cloud service called Project Amber, an independent attestation service for Intel’s confidential computing technologies that verifies the trustworthiness of trusted execution environments from the cloud to the edge.
The new Xeon processors will also appear in virtual machine instances from Google, IBM and Alibaba. However, Intel did not say whether those cloud providers will specifically offer TDX-enabled instances.
Intel® Trust Domain Extensions (Intel® TDX)
Intel® Trust Domain Extensions (Intel® TDX) introduces new architectural elements to support the deployment of hardware isolated virtual machines (VMs) called Trust Domains (TDs).
Intel TDX is designed to isolate VMs from the Virtual Machine Manager (VMM)/hypervisor and from other non-TD software on the platform, protecting TDs from a wide range of software-based attacks.
The architectural elements that provide this hardware isolation include:
- Secure-Arbitration Mode (SEAM) – a new mode of the CPU designed to host an Intel-provided, digitally-signed security services module called the Intel TDX module.
- A shared bit in the guest physical address (GPA) that lets a TD mark the pages it deliberately shares with the VMM (for example, for I/O), while all other TD memory remains private.
- A Secure Extended Page Table (Secure EPT) that translates private GPAs, preserving address-translation integrity and preventing the TD from fetching code from shared memory. Accesses to private memory are encrypted and integrity-protected with a TD-private key.
- Physical-Address-Metadata Table (PAMT) to track page allocation, page initialization, and TLB consistency.
- Multi-key Total Memory Encryption (MKTME) engine designed to provide memory encryption with AES-128-XTS and integrity with 28-bit MAC and a TD ownership bit.
- Remote attestation to prove to a relying party that a TD is running on a genuine Intel TDX platform and to report the platform’s TCB version.
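The remote attestation item above, together with the earlier points about SGX verifying what was loaded into an enclave and Project Amber acting as an independent verifier, describes a relying-party check that the article never spells out. The following Python block is an added, constructed illustration of those checks; it is not Intel's code and does not parse the real TD quote format. A real verifier validates an ECDSA-signed quote against Intel's certificate chain and TCB information; here an HMAC with a hypothetical key stands in for that signature so the example runs offline. The field names (mrtd, mrseam, tcb_svn, report_data), the 48-byte measurements and the 64-byte report_data mirror the TDX report's general shape but the layout is an assumption.

```python
"""
Simplified relying-party verification of TDX-style attestation evidence.

Constructed example. The evidence layout is a stand-in for a real TD quote,
and the HMAC "signature" is a stand-in for the ECDSA signature and
certificate chain a real attestation service would verify.
"""
import hashlib
import hmac
import json

# Hypothetical key standing in for the platform attestation key. In reality the
# verifier trusts a certificate chain rooted at Intel, not a shared secret.
ATTESTATION_KEY = b"constructed-demo-key-not-a-real-key"


def nonce_to_report_data(nonce: bytes) -> bytes:
    """Bind a verifier nonce into the 64-byte REPORTDATA field (SHA-512 is 64 bytes)."""
    return hashlib.sha512(nonce).digest()


def build_evidence(mrtd: str, mrseam: str, tcb_svn: int, report_data: bytes,
                   key: bytes = ATTESTATION_KEY) -> dict:
    """Simulate the platform producing signed evidence for a TD.

    mrtd:        measurement of the TD's initial contents (hex, 48 bytes like SHA-384)
    mrseam:      measurement of the Intel TDX module running in SEAM mode
    tcb_svn:     security version number of the platform TCB
    report_data: 64 caller-supplied bytes, normally derived from the verifier's nonce
    """
    if len(report_data) != 64:
        raise ValueError("report_data must be exactly 64 bytes")
    body = {"mrtd": mrtd, "mrseam": mrseam, "tcb_svn": tcb_svn,
            "report_data": report_data.hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class AttestationPolicy:
    """What the relying party is willing to trust."""

    def __init__(self, allowed_mrtd: set, allowed_mrseam: set, min_tcb_svn: int):
        self.allowed_mrtd = allowed_mrtd      # known-good TD images
        self.allowed_mrseam = allowed_mrseam  # known-good TDX module builds
        self.min_tcb_svn = min_tcb_svn        # reject platforms with stale firmware/microcode


def verify_evidence(evidence: dict, nonce: bytes, policy: AttestationPolicy,
                    key: bytes = ATTESTATION_KEY) -> list:
    """Return the list of failure reasons; an empty list means the evidence is accepted."""
    body = evidence["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected_sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # 1. Authenticity: nothing else is meaningful if the evidence was not produced
    #    by the trusted platform key, so stop here on failure.
    if not hmac.compare_digest(expected_sig, evidence["sig"]):
        return ["signature check failed: evidence not produced by the trusted platform key"]
    failures = []
    # 2. Freshness: report_data must bind *our* nonce, otherwise an attacker could
    #    replay evidence captured from a genuine platform.
    if not hmac.compare_digest(nonce_to_report_data(nonce).hex(), body["report_data"]):
        failures.append("report_data does not bind the verifier's nonce (possible replay)")
    # 3. Identity of the TCB and of the workload.
    if body["mrseam"] not in policy.allowed_mrseam:
        failures.append("unknown TDX module measurement (MRSEAM)")
    if body["mrtd"] not in policy.allowed_mrtd:
        failures.append("TD measurement (MRTD) not in allowlist")
    # 4. TCB version: a genuine but unpatched platform is still rejected.
    if body["tcb_svn"] < policy.min_tcb_svn:
        failures.append("TCB SVN %d below required minimum %d"
                        % (body["tcb_svn"], policy.min_tcb_svn))
    return failures


def run_demo() -> dict:
    """Exercise the verifier on good, stale-TCB, replayed and tampered evidence."""
    good_mrtd, good_mrseam = "aa" * 48, "bb" * 48   # constructed measurements
    policy = AttestationPolicy({good_mrtd}, {good_mrseam}, min_tcb_svn=3)
    nonce = b"verifier-nonce-0001"
    good = build_evidence(good_mrtd, good_mrseam, 3, nonce_to_report_data(nonce))
    stale = build_evidence(good_mrtd, good_mrseam, 2, nonce_to_report_data(nonce))
    tampered = {"body": dict(good["body"], tcb_svn=9), "sig": good["sig"]}
    return {
        "good": verify_evidence(good, nonce, policy),
        "stale_tcb": verify_evidence(stale, nonce, policy),
        "replayed": verify_evidence(good, b"verifier-nonce-0002", policy),
        "tampered": verify_evidence(tampered, nonce, policy),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, "->", "ACCEPTED" if not result else result)
```

The order of the checks matters: signature first, because every other field is attacker-controlled until authenticity is established; then the nonce, because a genuine quote from another session proves nothing about this one. Note that a minimum TCB version is a policy decision the relying party must make and keep current, which is exactly the kind of work an attestation service such as Project Amber is meant to take off the workload owner.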
According to Anil Rao, vice president and general manager for systems architecture and engineering in Intel’s CTO office, TDX draws a boundary around the virtual machine and everything in it, including the guest operating system and the applications it contains, and removes the cloud service provider and other cloud tenants from the trust boundary.
TDX builds on a security feature of Xeon chips called Software Guard Extensions (SGX), which is now widely used to create secure enclaves that protect data in use. TDX, however, is much broader in scope: it isolates entire virtual machines rather than individual application enclaves, and so covers a wider range of workloads, such as AI in virtualized environments.
According to Mercury Research, Intel is a strong player in the server hardware market with an 82.5% x86 server market share in the third quarter of last year; its closest competitor AMD had a 17.5% market share.
As of 2023, there are over 100 million Intel Xeon processors worldwide, powering server platforms and enterprise desktop computing hardware.