Intel To Expand SGX Support For Xeon, Extend Hardware Security Capabilities

'This will greatly expand the number of usages that will be able to leverage advanced application isolation capabilities,' says Anil Rao, Intel's vice president of data center security and systems architecture, in a blog post on the security enhancements..

Intel is promising greater hardware security capabilities for the company's Xeon server processors that include full memory encryption and virtual machine isolation.

At RSA 2020, the Santa Clara, Calif.-based company unveiled plans to extend Intel Software Guard Extensions (SGX)—the chipmaker's hardware-based method for executing applications in trusted enclaves—to a "broader line of mainstream server platforms, with larger protected enclaves."

[Related: Intel Makes 5G Play With Wide Range Of New Chips]

The company also promised to extend SGX to accelerator products like FPGAs in the future.

"This will greatly expand the number of usages that will be able to leverage advanced application isolation capabilities," Anil Rao, Intel's vice president of data center security and systems architecture, said in a blog post announcing the security enhancements.

An Intel spokesperson told CRN that the company will share more specific details on which Intel products will receive the extended hardware security capabilities closer to launch.

As for other security enhancements coming to Intel processors, the company promised virtual machine and container isolation, so that virtual machines and containers can be isolated from each other as well as the cloud service provider and hypervisor without the need to modify application code.

Full memory encryption is also coming to Intel processors, granting the ability to protect against physical memory attacks through hardware-based encryption.

"To provide even more choice, we’ll also bring full memory encryption to help protect against additional styles of physical-based attacks and streamline VM [virtual machine] and container isolation, which will bring 'easy button' memory protections for virtualized environments," Rao said.

To protect against firmware-based attacks, Intel plans to introduce a new FPGA-based offering called Intel Platform Firmware Resilience. Also known as PFR, the new offering protects platform firmware components by "monitoring and filtering malicious traffic on the system business, verifying the integrity of platform firmware images before any firmware code is executed, and even restoring corrupted firmware to a known-good state from a protected gold recovery image," according to Rao.

"We like to simplify this all by saying Intel Platform Firmware Resilience protects, detects and corrects," he said.

Kent Tibbils, vice president of marketing at ASI, a Fremont, Calif.-based Intel partner, said if Intel can introduce security improvements without impacting performance, it will be embraced by the channel.

"The more they can do that at a hardware level, that always makes things a lot stronger, or should we say 'more difficult,' for someone to hack [into a server]," he said.