Epyc win for AMD in the server security battle

The Epyc server chip’s built-in security may prove as advantageous as its performance

Epyc win for AMD in the server security battle
Gary Silcott/AMD

While everyone is talking about the impressive performance potential and scale of AMD’s new Epyc server chips, overlooked in all the hoopla are the security features of the chip that may prove just as appealing.

To start off, there is the tag team of Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). Secure Memory Encryption allows for full encryption of data stored in DRAM, and SEV allows individual virtual machines to be assigned a unique cryptographic key, thus isolating them from each other as well as the OS hypervisor and administrator layer. These functions are based on a hardware security processor attached to the memory controller with a 128-bit AES encryption engine.

+ Also on Network World: AMD launches its Epyc server chip to take on Intel in the data center +

That means you can have full memory encryption on virtualized machines, something that will be greatly appreciated by cloud services providers. It will let them assure customers that the memory and the virtual machines that live on their clouds are completely secured in a multi-tenant environment.

Where SME is designed for memory, SEV is specifically aimed at VMs and is designed to keep them from cross-contamination, since each VM has its own encryption key. It also allows unencrypted VMs to run alongside encrypted ones, which is a new option. Up to now, it’s been either/or, all-or-nothing. The keys are transparent to the VMs and managed by the protected hypervisor.

SVE doesn’t just work for static VMs; it also supports migrating VMs from one server to another while maintaining encryption throughout the process.

Then there is the Platform Security Processor (PSP), an ARM Cortex-A5 core on the Epyc die that controls the boot process and system security, and basically operates similar to Intel’s Management Engine in the Xeon. It provides secure boot and has full TPM functionality.

The one question unanswered is how much of a performance hit this will incur. Encryption is never a fast process regardless of processor, and now you are talking about encrypting the contents of memory, which are going to be constantly changing. AMD does give the option of turning SEV and SME on or off, and you can do it while the server is running without a restart.

Of course, this hardware isn’t terribly useful until Microsoft, VMware, Citrix, Red Hat and other Linux distros support it. Once the software enters the market, then that encryption will be truly useful. For now, though, AMD has a security story that Intel can’t quite match.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10