Cloud Hosting

Andy Patrizio is a freelance technology writer based in Orange County, California. He's written for a variety of publications, ranging from Tom's Guide to Wired to Dr. Dobbs Journal.

Your message has been sent.

There was an error emailing this page.

While everyone is talking about the impressive performance potential and scale of AMDs new Epyc server chips, overlooked in all the hoopla are the security features of the chip that may prove just as appealing.

To start off, there is the tag team of Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). Secure Memory Encryption allows for full encryption of data stored in DRAM, and SEV allows individual virtual machines to be assigned a unique cryptographic key, thus isolating them from each other as well as the OS hypervisor and administrator layer. These functions are based on a hardware security processor attached to the memory controller with a 128-bit AES encryption engine.

That means you can have full memory encryption on virtualized machines, something that will be greatly appreciated by cloud services providers. It will let them assure customers that the memory and the virtual machines that live on their clouds are completely secured in a multi-tenant environment.

Where SME is designed for memory, SEV is specifically aimed at VMs and is designed to keep them from cross-contamination, since each VM has its own encryption key. It also allows unencrypted VMs to run alongside encrypted ones, which is a new option. Up to now, its been either/or, all-or-nothing. The keys are transparent to the VMs and managed by the protected hypervisor.

SVE doesnt just work for static VMs; it also supports migrating VMs from one server to another while maintaining encryption throughout the process.

Then there is the Platform Security Processor (PSP), an ARM Cortex-A5 core on the Epyc die that controls the boot process and system security, and basically operates similar to Intels Management Engine in the Xeon. It provides secure boot and has full TPM functionality.

The one question unanswered is how much of a performance hit this will incur. Encryption is never a fast process regardless of processor, and now you are talking about encrypting the contents of memory, which are going to be constantly changing. AMD does give the option of turning SEV and SME on or off, and you can do it while the server is running without a restart.

Of course, this hardware isnt terribly useful until Microsoft, VMware, Citrix, Red Hat and other Linux distros support it. Once the software enters the market, then that encryption will be truly useful. For now, though, AMD has a security story that Intel cant quite match.

Andy Patrizio is a freelance journalist based in southern California who has covered the computer industry for 20 years and has built every x86 PC hes ever owned, laptops not included.

Sponsored Links

Read more:
Epyc win for AMD in the server security battle - Network World