putting on a brave face —

Intel promises Full Memory Encryption in upcoming CPUs

Intel's security plans sound a lot like "we're going to catch up to AMD."

At Intel's Security Day event on Tuesday, the company laid down its present and future vision for security-focused features in its hardware.

Intel's Anil Rao and Scott Woodgate opened their presentation with a present-and-future discussion of Intel's SGX (Software Guard Extensions), but their coverage of the company's plans to bring Full Memory Encryption to future Intel CPUs was more interesting.

Software Guard Extensions

Intel SGX—announced in 2014, and launched with the Skylake microarchitecture in 2015—is one of the first hardware encryption technologies designed to protect areas of memory from unauthorized users, up to and including the system administrators themselves. SGX is a set of x86_64 CPU instructions which allows a process to create an "enclave" within memory which is hardware encrypted. Data stored in the encrypted enclave is only decrypted within the CPU—and even then, it is only decrypted at the request of instructions executed from within the enclave itself.

As a result, even someone with root (system administrator) access to the running system can't usefully read or alter SGX-protected enclaves. This is intended to allow confidential, high-stakes data processing to be safely possible on shared systems—such as cloud VM hosts. Enabling this kind of workload to move out of locally owned-and-operated data centers and into massive-scale public clouds allows for less expensive operation as well as potentially better uptime, scalability, and even lower power consumption.

Intel's SGX has several problems. The first and most obvious is that it is proprietary and vendor-specific—if you design an application to utilize SGX to protect its memory, that application will only run on Intel processors. The second is that you must design your application around SGX—you can't just flip a switch and turn it on.

SGX enclaves are also limited in size. All enclaves on a system must fit into the Enclave Page Cache, which is currently limited to 128MiB total—not 128MiB per process. Obviously, you can't fit entire operating systems—or even most containers—in only 128MiB, which means that application developers must make careful and extremely difficult decisions about which parts of memory are "confidential" and which are not.

IBM's Danny Harnik tested several functions inside SGX enclaves, including sgx_sha256_msg, provided by the Intel sgxsdk API.
IBM's Danny Harnik tested several functions inside SGX enclaves, including sgx_sha256_msg, provided by the Intel sgxsdk API.

Finally, there are potentially severe performance impacts to utilization of SGX. IBM's Danny Harnik tested SGX performance fairly extensively in 2017, and he found that many common workloads could easily see a throughput decrease of 20 to 50 percent when executed inside SGX enclaves.

Harnik's testing wasn't 100 percent perfect, as he himself made clear—in particular, in some cases his compiler seemed to produce less-optimized code with SGX than it had without. Even if one decides to handwave those cases as "probably fixable," they serve to highlight an earlier complaint—the need to carefully develop applications specifically for SGX use cases, not merely flip a hypothetical "yes, encrypt this please" switch.\

Full Memory Encryption

This looks like an advertisement for AMD Epyc processors, until you get to that bright yellow "solutions available today" box and realize we're talking about Intel.
Enlarge / This looks like an advertisement for AMD Epyc processors, until you get to that bright yellow "solutions available today" box and realize we're talking about Intel.

For the moment, Software Guard Extensions are the only Intel offering available. But after discussing real-world use of SGX, Rao moved on to future Intel technologies—specifically, full-memory encryption. Intel refers to its version of full-memory encryption as TME (Total Memory Encryption) or MKTME (Multi-Key Total Memory Encryption). Unfortunately, those features are vaporware for the moment. Although Intel submitted an enormous Linux kernel patchset last May for enabling those features, there are still no real-world processors that offer them.

With no TME or MKTME enabled processors available, it makes sense to explain the basic technological concepts using the similar technologies that do exist today—AMD's SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization). For obvious reasons, this wasn't a part of Intel's presentation—but it's the only way to talk about the concepts in an already-implemented, real-world sense.

In 2016, AMD proposed a new technology to secure memory from unauthorized users, called SME (Secure Memory Encryption). Unlike Intel's SGX, SME would allow any page in RAM to be encrypted and decrypted in hardware. Any page marked for encryption would be encrypted with an ephemeral 128-bit AES key—generated via hardware RNG (random number generator) at each reboot. These ephemeral keys are only accessible to the CPU hardware itself and cannot be exposed to users (including root or system administrator level users).

SME, like SGX, requires some planning on the part of developers. However, a stricter subset of SME, called TSME—Transparent Secure Memory Encryption—would allow for the entirety of system RAM to be encrypted using SME. As an entire-system feature, TSME is enabled or disabled in system BIOS (or UEFI), and it requires no special planning on the part of application developers—once enabled, everything's encrypted, and that's all there is to say about it.

In this HASP 2018 presentation, researchers from Wayne State University and the University of Houston demonstrated negligible performance impact from enabling AMD Secure Encrypted Virtualization.
Enlarge / In this HASP 2018 presentation, researchers from Wayne State University and the University of Houston demonstrated negligible performance impact from enabling AMD Secure Encrypted Virtualization.

AMD's approach to memory encryption also involves far less performance impact than Intel SGX. In a 2018 presentation, researchers from Wayne State University and the University of Houston showed most workloads entirely unimpacted by Secure Encryption Virtualization (a subset of AMD's SME that allows whole-VM encryption, with a separate key used for each covered virtual machine), despite significant performance impacts with Intel's SGX.

Since Intel's TME and MKTME are—for the moment—still hypothetical, it's too soon to make any bold predictions about what their performance impact will be. But with AMD's example in front of us, it seems reasonable to expect they should have little real performance impact in use, unlike SGX.

Conclusions

This is probably a difficult time to give exciting presentations on Intel's security roadmap. Speculative prediction vulnerabilities have hurt Intel's processors considerably more than their competitors', and the company has been beaten significantly to market by faster, easier-to-use hardware memory encryption technologies as well.

Rao and Woodgate put a brave face on things by talking up how SGX has been and is being used in Azure. But it seems apparent that the systemwide approach to memory encryption already implemented in AMD's Epyc CPUs—and even in some of their desktop line—will have a far greater lasting impact. Intel's slides about their own upcoming full memory encryption are labeled "innovations," but they look a lot more like catching up to their already-established competition.

Listing image by Intel Corporation

Channel Ars Technica