AMD’s secure CPUs & cloud hosting - SEV, TSME & SME

As we continue to progress and constantly evolve in terms of the technology surrounding us, privacy and security are becoming quite the expensive commodity that not many of us can afford. There are dangers and exploits lurking in every device, be it inside of its software, operating system or hardware.

Consequently, this leads to us as users needing to find a suitable and sustainable way to protect ourselves, which is why a large majority of online users have begun to utilize encryption and implement it where possible into their daily lives, devices and applications that they use.

The field of hosting and servers in general are no exception to this. When it comes to hosting, there are many concerns and problems that are circulating in relation to server and information security.

Cloud hosting and virtual machine instances are usually the most discussed point of concern owing to the popularity of this hosting option and its many presumed ‘exploits’ and ‘vulnerabilities’. This is because virtual machine (VM) instances can be susceptible to being compromised, which can lead to sensitive information such as credit card details and user data being obtained and stolen.

However, with AMD’s 7000 series processors, these concerns should no longer be worrying, because of the new and improved security technology that the CPUs implement to encrypt data and prevent it from falling into the wrong hands.

What led to such encryption standards being implemented?

Hardware bugs and software errors have been a very hotly-debated topic over the last couple of years, especially due to the events featuring the public reveal of the Spectre and Meltdown vulnerabilities. But what are these so-called vulnerabilities? 

Spectre allows random allocated memory locations to be read, while Meltdown refers to a process that can read all of the memory inside of a given system. Both of them enable hackers to extract sensitive information and encryption keys, which can then be utilized to compromise the entire system. Such vulnerabilities, in addition to other factors such as physical attacks and software breaches have pushed the industry to develop new CPUs that needed to be stronger and substantially more secure. This is where AMD’s CPUs come to the forefront, being labeled as the next generation of security.

AMD’s secure processing units

In order to step up their game and ensure that their CPUs will be designed to protect information at the hardware level, AMD implemented a number of innovative solutions into their processing units.

Firstly, they introduced a separate security core processor - the ARM Cortex-A5, whose main function is to manage encryption key generation and their storage. Not only that, but it is also instructed to ensure that the process of loading a trusted operating system is also done efficiently and securely.

Secondly, the CPUs from these series have a built-in DRAM encryption function that uses the AES-128 algorithm. The encryption in itself is fully performed at the level of the hardware by the memory controllers and it ensures that data stored in the dynamic random access memory is also safe.

TSME, SME and AMD’s initial answer to security concerns

To secure the memory of any machine utilizing AMD CPUs, the company introduced TSME, abbreviated from transparent secure memory encryption, is an instruction set, developed to protect against physical memory attacks. One such example of a physical memory incursion is the infamous cold-boot attack. It involves spraying memory modules with special cooling sprays to bring their temperature down to a significantly low number, which ultimately prevents the system from resetting any information that is contained in the memory cells during the time of the attack. This, consequently, allows the attacker to attach an external module to the system and extract information that the memory dump might contain such as passwords, other credentials and most importantly encryption keys.

With TSME active, the CPU changes said encryption keys every time it is loaded, meaning that such cold-boot attacks are useless, thanks to the fact that even if the information is somehow obtained, it will still be in an encrypted format.

SME - secure memory encryption, essentially is what TSME builds on. SME also helps protect versus physical attacks on memory but it involves having a single key that is used to encrypt system memory. This key, however, does not change once the system is booted. This process  of encrypting using SME is quite dependent on the OS. The Linux kernel for example does support SME, but disables it by default, meaning that it needs to be manually activated. Windows, on the other hand, does not support it, resulting in the OS needing to use TSME, hence why it was developed as an extension.

Memory scrambling, which involves splitting up the data into random patterns, is also supported, which in turn, makes it even more difficult for data inside of the DRAM to be obtained. You can also make use of this feature along with the others to enhance the overall security. Memory scrambling can be enabled by accessing a secret tab in the BIOS.

Overall, TSME, SME encryption & memory scrambling do not impact the performance of any application, hosted on a virtual machine, making AMD’s security-oriented CPUs a very good option for cloud hosting. But what really makes such CPU’s the ideal choice for hosting provider is actually the secure encrypted virtualization, referred to as SEV, feature that CPUs from the series come equipped with.

Secure encrypted virtualization - perfect for virtual machines

AMD’s SEV feature is designed to help protect virtual machines from not only themselves, but also from unwanted administrator tampering as well as from the hypervisor by encrypting data at a hardware level.

The way in which SEV works is simple - a special key is generated for each virtual machine (or groups of VMs) and for the hypervisor. This enables the hypervisor to be cryptographically isolated from the virtual machines, ensuring that it does not have access to any of the keys of the VMs.

This is important because even if a hacker does manage to breach the hypervisor, they will not be able to extract the information associated with any given VM instance. Even if they are somehow capable of grabbing a hold of the information, it will remain in its encrypted format, because when the CPU processes data from any virtual machine, it marks the information with specific tags, which are only relevant to that particular VM instance.

Furthermore, when data is received or created within the CPU, it remains available and accessible for only that concrete VM in spite of the location. This access also includes all levels of cache, meaning  that the data is thoroughly encrypted throughout all sections of memory. Moreover, SEV also encrypts the section of RAM that is allocated to each VM, which again goes to show that it covers all memory areas.

Due to all of this encryption, neither the operating system, nor the hypervisor can get access to the memory sections of the virtual machine that is being processed by the CPU. And as we mentioned already, this ultimately results in the data being safeguarded from other VMs while also being protected and shielded from the environment.

Finally, SEV works independently from both TSME & SME, meaning that you can easily combine both mechanisms to ensure maximum protection from physical and internal attacks.