Skip to main content

Intel is finally improving its CPU security

(Image credit: Intel)

Intel is promising to bring full memory encryption to it processors, a revelation it made at the company's Security Day event this week. The feature is similar to what AMD already offers on its CPUs, though it won't necessarily make Intel's chips less susceptible to side-channel attacks similar to Spectre and Meltdown.

Those kinds of exploits leverage vulnerabilities in various techniques employed by processors, including out-of-order execution (OOOE), branch prediction, and speculative execution, all of which are designed to improve performance. We posted an in-depth guide on what you need to know about Meltdown and Spectre CPU exploits, and you should check it out if you haven't already.

Memory encryption can help with those kinds of attacks, but as pointed out by our friends at Tom's Hardware, researchers have warned (PDF) that it is not enough to completely thwart side-channel attacks. However, it's not without its benefits.

One way Intel protects its chips from attacks is through a feature called Software Guard eXtensions (SGX). Available in both enterprise and consumer processors, SGX is a hardware encryption technology that acts as a "secure enclave" within a memory section, but only for small amounts of data.

Arstechnica offers a thorough rundown of the technical details, but in short, SGX has some limitations—it can only run on Intel processors, developers have to design their applications to specifically leverage SGX, and developers must also choose which parts of data are marked "confidential" since they have to work with a memory limit of just 128MB.

In contrast, AMD's Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) features are more flexible. All system RAM can be encrypted with SME, without any special considerations imposed on application developers. And not only is AMD's implementation more flexible than SGX, the performance impact is smaller, too.

Intel is looking to rectify this with a pair of features called Total Memory Encryption (TME) and Multi-Key Total Memory Encryption (MKTME). TME and MKTME do not exist in actual CPU hardware yet, but will at some point, according to Intel.

While not specifically mentioned at the Security Day event, this is about bringing parity to AMD's processors, and perhaps even surpassing AMD's method of protecting memory. When these arrive, they will support encrypting regular memory, volatile DRAM, and persistent/non-volatile memory such as 3D Xpoint.

It's too early to tell what this will mean for consumers, and it doesn't sound like it will be available with imminent CPU launches, such as Comet Lake. It's definitely something we'll be keeping our eyes on, though.

Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).