Intel's New SGX Card Gives Data Centers Hardware-Based Security

Intel is giving data center operators a new way to add hardware-based security to their servers that allows applications to securely run in untrusted environments.

The Santa Clara, Calif.-based company announced on Wednesday ahead of RSA 2019 that it will release a new server component called the Intel SGX Card, which gives servers the security capabilities offered by Intel Software Guard Extensions, a technology also known as Intel SGX that has had two reported vulnerabilities within the last six months.

[Related: Intel Hardware Fixes For Spectre, Meltdown & More: What We Know]

Introduced in 2013, Intel SGX is a set of instruction codes within a processor that protects SGX-enabled applications from disclosure or modification by running them in "processor-hardened enclaves." The instruction set is meant to improve the security of the application, so that they can even run on untrusted platforms that become compromised.

However, SGX is only included in Intel's Xeon E and Xeon E3 processors on the server side at the moment, meaning that data center operators using other kinds of Xeon CPUs, including Xeon Scalable Processors, cannot benefit from SGX-enabled applications.

Jim Gordon, general manager of Intel's security ecosystem strategy and development, told CRN that the Intel SGX Card is meant to give data center operators the ability to benefit from SGX-enabled applications without having to wait for future Xeon CPUs that support the technology.

"Many partners and customers want it now," Gordon said of SGX, "but they don't have the intent to refresh their entire infrastructure to get that [capability]."

The Intel SGX Card, which will fit in a PCI slot, is due out later this year. The company said pricing details will be available at a later date.

Supported use cases for Intel SGX includes protecting keys on a local file system, securing analytics workloads, securing edge devices and cloud communications and hardening endpoint security, according to an Intel webpage. Cloud providers that support Intel SGX include Microsoft Azure, IBM Cloud Data Guard, Alibabe Cloud and Baidu.

One software vendor that supports Intel SGX is Fortanix, a San Francisco-based startup that has raised funding from Intel's venture capital arm, Intel Capital. Fortanix's products include the Runtime Encryption Platform, SGX-enabled software that allows organizations to run sensitive workloads in untrusted environments, such as public cloud servers.

As part of Wednesday's announcement, Intel said that Fortanix has launched the Enclave Development Platform, an open-source software development kit that allows developers to build SGX enclaves using the Rust programming language.

Intel also announced a new SGX capability called "flexible launch control" that allows data center operators to set and manage "their own unique security policies for launching enclaves as well as providing controlled access to sensitive platform identification information."

Barrett Lamothe, federal sales team lead at MicroAge, a Tempe, Ariz.-based Intel partner, said he was intrigued by the benefits Intel SGX could bring to data center operators and their customers. With Intel planning to release more Xeon processors that support SGX, he said he wouldn't be surprised if adoption ramps up in the data center.

"If Intel builds the chips with the functionality on it, then the question becomes, 'why aren’t you taking advantage of this reference architecture to further secure data?'" he said.

Dominic Daninger, vice president of engineering at Nor-Tech, a Burnsville, Minn.-based Intel partner that sells high-performance computing servers, noted that Intel SGX has been in the news recently because of two vulnerabilities reported by research groups.

The first vulnerability, known as Foreshadow, was among the group of speculative executive exploits reported last year that included Meltdown and Spectre. One variant of Foreshadow, also known as L1 Terminal Fault, involved a security hole in Intel SGX. The company at the time of Foreshadow's disclosure said that the vulnerability could be mitigated through new updates issued by operating system and hypervisor vendors, as well as patches from Intel.

The second vulnerability, reported in February, allows malicious code to run on SGX enclaves, meaning that it couldn't be detected or analyzed by antivirus programs. At the time of the vulnerability's disclosure, Intel said in a statement that it is "aware of this research which is based upon assumptions that are outside the threat model for Intel SGX."

"The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source," Intel said. "In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources."