So-called data centers or data centers are usually not found in homes, but in companies that process a large amount of data and need it for their daily work. So there is one in your bank, possibly in the hospital next to you and even in large companies in each sector.
Data protection is therefore not only important, but also remote operation, since many of them allow multiple users to access their content and performance. They do this in virtual machines that run remotely on the server, which keeps the data on the server secure. But let’s not forget that this means that a series of security measures must be implemented at the server level.
Doing it at the software level is much less efficient than doing it at the hardware level, and that’s where we come into AMD’s solution for its EPYC CPUs, the so-called Infinity Guard, which is really usage-based of certain hardware technologies. So let’s see what it is based on and how it works.
What is AMD Infinity Guard?
To begin with, we must clarify that this is not software related to an exclusive function of the processor. Nor is it a specific material that is given such a name. Instead, Infinity Guard is based on a series of modifications to existing CPU elements to improve security and data integrity on the server.
AMD EPYC processors are based on two elements within the processor, the first is the AMD Secure Processor which is located in the Northbridge or SDF of the processor. This microcontroller is the hardware component with the highest level of privilege of all components in the unit when it comes to accessing both RAM and peripherals and is responsible, among other things, for providing the data encryption, password generation and management.
The second element is a data encryption system in AES-128 format that is located in the memory controller or IMC, which is responsible for encrypting and decrypting data when provided with the necessary key. There are up to 8 encryption and decryption codecs in total, one for each memory channel used by the processor. This change is not small, because if it were made directly from the CPU it would not only be less secure, but it would also require the power of several cores, let’s not forget that we are talking about tens of encrypted gigabytes per second in terms of bandwidth.
These changes are exclusive to AMD’s line of server and data center processors and are not found in its Ryzen laptop and desktop processors or Threadripper workstation processors.
How it works?
The AMD Secure processor in EPYC processors performs a series of security measures to ensure data security and not hand over control of the data center to a virtual machine running with malicious intent. In combination with the memory controller and AES-128 encryption, it always performs the following measures transparently to the operating system and applications.
- When the system is started internally, it generates a private-use key, which is generated in the secure processor and passed to the memory controller to encrypt all system information. This is done without any involvement of the operating system and completely transparent to it.
- Each virtual machine running on the server not only runs in isolation, but also has its own key. Thus, the data that each of them handles can only be those encrypted with their key. This prevents them from accessing the memory space of the hypervisor, which would be detrimental to security.
- When a virtual machine is closed on a server with an AMD EPYC processor, it encrypts the information in the processor registers and from the secure processor, it runs a check on their state to verify that an illegal operation has not been carried out.
Additionally, the memory controller keeps track of all the physical addresses accessed by the various virtual machines on the server. This gives it strength against so-called Return-Oriented Programming type attacks. These are extremely common in environments where access to RAM is closely guarded and monitored.
Transparent to the operating system
The AMD EPYC Infinity Guard, by working completely transparently and performing all of its functions at the hardware level, requires no intervention from the operating system. In addition, the secure processor and the integrated memory controller work hand in hand so that the central processor does not even have to intervene in the various Infinity Guard processes.
So whether the server uses GNU/Linux, Windows or even a version of Unix BSD as its operating system, Infinity Guard will always work. In the same way, you also don’t need to use the apps to benefit from it. Of course, it is necessary to activate it in the BIOS of the server for it to work, since it is not activated by default.
In conclusion, this is a series of hardware-level security measures that AMD implements in its AMD EPYC processors that have been designed for the highest possible security in a data center. Which is a point that doesn’t matter to a typical PC user, but at the corporate and state level where totally sensitive data is handled.