
Intel Memory Encryption Technologies [pdf] - ingve
https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf
======
mtgx
Seems similar to the technologies already adopted by AMD's Ryzen (EPYC):

[https://www.anandtech.com/show/11551/amds-future-in-servers-...](https://www.anandtech.com/show/11551/amds-future-in-servers-new-7000-series-cpus-launched-and-epyc-analysis/3)

------
Sephr
I'd rather they opened up Intel CAT to consumer products to help protect
against side channel attacks. Memory encryption isn't enough and doesn't
address current exploits that are already being used against VM providers.

~~~
ENOTTY
I'm not aware of any stories of side-channel attacks being executed in the
wild. Do you have links to any such post-mortems?

~~~
cperciva
The sorts of organizations which get targeted by attackers sophisticated
enough to use side channel attacks generally don't publish post-mortems.

But I've heard enough through unofficial channels to be very very confident
that such attacks are indeed taking place.

------
cypherpunks01
Can someone explain the context here? Is the intended use for this to prevent
a cold boot attack, or does it also provide protection against an active buffer
overflow attack or something?

Intel ME can obviously still look up this key..

~~~
tedunangst
VM isolation. Once the key is set, a subverted hypervisor won't be able to
read other machines' memory. (Modulo side channels...)

------
vectorEQ
too many interfaces for applications to control keys / entropy imo. risky
considering attacks against previous low level interfaces. i'd prefer to see
less control by/from applications. it's even stated in the spec there's a lot
for the programmer to consider and implement to make it really secure.
probably itl or "that bald guy who breaks all low level things" (forget his
name, sorry guy!) will show how to subvert / break this when it gets
implemented more widely.

in my eyes: a root mode hypervisor can break all the things for its guests
(nothing new, but no added benefit for that.) pconfig command might be used to
influence system if BIOS is compromised early on. SOC vulnerabilities will
break this for sure. (and they seem common enough _glares at ME_ ).

Of course, can't complain that they try to add these kinds of layers. change has
to start somewhere! :-)

------
djcapelis
I’m going to keep posting this short tech report until people stop making new
broken shit:
[https://www.ssrc.ucsc.edu/Papers/wasptr-15-03.pdf](https://www.ssrc.ucsc.edu/Papers/wasptr-15-03.pdf)

------
pulse7
IBM z14 (released on July 17, 2017) comes to mind...

