Total Memory Encryption from Intel – Intel TME for Ice Lake CPUs

The competition between AMD and Intel regarding security technologies is something all of us are aware of. As you would have witnessed already, AMD has provided three security technologies for enterprise customers.

One such option includes Secure Memory Encryption (SME) and its subsets Transparent SME (TSME) and Secure Encrypted Virtualization (SEV).

High-level Architecture of MKTME

SME is designed as per-page memory encryption using a dedicated AES Engine. The other options would include Transparent SME (TSME) for their Ryzen PRO workstation processors.

The TSME is designed to work precisely in the same manner as the SME but does not modify the legacy software whatsoever. The third option, SEV, is what is intended to be an option to let the guest virtual machines run under SME.

They do so with a private key. These keys are managed and handled by the Secure Processor (AMD-SP), an ARM Cortex-A5 MCU by AMD. You would find it working as a dedicated security subsystem.

The Total Memory Encryption from Intel – Intel’s answer to AMD

Designed to rival the AMDs new security technologies, the Total Memory Encryption from Intel should be the first revision of the new memory encryption feature from the brand.

The technology comes with two new extensions for x86 –

• Total Memory Encryption (TME) – The base extension which provides full physical memory encryption
• Multi-Key Total Memory Encryption (MKTME) – An extension of TME that adds support for multiple keys

It should be noticed that these two new extensions have nothing to do with the Software Guard Extensions (SGX) and are entirely different.

The TME, which acts as a base extension, works to provide the basic functionality for memory encryption in its entirety. It involves creating a single 128-bit key for encrypting all the data sent on the external memory bus.

This key is generated by the microprocessors and is unknown to the software. The second extension, the Multi-Key Total Memory Encryption (MKTME), crates on the TME and offers an option for multiple keys. This will help achieve page-level granular encryption of the data.

The extension can be an excellent option for multiple virtualization requirements as well. These extensions tend to be highly flexible and work with even the non-volatile memory.

How are these technologies implemented?

If you are someone who knows the chips and extensions, you would indeed find that the TME and MKTME extensions are pretty complex when you compare them to the SME and relevant technologies from AMD.

The AMD encryption technique uses a single C-bit to mark encrypted pages, and the SEV extends this capability to guest page tables. In the case of the Intel implementation, Intel prefers a whole KeyID to be stored in the physical address.

This can be a great option that can help let a few complex programs operate with their private memory. You will also achieve multiple different private pages with multiple keyIDs.

You would also find that the two have flexibility involved them. Even when they have the option for one mode, there are provisions for future algorithms.

The Intel implementation is designed and is currently focused on DRAM and NVRAM. However, we expect the technology to be extended to other storage devices.

Intel has not yet implemented this extension, and there is no word on when it wants to implement the same. The specifications and details are currently at a very early stage, and we will look ahead to the changes when it is finally implemented.

You can find more details on the new extension here.