AMD Infinity Guard - Max Fang's Notes

# AMD Infinity Guard Links: [[AMD]], [[AMD SEV]], [[EPYC]], [[Confidential Computing]] ## See also ### - [[AMD SEV]] ### - [[AMD SEV-SNP]] ### - [[AMD SME]] ### - [[EPYC]] **Differentiation** ![[AMD SEV#Differentiation]] ## [AMD Infinity Guard Infographic](https://www.amd.com/en/campaigns/epyc-infinity-guard-infographic) *AMD EPYC™ processors are designed with a sophisticated suite of security features called AMD Infinity Guard. Built-in at the silicon level, it offers the advanced capabilities required to help defend against internal and external threats – all with minimal impact to system performance.* - very high level intro ## [AMD Infinity Guard](https://www.amd.com/en/technologies/infinity-guard) (Main page) *A modern multi-faceted approach to data center security.* #### Integrated cloud providers - **[[Google Cloud]]:** Google’s Confidential VMs and Confidential GKE Nodes enable AMD Secure Encrypted Virtualization to help deliver confidential computing for the cloud. - [Blog](https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms) - [Product brief](https://www.amd.com/en/processors/google-cloud-platform-confidential-vms) - **[[VMware]]:** VMware® [vSphere 7.0U1](https://blogs.vmware.com/vsphere/2020/09/vsphere-7-update-1-amd-sev-es.html) enables SEV and SEV-ES to provide customers with a high-performance and security-enhanced virtualization experience for the modern data center. - [Blog](https://community.amd.com/community/amd-business/blog/2020/09/29/introducing-confidential-computing-for-private-clouds) - **[[Azure|Microsoft Azure]]:** Ensure your business-critical data is secured while in use by leveraging Azure’s leading confidential computing infrastructure and services. - [Blog](http://aka.ms/AMDCCBlog) ### Overview **AMD Infinity Guard** Built-in at the silicon level, AMD Infinity Guard offers the advanced capabilities required to help defend against internal and external threats and keep your data safe with virtually zero impact to system performance. **Secure Encrypted Virtualization** With Secure Encrypted Virtualization (SEV), AMD EPYC™ processors helps safeguard privacy and integrity by encrypting each virtual machine with one of up to 509 unique encryption keys known only to the processor. This aids in protecting confidentiality of your data even if a malicious virtual machine finds a way into your virtual machine’s memory, or a compromised hypervisor reaches into a guest virtual machine. [WATCH VIDEO (5 COMMON QUESTIONS ABOUT SEV)](https://www.youtube.com/watch?v=ext3DF_O-5E&feature=youtu.be) **Secure Nested Paging** The new 3rd Gen AMD EPYC™ processors feature the latest advancement in AMD SEV technologies called Secure Nested Paging (SEV-SNP). SEV-SNP adds strong memory integrity protection capabilities to help prevent malicious hypervisor based attacks like data replay, memory re-mapping, and more in order to create an isolated execution environment. [READ THE WHITE PAPER](https://www.amd.com/en/processors/amd-secure-encrypted-virtualization) **Secure Memory Encryption** Today, many security threats come from inside an organization’s walls. Secure Memory Encryption (SME) helps protect against attacks on the integrity of main memory (such as cold-boot attacks) because it encrypts the data. High-performance encryption engines integrated into the memory channels help speed performance. All of this is accomplished without modifications to your application software. **AMD Shadow Stack** With 3rd Gen AMD EPYC™ Processors, AMD Shadow Stack provides hardware-enforced stack protection capabilities to help guard against malware attacks. This security feature addresses threat vectors such as return oriented programming attacks. It helps by keeping a record of the return addresses so a comparison can be made to ensure integrity is not compromised. In addition, AMD Shadow Stack enables Microsoft® hardware enforced stack protection. **AMD Secure Boot2** The AMD Secure Boot feature (or platform secure boot) is a mitigation for firmware advanced persistent threats. It is a defense-in-depth feature designed to provide greater security in response to growing firmware-level attacks being seen across the industry. AMD Secure Boot extends the AMD silicon root of trust to help protect the system BIOS. This helps the system establish an unbroken chain of trust from the AMD silicon root of trust to the BIOS using AMD Secure Boot, and then from the system BIOS to the OS Bootloader using UEFI secure boot. This feature helps defend against remote attackers seeking to embed malware into firmware. In virtualized environments, it can also be used when cryptographically verifying the software stack loaded on a cloud server. AMD believes that the powerful layer of defense provided by enabling AMD Secure Boot provides an improved layer of security to platforms.