AMI TruE® Trusted Environment Platform Security Solution for Confidential Computing in Cloud and Edge

Overview

A quick scan of recent news headlines, such as the attack on US company SolarWinds that reportedly affected hundreds of enterprises and government agencies, confirms that hackers continue to develop new methods of gaining persistent, undetectable control over systems that hold valuable information, and of siphoning that information off for nefarious purposes.

Due to its privileged level of execution, and because operating systems and security software have difficulty detecting unauthorized changes to it, system firmware is quickly becoming the newest and most prominent target for malicious actors, making it an area that demands increasing focus from security experts, system manufacturers and others. Intel TXT and TPM, coupled with a compliant BIOS, provide firmware integrity assurance through remote attestation, giving confidence that the current firmware is not compromised.

Yet is that sufficient? What if a malicious hacker can access RAM content, exposing any data or workload running on that platform? Is there a more reliable solution that protects data in use?

Securing Cloud & Edge Workloads

Cloud adoption has accelerated, thanks in part to recent COVID-induced remote work and learning needs. One result of this growth is that workloads from competing businesses are often running on the same hardware that is hosted by a cloud vendor. The overarching question for administrators in these datacenters and cloud service providers is how to assure their customers that their workloads are protected from other tenants running on the same platform. What options are available to these customers to confidently move their compute workloads to the cloud?

For similar reasons, end users’ expectations of network bandwidth and latency have increased tremendously. To meet this demand, telco and datacenter operators continue to add edge infrastructure. Yet with increased remote infrastructure comes the concern of securing the workloads running on this remote hardware. How can a telco service provider be confident that their workloads are secure even if their remote infrastructure is compromised?

To address these security and trust challenges, the AMI TruE™ Trusted Environment Platform Security Solution leverages Intel® Software Guard Extensions (Intel® SGX) and Intel® Security Libraries for Data Centers to deliver a true trusted environment for confidential computing and secure cloud and edge workloads – read on to learn how!

Intel® Software Guard Extensions

Intel® Software Guard Extensions (Intel® SGX) delivers runtime protection of workloads using hardware-based memory encryption that isolates specific application code and data in memory. It allows user-level code to allocate private regions of memory, called SGX enclaves, that are designed to be protected from processes running at higher privilege levels.

Code and data in an SGX enclave are encrypted by a cryptographic key generated in the CPU package. They are decrypted only when they reach the confines of the CPU package. The code and data in an enclave cannot be leaked to any software on the platform – including privileged software like the OS kernel, the Virtual Machine Manager (VMM), the system BIOS or other system firmware. SGX attestation allows a remote party to verify that an SGX enclave is genuine. To support attestation at runtime, specific actions need to be taken by the enclave’s developer, the datacenter owner, and the remote party.
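To make the remote party's role in attestation concrete, here is an added example (written for this article, not AMI or Intel code) of the policy a relying party applies to the enclave identity fields of a DCAP (version 3) SGX quote once the Quote Verification Service has validated its signature and PCK certificate chain. The field offsets follow Intel's published sgx_report_body_t layout; the convention of placing a verifier-chosen nonce in the first 32 bytes of REPORTDATA, the allowlisted signer and the minimum ISV SVN are assumptions for the example, and the sample quote is constructed, unsigned test data.

```python
import struct
from typing import NamedTuple
# sgx_report_body_t offsets; a DCAP ECDSA quote carries the 384-byte body right after its 48-byte header.
QUOTE_HEADER_LEN, REPORT_BODY_LEN = 48, 384
OFF_ATTRIBUTES, OFF_MRENCLAVE, OFF_MRSIGNER = 48, 64, 128
OFF_ISVPRODID, OFF_REPORTDATA = 256, 320   # ISVPRODID u16 is followed by ISVSVN u16
ATTR_FLAG_DEBUG = 0x2   # ATTRIBUTES.FLAGS bit 1: debug enclave, memory is inspectable

class ReportBody(NamedTuple):
    flags: int
    mrenclave: bytes
    mrsigner: bytes
    isv_prod_id: int
    isv_svn: int
    report_data: bytes

def parse_quote_report_body(quote: bytes) -> ReportBody:
    """Pull the enclave identity fields out of a version-3 (DCAP ECDSA) quote."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN or quote[:2] != b"\x03\x00":
        raise ValueError("not a version-3 DCAP quote of sufficient length")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    flags = struct.unpack_from("<Q", body, OFF_ATTRIBUTES)[0]
    prod_id, svn = struct.unpack_from("<HH", body, OFF_ISVPRODID)
    return ReportBody(flags, body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
                      body[OFF_MRSIGNER:OFF_MRSIGNER + 32], prod_id, svn,
                      body[OFF_REPORTDATA:OFF_REPORTDATA + 64])

def evaluate_policy(rb: ReportBody, trusted_signers: set, min_isv_svn: int,
                    nonce: bytes) -> list:
    """Relying-party policy over the report body; an empty list means accept."""
    problems = []
    if rb.flags & ATTR_FLAG_DEBUG:
        problems.append("enclave was launched in DEBUG mode")
    if rb.mrsigner not in trusted_signers:
        problems.append("MRSIGNER is not an allowlisted enclave signer")
    if rb.isv_svn < min_isv_svn:
        problems.append(f"ISVSVN {rb.isv_svn} is below the required {min_isv_svn}")
    if rb.report_data[:32] != nonce:
        problems.append("REPORTDATA does not bind the verifier's nonce (replay?)")
    return problems

def make_sample_quote(mrsigner: bytes, isv_svn: int, flags: int, nonce: bytes) -> bytes:
    """CONSTRUCTED quote (header + report body, no signature) for exercising the policy."""
    header = struct.pack("<HHIHH16s20s", 3, 2, 0, 0, 0, bytes(16), bytes(20))
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<Q", body, OFF_ATTRIBUTES, flags)
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    struct.pack_into("<HH", body, OFF_ISVPRODID, 1, isv_svn)
    body[OFF_REPORTDATA:OFF_REPORTDATA + 32] = nonce
    return header + bytes(body)
```

The quote's cryptographic validity (signature, PCK certificate chain, TCB status) is a separate step performed by the Quote Verification Service; this policy check only decides whether a cryptographically valid enclave is one the relying party is willing to hand secrets to.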

Cloud and telco vendors can use Intel SGX to confidently offload their sensitive data processing to remote untrusted edge infrastructure. Likewise, customers can also be assured that their workloads will be isolated and protected even with cloud and telco service providers. To learn more about how SGX works, visit https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html.

AMI TruE: A Solution for Confidential Computing and Trusted Cloud Execution

Innovation in firmware security demands a deep understanding of firmware and its development. With over 35 years of BIOS, UEFI and BMC firmware development experience, AMI is perfectly positioned to enhance firmware security for the industry and deliver trust at the platform level. As a longstanding partner of Intel Corporation, AMI collaborates closely with Intel in the delivery of leading-edge firmware and security technologies such as Intel SGX.

AMI also strives for and takes pride in easing the adoption of Intel solutions and technologies by customers and end users. AMI TruE is a great example of this winning collaboration: a holistic data center security solution from AMI that provides a Trusted Environment for cloud execution using Intel® Security Technologies and Intel® Security Libraries for Data Centers, and that is scalable, extensible and built for cloud-to-edge applications. Leveraging Intel® SGX, AMI TruE enables confidential computing, eases deployment of workload attestation and secures application keys without compromising confidentiality. AMI TruE™ also establishes and tracks servers’ trusted compute status in the data center, enables compliance with data sovereignty regulations, runs sensitive workloads on trusted servers and provides remediation measures for untrusted platforms.

Deploying AMI TruE automatically installs the required Intel® Sec-L components, including the SGX Quote Verification Service (SQVS), the SGX Caching Service (SCS) and the SGX Agent on hosts. Once deployed and configured, AMI TruE starts discovering servers and collects detailed asset information about all discovered servers.

Other key features and benefits of AMI TruE include:

  • Dashboard displaying trust and workload confidentiality details of managed infrastructure
  • Management of secure workloads on SGX enabled platforms
  • Provisioning of PCK certificates for SGX enabled platforms and SGX collateral
  • Labeling of nodes in a Kubernetes® cluster with trust status and SGX support
  • Discovery of manageable platforms with security features including TPM and Intel SGX
  • Remote provisioning of Trust Agents and SGX Agents
  • Platform Integrity Assurance to ensure the system boots in a trusted state
  • Data sovereignty to guarantee that geographic specific workloads only run where they are intended to
  • Monitoring of the Trust status of all TPM enabled platforms
  • Alerts when platform trust status is compromised
  • Telemetry and instrumentation for management and remediation: remotely updating BIOS or BMC firmware, installing an operating system, rebooting the platform, etc.
  • REST APIs for automation and integration

Finally, using Intel® Security Libraries for Datacenters (Intel® SecL-DC), AMI TruE supports Kubernetes® orchestration for launching workloads in secure enclaves.

For more information on the AMI TruE Platform Security Solution, visit ami.com/true, contact AMI via ami.com/contact or call 1-800-828-9264 to speak with an AMI Security Solutions Expert.

KUBERNETES® is a registered trademark of the Linux Foundation in the United States and other countries and is used pursuant to a license from the Linux Foundation. All other trademarks and registered trademarks are the property of their respective owners.
