The AMI TruE™ Trusted Environment Platform Security Solution enables confidential computing that isolates sensitive data in an encrypted CPU enclave during processing, using Intel® Software Guard Extensions (Intel® SGX) and Intel® Security Libraries for Data Centers (Intel® SecL-DC) found in the latest Intel® Xeon™ Processors to enable a true trusted environment for confidential computing and secure cloud execution.
AMI TruE enables secure computing, easy to deploy workload attestation and secure application keys without compromising confidentiality or adding cost. It delivers a holistic, secure datacenter solution that is scalable, extensible and built for cloud-to-edge applications. It establishes and tracks the servers’ trusted compute status in the data center, complies with data sovereignty regulations, runs sensitive workloads on trusted servers and provides remediation measures for untrusted platforms.
AMI TruE helps datacenters secure platforms throughout the entire platform life cycle, by providing end-to-end firmware security and verification across the datacenter and integrating with other datacenter management and orchestration tools to provide a holistic view of platform firmware security for all servers in use. Supply chain attacks can be easily avoided by attesting the shipped firmware and software hash information of new platforms. After deployment, server trust validation continues to attest the integrity of the firmware and software running across the enterprise.
Features and Benefits
Modern platforms have numerous components running their own firmware. It used to be just the Server BIOS, BMC and Option ROM firmware. Today, it's every component. This includes Non-Volatile DIMMs, Power Supplies, NICs and every other component that you can think of. This broadens the attack surface, opening up multiple vectors for intrusion into the platform's chain of trust.
The future of trusted hardware is here now. Running sensitive workloads in a black box, such as in an Intel® SGX secure enclave, furthers data privacy, sovereignty and protection in the cloud by reducing the attack surface in the data center.
Intel® Software Guard Extensions (Intel® SGX), Intel® Security Libraries for Data Centers (Intel® SecL-DC) and AMI TruE enables Platform Trust and Runtime Encryption.
(Roll over image below)
AMI TruE uses a trust agent running at the OS level to collect firmware and software hash information from the Trusted Platform Module (TPM), which is used to determine platform trust by comparing this hash information to known trusted hashes. A customer installed and managed attestation server will keep all the various hashes collected across the data center and track which ones are trusted or untrusted. When a node is found to be untrusted, it can be scheduled for automatic firmware updates based upon data center policy.
Leveraging Intel® SGX secure enclaves, AMI TruE enables secure computing, easy to deploy workload attestation and secure application keys without compromising confidentiality – to deliver a secure data center solution that is scalable, extensible and built for cloud-to-edge applications. It establishes and tracks the servers’ trusted compute status in the data center, complies with data security regulations and provides remediation for untrusted platforms. Adding support for these key security features makes AMI TruE a reliable and easily deployed solution for data centers and cloud service providers that delivers functional computing, attestation, confidential computing and cloud execution without compromise.
(Roll over image below)
AMI TruE enables data centers and businesses the ability to comply with privacy laws and data sovereignty regulations by binding the server's geographic location to its asset tag information – creating what is called a geo-tag. With AMI TruE, protected personal data can be identified and separated, and compliance with data sovereignty regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), can be assured.
Combine platform requirements in any combination to create flavors.
Flavors help determine whether a particular compute node is suitable for certain workloads. Apply one or more flavors to any subset of your managed environment to enforce platform trust requirements, operating system requirements, geographic location requirements, and more. AMI TruE even gives you the ability to create custom attributes for your flavors.
By assuring that your environment is running only trusted firmware and software, integration with popular industry cloud orchestration software, such as KUBERNETES®, allows AMI TruE to ensure that workloads containing sensitive information or data requiring data sovereignty compliance are run only on trusted compute nodes in the required geographic location. KUBERNETES® integration allows for the enforcement of flavors to be automated by the data center workload orchestration environment.
AMI TruE helps data centers secure platforms throughout the entire product life cycle. Supply chain attacks can be easily avoided by attesting the shipped firmware and software hash information with the attestation server upon installation into an existing trusted environment. After deployment, server trust validation continues to attest the integrity of the firmware and software running throughout the data center.
Please visit the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSCR) Publication site to download the NISTIR 8320 (PUBLIC DRAFT) Report on Hardware-Enabled Security: Container Platform Security Prototype.
Founded in 1985 and known worldwide for AMIBIOS®, the mission of AMI is to power, manage and secure the world’s connected digital infrastructure by providing best-in-class UEFI and remote management firmware, security solutions, development tools and utilities to top-tier manufacturers of desktop, server, mobile and embedded/IoT systems.
