Alliances
cancel
Showing results for 
Search instead for 
Did you mean: 

Advanced Security of HPE Servers with AMD EPYC™ processors

Alex_Haddock

HPE and AMD deliver an end-to-end security portfolio that includes protection, detection, and recovery, and is arguably the most comprehensive in the industry.

Infrastructure security has been causing rather a buzz in the industry recently both with respect to CPUs (Meltdown/Spectre and Foreshadow) and systems management (the Bloomberg allegations). These attack vectors require new mitigations to become standard security practice mandated from CISO level through to architects to procurement to administration. Failing to understand this landscape will leave businesses open to potentially terminal downtime from malware, denial of service attacks and data breaches; let alone resulting legal ramifications via regulations such as GDPR.

For further information on the security landscape and to maintain brevity in this blog I’d highly recommend reviewing the following session with Europol and the FBI regarding the ever changing focuses of hackers.


Whilst nobody should have the hubris to claim they are fully secure, HPE placed a major focus on lifecycle security in designing the current Gen10 server family in order to create the HPE Secure Compute Lifecycle. HPE delivers end-to-end security that includes protection, detection, and recovery. HPE's Silicon Root of Trust—embedded technology (built into the HPE DL325 and HPE DL385 Gen10 families) validates essential server firmware at bootup. The server leverages silicon for an immutable fingerprint that verifies all the firmware code is valid and uncompromised, halting the server otherwise. At that point, HPE Secure Recovery can save the day, allowing roll back of server firmware to a valid state, quickly restoring secure data-center operation. HPE is also unique with hardware based server monitoring that alerts you to suspicious user activity and insecure or suspect data communications, in real-time, before the hackers can get in, not just at system boot.

The great thing is that AMD also placed a high developmental priority on systems security when they created the AMD EPYC™ CPU, building a discrete Secure Processor enclave within the EPYC CPU itself. This allows for hardware validated boot and provides added virtual machine security (particularly relevant for multitenant Cloud Service Providers).

With scalable hardware-based 128-bit encryption, HPE’s AMD systems protect sensitive data, in flight, with virtually no performance penalty. For service providers that need to guarantee each customer’s virtual machines are sandboxed, HPE and AMD Secure Run coupled with Secure Encrypted Virtualization (SEV) provides cryptographic isolation for VMs, tenants, and the hypervisor. You can also quickly and securely migrate virtual machine instances with AMD Secure Move technology.

And because you can never be too safe, HPE security goes even deeper, leveraging AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to prevent malicious data leakage and modification within the CPU and server hardware.

Even better together
Bringing both HPE’s Secure Compute Lifecycle and AMD’s built in security together results in what we believe to be the most secure industry standard server platform currently available:

HPE_AMD_3.jpg

 

AMD EPYC™ provides memory and virtualisation encryption not available elsewhere whilst HPE iLO5 uniquely protects the server even before Server Platform Services are started and when the server is running. AMD’s Secure Run also provides an extra level of validation to the HPE Silicon Root of Trust technology during boot, giving an extra layer of protection not yet available in other platforms.

We aren’t for slowing down…
To add some further icing to the cake then the AMD EPYC™ platform also offers significant performance benefits when the mitigations for the aforementioned Meltdown and Foreshadow threats are applied, namely AMD does not currently believe to be affected by them. The default Linux kernel security mitigations for these threats degrade other x86 processors’ performance but leave the AMD EPYC™ processor running at close to 100% of its normal processing speed, with no real performance penalty.


Setting new standards of security and performance
The best thing is that accessing this belt and braces approach (belt and suspenders for our American friends?) doesn’t mean a compromise in other areas.

The secure and versatile 1P / 1U HPE ProLiant DL325 Gen10 powered by AMD EPYC™, and the even more powerful HPE ProLiant DL385 Gen10 server both deliver industry leading balance of processor cores, memory, and I/O for virtualization (and as for Rome, oh wow…).

Even better, from HPE iLO5 firmware 1.40 and above the full suite of iLO5 security including the features previously requiring premium security have been made available to holders and purchasers of the HPE iLO Advanced License. This is a reflection of how seriously HPE is taking infrastructure security now and in the future.

AMD blog series:

  1. HPE and AMD Deliver A Competitive Edge  
  2. A new era of compute – driving power and efficiency gains  
  3. Advanced Security of HPE Servers with AMD EPYC™ processors  
  4. Use Cases for AMD EPYC™ based HPE servers 
  5. HPE & AMD: The Road to Future Innovation 

 

Thanks for reading and safe computing!


Alex Haddock
Hewlett Packard Enterprise

twitter.com/HPE_UKI
linkedin.com/company/hewlett-packard-enterprise
hpe.com/UK

 

About the Author

Alex_Haddock

I span HPE HybridIT solutions with a strong background in Compute and Composable infrastructure. Focus on partnering.