Intel® Server Board M50CYP2SB Family Technical Product Specification
The Intel® Server Board M50CYP2SB family provides Intel® SGX. Intel® SGX provides fine-grained data protection via application isolation in memory. Protected data includes code, transactions, IDs, keys, key material, private data, and algorithms. Intel® SGX provides enhanced security protections for application data independent of operating system or hardware configuration. Intel® SGX provides the following security features:
• Helps protect against attacks on software, even if the OS, drivers, BIOS, VMM, or SMM are compromised.
• Increases protections for secrets, even when the attacker has full control of the platform.
• Helps prevent attacks against memory contents in RAM, such as memory bus snooping, memory tampering, and “cold boot” attacks.
• Provides an option for hardware-based attestation capabilities to measure and verify valid code and data signatures.
Intel® SGX for Intel® Xeon® Scalable processors is optimized to meet the application isolation needs of server systems in cloud environments:
• Massively increased enclave page cache (EPC) size, that is, enclave memory (up to 1 TB for a typical 2-socket server system).
• Significant performance improvements: minimal impact versus native non-encrypted execution (significantly reduced overhead depending on workload).
• Full software and binary compatibility with applications written for other variants of Intel® SGX.
• Support for deployers to control which enclaves can be launched.
• Provides deployers full control over the attestation stack, compatible with Intel® Data Center Attestation Primitives.
• Full protection against cyber (software) attacks, with some reduction in protection against physical attacks (no integrity/anti-replay protections) versus other Intel® SGX variants.
• Designed for environments where the physical environment is still trusted.
Note: Intel® SGX can only be enabled when Intel® TME is enabled. See Section 12.4.
To enable/disable Intel® SGX, access the BIOS Setup menu by pressing the <F2> key during POST. Navigate to the following menu:
Advanced > Processor Configuration
Important Note: When either Intel® TME or Intel® TME-MT is enabled, a subset of memory RAS features and Intel® Optane™ persistent memory 200 series (if installed) will be disabled. See
For more information on Intel® SGX, refer to the BIOS Setup Utility User Guide for the Intel® Server Board D50TNP, M50CYP, and D40AMP Families and the BIOS Firmware External Product Specification (EPS) for the Intel® Server Board D50TNP, M50CYP, and D40AMP Families.
12.6 Trusted Platform Module (TPM) Support
The Trusted Platform Module (TPM) option is a hardware-based security device that addresses the growing concern about boot process integrity and offers better data protection. The TPM protects the system startup process by ensuring it is tamper-free before releasing system control to the operating system. A TPM device provides secured storage for data such as security keys and passwords. In addition, a TPM device has encryption and hash functions. The server board implements TPM as per the TPM PC Client Specifications revision 2.0, published by the Trusted Computing Group (TCG).
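The measured-boot mechanism the paragraph above refers to, simulated as an added Python example (not code from the specification or from Intel): each boot component's hash is folded into a Platform Configuration Register (PCR) with the TPM extend operation, and a verifier replays the event log to check the PCR values a TPM reports. The event-log entries and component hashes are constructed sample values.

```python
import hashlib

PCR_COUNT = 24      # TPM 2.0 PC Client platforms provide 24 PCRs per bank
DIGEST_LEN = 32     # SHA-256 bank

# Constructed sample event log: (PCR index, description, SHA-256 digest of the
# measured component). Real logs come from the firmware's TCG event log.
SAMPLE_EVENT_LOG = [
    (0, "BIOS firmware volume", hashlib.sha256(b"bios-image-v1").digest()),
    (0, "BIOS setup configuration", hashlib.sha256(b"setup-config").digest()),
    (4, "OS loader (bootx64.efi)", hashlib.sha256(b"bootloader-image").digest()),
]


def initial_pcrs():
    """Most SHA-256 PCRs start as all-zero bytes at platform reset."""
    return {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = SHA-256(old || digest).

    A PCR can only be extended, never written directly, so the final value
    depends on every measurement and on the order in which they were made.
    """
    return hashlib.sha256(pcr_value + digest).digest()


def replay_event_log(events):
    """Recompute every PCR from the event log, as an attestation verifier does."""
    pcrs = initial_pcrs()
    for index, _description, digest in events:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def mismatched_pcrs(events, quoted_pcrs):
    """Return the PCR indices whose replayed value differs from the TPM-reported value.

    A non-empty result means the event log does not explain the PCR contents:
    either a component was altered or the log itself was tampered with.
    """
    expected = replay_event_log(events)
    return {i for i, value in quoted_pcrs.items() if expected[i] != value}
```

The TPM-reported (quoted) values would normally be obtained from a TPM2_Quote signed by an attestation key; here they are taken from a replay of the untampered log.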
A TPM device is optionally installed on the server board and is secured from external software attacks and
physical theft. A pre-boot environment, such as the BIOS and operating system loader, uses the TPM to
collect and store unique measurements from multiple factors within the boot process to create a system