White Papers
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries
The very first time a CPU is powered on (typically in the Dell EMC factory) the AMD Secure Processor
permanently stores a unique Dell EMC ID inside the CPU. This is also the case when a new off-the-shelf
CPU is installed in a Dell EMC server. The unique Dell EMC ID inside the CPU binds the CPU to the Dell
EMC server. Consequently, the AMD Secure Processor may not allow a PowerEdge server to boot if a
CPU is transferred from a non-Dell EMC server (and CPU transferred from a Dell EMC server to a non-Dell
EMC server may not boot).
AMD EPYC Generation 2 processors also offer the AMD Secure Processor --- for cryptographic
functionality for secure key generation and key management. This provides full stack encryption without
any overhead for the processor. In addition, for hardware-accelerated memory encryption for data-in-use
protection, the security components in Rome processors include the AES-128 encryption engine, which is
embedded in the memory controller and automatically encrypts and decrypts data in main memory with an
appropriate key.
The AMD EPYC processors also include these two unique security features:
1. Secure Memory Encryption (SME):
SME uses a single key to encrypt system memory, which is generated by the AMD Secure Processor
at boot. SME requires enablement in the system BIOS or operating system; when enabled in the BIOS,
memory encryption is transparent and can be run with any operating system
2. Secure Encrypted Virtualization (SEV):
In addition to what SME capabilities, SEV provides Virtual Machine (VM) level encryption, which
protects against hypervisor corruption with hardware protection – a more robust solution than software
protection. The EPYC Generation 2 (Rome) processors also offer 509 keys per hypervisor for SEV,
versus 16 in EPYC (Naples)-based servers
a. Secure Encrypted Virtualization – Encrypted State (SEV ES):
Encrypts all CPU register contents when a VM stops running, preventing leakage of information in
CPU registers to components like the hypervisor, and it can detect malicious modifications to a CPU
register state. Some technical details:
• Guest register state is encrypted with guest encryption key and integrity protected
• Only the guest can modify its register state
• Guest must explicitly share register state with the hypervisor
• Guest-Hypervisor Communication Block (GHCB)
• Protects the guest register state from the hypervisor
• Adds additional protection against VM state related attacks (exfiltration, control flow, rollback)
For more information, see this technical brief on EPYC first generation security:
AMD CPU Security Features in PowerEdge 14G Servers