AMD's Xbox, PlayStation Work Led To A Big Security Feature In EPYC

'We had 16 keys in a cryptographic isolation on a game console, and that's one of the principal reasons they've never been hacked, even though they're physically in the hands of a lot of people that would love to hack it,' AMD exec Forrest Norrod tells CRN of how a virtualization security feature in EPYC came to be.

Forrest Norrod thinks one of the new security features in AMD's EPYC server processors will become a must-have in the cloud and virtualization market — and its development started in an unlikely place: the chipmaker's work on the Xbox One and PlayStation 4 video game consoles.

The EPYC feature referenced by Norrod, AMD's top data center executive, is Secure Encrypted Virtualization, or SEV, which uses an Arm secure co-processor embedded within EPYC chips to cryptographically isolate virtual machines from each other and the hypervisor. SEV doesn't require any modifications to applications, so the Santa Clara, Calif.-based chipmaker is hoping it will gain wide acceptance as a crucial way to protect VMs from malicious actors.

[Related: AMD EPYC Rome Server CPUs: 6 Important Things To Know]

"I think that it in three to four years, it will be ridiculous to even consider deploying a VM in the cloud if you can't control and isolate that thing cryptographically from the cloud provider," said Norrod, AMD's senior vice president and general manager of Data Center and Embedded Solutions Business Group.

The roots of SEV's development started back when AMD was working on custom chips for Microsoft's Xbox One and Sony's PlayStation 4, which both came out in 2013. These chips addressed the computing and graphical needs of the modern game consoles, but AMD also included a new security feature that addressed what had been a problem for older generations of devices: piracy.

"Previous generations of the game consoles could be hacked, and so you could go down to probably any number of places within a 10-mile radius [and] buy a 4-terabyte hard drive [with] every PlayStation 3 game ever written on that hard drive," Norrod said.

When Norrod, a former Dell server executive, joined AMD in 2014, he was put in charge of the company's semi-custom division, which focuses on chips for video game consoles, in addition to the chipmaker's enterprise and embedded businesses.

During his first day at AMD, Norrod said, he received a walkthrough of the company's technologies, including those developed within the semi-custom business. One of them was cryptographic isolation, which AMD used as a security measure for Xbox One and PlayStation 4 so that "the game developer doesn't have to trust the person who physically controls the box," ensuring that console owners couldn't pirate games, according to Norrod.

The executive said that's when he saw the potential cryptographic isolation could have for the server market.

"So we had 16 keys in a cryptographic isolation on a game console, and that's one of the principal reasons they've never been hacked, even though they're physically in the hands of a lot of people that would love to hack it," he said. "And so that tech, I was like, 'OK, you can run a container or virtual machine on this box, and you don't have to trust the person that physically controls the box, that's cool. We're putting that in our server road map.' So that's where it came from."

One important aspect of the feature was that it worked without impacting performance.

"It had to be highly performant, because you can't you can't take a performance penalty playing games," Norrod said. “And it had to be completely secure, because the entire business model of that industry relies on licenses for selling the software."

Microsoft and Sony did not respond to requests to comment.

The anti-piracy feature went on to become AMD's Secure Memory Encryption technology, or SME, which was extended to virtualization use cases with SEV. Both features were introduced in first-generation EPYC, but the chipmaker has since expanded SEV's capabilities in second-generation EPYC.

While SEV only supported 15 encryption keys in first-generation EPYC, it now supports 509 with the second-generation processors, significantly increasing the number of virtual machines that can be protected. These keys are generated by EPYC's Arm secure co-processor, and they cannot be accessed by guest VMs or the hypervisor.

Norrod, who is no longer in charge of AMD's semi-custom business, said the chipmaker worked with VMware to improve SEV in second-generation EPYC, which the virtualization giant will support in an upcoming version of vSphere. He said Red Hat and other Linux distributions support it as well.

"You're going to be able to have a whole new level of security that you can control independent of your cloud provider," he said.

Dominic Daninger, vice president of engineering at Nor-Tech, a Burnsville, Minn.-based system builder and AMD partner, said SEV, combined with the second-generation EPYC's high core count, makes the processor line interesting to "anyone doing serious virtualization."

"It's probably going to help them gain attention where they wouldn't have otherwise," he said.