What is Intel TME (Total Memory Encryption)?
by Christopher Trick, on Mar 17, 2022 1:57:36 PM
Memory attacks have quietly emerged as a new class of hacking techniques to undermine conventional security measures, posing a threat to all data that passes through a system.
In this blog, you'll learn how Intel TME (Total Memory Encryption) acts as a necessary safeguard for protecting a system's memory and preserving functionality to ensure optimal performance.
What is Intel TME?
Intel TME (Total Memory Encryption) encrypts all data passing to and from a computer's CPU with a single transient key. Such information includes customer credentials, encryption keys, and other IP or personal information.
Why is Intel TME important?
Memory attacks have quietly emerged as a new class of hacking techniques to undermine conventional security measures.
This new threat includes attacks at the hardware level such as removal and reading of dual in-line memory modules (DIMMs) or the installation of attack hardware.
Without Intel TME, hackers can access critical data and encryption keys or install malware, compromising the security of a system.
How does Intel TME work?
Intel TME begins in the early stages of the boot process. Once configured and locked, it will encrypt all the data on the external memory buses of a CPU with the NIST Standard AES-XTS algorithm with 128-bit keys.
(NIST is the National Institute of Standards and Technology, AES is the Advanced Encryption Standard, and XTS stands for Tweakable Block Ciphertext Stealing, used for encryption and decryption.)
The encryption key is generated using a hardened random number generator in the CPU and never exposed to software, allowing existing software to run unmodified while better protecting memory. A new platform key is generated by the processor on every boot.
Data in memory and on the external memory buses is encrypted and is only in plain text while inside the CPU, similar to storage encryption on hard disks or SSDs.
There are, however, some instances where it would be better to not encrypt a portion of memory, so Intel TME allows the BIOS to specify a physical address range to remain unencrypted. TME can be enabled or disabled by IT admins in the BIOS settings.
The AES-XTS mode, which is usually used for block-based storage devices, takes the physical address of the data into account when encrypting each cacheline block. This ensures that the effective key is different for each cacheline.
Moving encrypted content across physical addresses results in garbage on read, mitigating block-relocation attacks.
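The address-tweaked behavior described above can be reproduced in software. This is an added example, not Intel's implementation or code from the original post: it uses the Python cryptography package's AES-XTS mode, and the EncryptedDram class, the use of the cacheline address as the 16-byte tweak, and the sample secret are assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

CACHELINE = 64  # bytes per cacheline


class EncryptedDram:
    """Toy model: the CPU-side engine holds the key, `cells` is what sits on the DIMM."""

    def __init__(self):
        # AES-128-XTS uses two 128-bit keys (32 bytes); a fresh key per "boot".
        self._key = os.urandom(32)
        self.cells = {}  # physical address -> ciphertext

    def _cipher(self, addr):
        # Assumption: the XTS tweak is the cacheline's physical address.
        tweak = addr.to_bytes(16, "little")
        return Cipher(algorithms.AES(self._key), modes.XTS(tweak))

    def write(self, addr, line):
        if len(line) != CACHELINE or addr % CACHELINE:
            raise ValueError("expect one aligned 64-byte cacheline")
        enc = self._cipher(addr).encryptor()
        self.cells[addr] = enc.update(line) + enc.finalize()

    def read(self, addr):
        dec = self._cipher(addr).decryptor()
        return dec.update(self.cells[addr]) + dec.finalize()


def relocation_demo():
    secret = b"constructed sample secret".ljust(CACHELINE, b".")
    dram = EncryptedDram()
    dram.write(0x1000, secret)
    dram.write(0x2000, secret)
    # Block relocation: ciphertext copied to a different physical address.
    dram.cells[0x3000] = dram.cells[0x1000]
    # DIMM contents carried over to the next boot, which has a new key.
    next_boot = EncryptedDram()
    next_boot.cells = dict(dram.cells)
    return {
        "roundtrip_ok": dram.read(0x1000) == secret,
        "same_ciphertext": dram.cells[0x1000] == dram.cells[0x2000],
        "relocated_readable": dram.read(0x3000) == secret,
        "readable_after_reboot": next_boot.read(0x1000) == secret,
    }


if __name__ == "__main__":
    print(relocation_demo())
```

Only the first result is true: identical plaintext encrypts differently at each address, relocated ciphertext decrypts to garbage, and ciphertext kept across a reboot is unreadable under the new key.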
Figure (source: intel.com): Intel TME (Total Memory Encryption) encrypts all data passing to and from a computer's CPU with a single transient key.
Benefits of Intel TME
Intel TME's memory encryption extends AES-XTS protection to the external memory buses and DIMMs.
The AES-XTS encryption engine is in the direct data path to external memory buses and, therefore, all the memory data entering and/or leaving the CPU on memory buses is encrypted using AES-XTS.
Intel TME also provides an extra layer of protection in the event that a computer is stolen, as the data is turned into garbage text (ciphertext) that is of no use to hackers.
Intel TME and Trenton Systems
As cyberattacks increase in sophistication, traditional security measures like usernames and passwords are proving to be relatively ineffective against digital and physical threats.
Additionally, hackers are now targeting both data and memory, further highlighting the need for advanced cybersecurity measures.
Want to learn more? Get in touch to craft a secure, USA-made, high-performance compute solution, ensuring you operate with complete confidence across all domains of the modern battlespace, no matter where the mission leads.