AMI TruE Platform Attestation
Overview of AMI
AMI provides foundational technology and security solutions so the world’s compute platforms Power Up, Stay On, and Run Secure from on-premises to the cloud to the edge, each time, every time.
AMI is a crucial provider to the Open Compute ecosystem and is a member of numerous industry associations and standards groups, such as the Unified EFI Forum (UEFI), National Institute of Standards and Technology (NIST), National Cybersecurity Excellence Partnership (NCEP), and the Trusted Computing Group (TCG).
AMI’s unwavering customer support has generated lasting partnerships and spurred innovation for the most prominent brands and providers on the market.
Smart Edge Open Controller Node: Desktop or VM with 4 Core 2.66 GHz CPU, 16 GB Memory, 200 GB Disk Space, Gbps Network with IPv4, CentOS 7.9 or Ubuntu 20.04, Kubernetes Control Plane, Docker Registry, Ansible Controller, NFS Server.
Smart Edge Open Worker Node: Desktop or VM with 4 Core 2.66 GHz CPU, 16 GB Memory, 200 GB Disk Space, Gbps Network with IPv4, CentOS 7.9 or Ubuntu 20.04.
Smart Edge Open Edge Node with Security: Physical Server, Intel® Ice Lake Class, 4 Core 2.66 GHz CPU, Minimum 16 GB Memory, All Memory Modules Populated, 200 GB Disk Space, Gbps Network with IPv4, UEFI BIOS, TPM 2.0 Enabled and Cleared, Intel® TXT, UEFI Secure Boot, Intel® SGX, CentOS 7.9 or Ubuntu 20.04.
AMI TruE Overview
The use of firmware in the data center has increased over the years. With the increase of firmware in the data center comes an increase in firmware vulnerability, which drives interest in firmware security and integrity to a new high. AMI TruE delivers holistic data center security solutions using Intel® Security Libraries for data centers and Intel SGX technology to establish and track all servers’ trusted compute status.
Complete Data Center and Edge Security Solution
• Foundational Security based on Intel® Security Libraries for Data Centers
• Establishes and tracks all servers’ trusted compute status
• Provides remediation measures for untrusted platforms
• Enables workload launch time protection using Kubernetes
Confidential Computing with Intel® SGX
• Enables workload launch time protection including SGX enabled systems
• Eases deployment of SGX attestation of workload, protection of keys, etc.
Remediation with Provisioning
• Redfish based provisioning features
• Action Service Framework
Out-of-band Management with DMTF® Redfish Standards
• Resource discovery and management
AMI TruE supports a scalable and distributed deployment model, which the diagram below shows.
The Intel Smart Edge Open Controller Node hosts the control plane components, and the platform security service is hosted on the worker node. The platform security agent runs on each edge node managed by AMI TruE.
Use Case 1: Launch Time Protection
Problem: Edge infrastructure hardware, firmware, and software are not typically tracked by the infrastructure providers. Edge infrastructure admins are less aware of whether the hosts on which they are launching workloads are verified, compromised, or susceptible to outside attacks.
Solution: Cloud orchestrators like Kubernetes can label server nodes with key-value attributes. AMI TruE remote attestation services can publish trust and informational attributes to the orchestrator for use in workload launching decisions, such as launching sensitive workloads only on trusted edge servers.
Value: Edge infrastructure admins can schedule their application workloads with orchestrator policy, ensuring they land on trusted hardware. With custom asset tag labeling, they can launch every workload on the host that is categorized to meet specific requirements.
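The launch policy described in this use case can be expressed as a Kubernetes node affinity rule. The manifest below is an added illustration, not AMI TruE's own configuration: the label keys, values, workload name and image are placeholders, to be replaced with the keys the attestation service actually publishes on the nodes.

```yaml
# Added example. Label keys and values are placeholders, not AMI TruE's
# actual label names; substitute the keys your attestation service
# publishes on the Node objects.
apiVersion: v1
kind: Pod
metadata:
  name: sensitive-workload                  # hypothetical workload name
spec:
  affinity:
    nodeAffinity:
      # Hard requirement: the pod stays Pending rather than being placed
      # on a node that does not carry both labels below.
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          # Expressions inside one term are ANDed together.
          - matchExpressions:
              # Trust attribute published after remote attestation.
              - key: example.com/trusted            # placeholder key
                operator: In
                values: ["true"]
              # Custom asset tag, e.g. a location or compliance category.
              - key: example.com/asset-tag-region   # placeholder key
                operator: In
                values: ["eu-west"]                 # constructed value
  containers:
    - name: app
      image: registry.example.com/sensitive-app:1.0 # placeholder image
```

`IgnoredDuringExecution` means a pod that is already running is not evicted if its node later loses the trust label, so a change in trust status needs separate handling. Because the scheduling decision rests on node labels, write access to Node objects should be limited by RBAC to the attestation service.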