Intel® Security Libraries for Data Center (Intel® SecL-DC)
Intel® SecL-DC News Update: 1.6 GA Release 12/22/19
- Added the Signed Flavor feature
- Allows the Verification Service to sign Flavors and verify the signature at attestation time to maintain the integrity of the Flavors.
- Added the Workload Confidentiality feature
- Allows image owners for virtual machines or Docker containers to encrypt the source images of their workloads. Encryption keys remain under the image owner's control, and are released to specific servers, sealed to that server's TPM, upon a successful integrity attestation with attributes that meet policy requirements determined by teh workload image owner. Because the image decryption key is sealed to the TPM of the host that was attested, this means that only a server that meets the requirements of the image owner as proven by an attestation report can successfully access the image.
- Adds the new Workload Service (WLS)
- The Workload Service manages mapping image IDs (as they exist in image storage, ie OpenStack Glance) to key IDs
- Adds the new Workload Agent (WLA)
- Manages the compute node/worker node operation, intercepting attempted launch of encrypted workloads, makes requests for keys, and manages crypto volumes for accessed images
- Adds the new Key Broker Service (KBS)
- Acts as the policy manager for handling key requests. Verifies that received attestation reprots are signed by a known Verification Service and that the attestation attributes match policy requirements.
- Adds the new Workload Policy Manager (WPM)
- Application that encrypts a new workload image
- Authentication for new components (WLS, WLA) now uses token-based authentication provided by the new Authentication and Authorization service (AAS). This is planned to replace the existing authenticatyion mechanisms for all Intel SecL services in the 1.6 release version.
- Added the new Certificate Management Service (CMS). This service will replace and centralize all existing certificate management functions in all Intel SecL services for the 1.6 release version. In the BETA release, this is currently integrated for the AAS and WLS.
Intel® SecL-DC News Update: 1.5 GA Release 7/24/19
1.5GA Release Supporting below Use Cases:
- Added support for additional Root of Trust options – Intel BootGuard and UEFI SecureBoot – including removing the tboot requirement if UEFI SecureBoot is enabled (due to incompatibility)
- Added the Application Integrity feature
1.5GA Release Supporting below Key Features:
- Updated algorithms to use SHA384 instead of SHA256
- Updated key generation to use RSA-3K
Intel® SecL-DC News Update: First generation 1.4 GA Release 5/22/19
First version 1.4GA Release supporting the below Use Cases:
- Hardware-rooted Platform Trust Attestation
Intel Security Libraries leverage Intel Trusted Execution Technology and the Trusted Compute Group standards to establish a measured boot environment for servers that use Intel Xeon processors and a Trusted Platform Module. This measured boot environment allows a server's actual boot state to be compared to known-good values, which enables the detection of malicious code injection, rootkits, unacceptable firmware or software version, etc. Remote attestation of this comparison through ISecL allows a clear audit report of the boot state of servers in the datacenter to ensure compliance and improve security.
- Asset Tag Attestation
Intel Security Libraries allow the generation and provisioning of user-defined key/value pairs that can be securely provisioned into the physical TPM of a host and included in the remote attestation process. This allows datacenter administrators or cloud consumers to gain visibility into tagged attributes, such as the location of the server hardware.
Intel® SecL-DC News Update: First generation Beta Release 4/2/19
Building atop hardware-based security, software-based security continues to be essential, which is why we are launching Intel® Security Libraries for Data Center (Intel® SecL-DC). Beta version is made available 4/2/2019. The GA version will be made available before the end of May’19.