Wilders Security Forums  

#1  February 27th, 2013, 03:13 PM
luciddream
CPU's - Integrated Security Measures

Lately I got a new/old box, mainly because I wanted a CPU that supported Hardware DEP & Virtualization. And it got me looking into the topic. And now I'm seeing other measures integrated into CPUs as well. For instance there are 2 types of virtualization techs from what I see... VT-x, and VT-d. And sometimes the VT-x variety comes along with something called EPT (Extended Page Tables)... and sometimes it doesn't. With Intel's newer Core-i3/5/7 CPUs it does. So I got to looking at this site for info on the subject:

http://ark.intel.com/Products/VirtualizationTechnology

... and I'm seeing all sorts of other stuff too.

Trusted Execution Technology
AES New Instructions
Anti-Theft Technology (seriously?...)
My Wifi Technology
Execute Disable Bit
... and of course the aforementioned 3 different varieties of virtualization

So I was hoping someone could help me cut through the fluff here and tell me which of these are actually useful from a security standpoint... and not just marketing gimmicks/hype.
__________________
XP Pro SP3: Comodo FW/D+ 5.10, Sandboxie, VT Hash Check, OpenVPN, VirtualBox
#2  February 27th, 2013, 05:06 PM
Hungry Man
Re: CPU's - Integrated Security Measures

AES just speeds up encryption.

TET uses TPM to store keys. It's used for things like secureboot, or that's its goal at least.

No idea about antitheft or wifi.

Execute Disable Bit is just N^X/DEP.

There's also SMEP and SMAP, which together are quite useful, but SMAP won't be supported until Haswell.
#3  February 28th, 2013, 12:50 AM
luciddream
Re: CPU's - Integrated Security Measures

Thanks. One would think that judging by that site VT-x & EPT are the 2 most important for virtualization, since they both have their own columns... it's only after clicking on a specific CPU for more info the other stuff pops up.

And I've noticed that a lot of brand spanking new CPUs, even, don't have VT-d... yet some older ones (like Core 2 Duos) do. But unlike say the Core 2 Duos, they do have EPT... so I was thinking maybe EPT like took its place, and/or that VT-d was redundant with EPT in place.

But then I saw that "some" new CPUs indeed do have both, EPT & VT-d. So that theory went out the window.

What I did learn is that you can't just assume that because your CPU is newer, it just must have these technologies built into them. Some newer ones lack features older (much older even) ones have. And sometimes even the same type of CPU, but a different model # (like 8000 instead of 7000) can make a huge difference.

I came to find that my old Core 2 Duo CPU has some things that even the new Core i3s & 5s lack... but not the i7s, they have everything but the kitchen sink built into them.
#4  February 28th, 2013, 12:56 AM
luciddream
Re: CPU's - Integrated Security Measures

I dunno though... from what I read EPT seems to just be a hardware assisted boost of speed for VMs. Whereas VT-d seems to be an actual added protection/security measure. Unless I'm not getting the whole picture here (and I'm probably not), given the choice, I'd rather have the VT-d.

I just realized today that I was wrong about what CPU I had. I was looking at the manual from dell.com for that Service Tag, but he must have upgraded the CPU. Since he's a PC gamer, not unlikely. That's why he has so many extra parts just lying around. Oh, how one person's trash is another's treasure...

And this CPU has the VT-d, unlike the 6750 I thought was in there. That's the only difference (as far as this thread goes). I didn't notice the model # when I ran "secureable" either... I was just looking for those big, green YES's under Hardware DEP & Virtualization.

Last edited by luciddream : February 28th, 2013 at 01:30 AM.
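
Added example (not part of the original posts): on a Linux x86 system, the features named in this thread can be read from the flags in /proc/cpuinfo rather than inferred from the CPU model number. VT-d is not a CPU flag, so it is checked through the ACPI DMAR table and the kernel's IOMMU class directory; the sample text and the function names below are constructed for illustration.

```python
import os

# /proc/cpuinfo flag name -> feature name as used in this thread.
FEATURES = {
    "nx": "Execute Disable Bit (hardware DEP)",
    "vmx": "VT-x",
    "ept": "EPT",
    "smx": "Trusted Execution Technology (SMX)",
    "aes": "AES New Instructions",
    "smep": "SMEP",
    "smap": "SMAP",
}

# Constructed sample: an older CPU with VT-x and NX but no EPT, AES-NI, SMEP or SMAP.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Example CPU (constructed sample)\n"
    "flags\t\t: fpu pae nx lm pni vmx smx ssse3 sse4_1\n"
)


def parse_flags(cpuinfo_text):
    """Collect flag tokens from the 'flags' line and, on newer kernels,
    the separate 'vmx flags' line (where 'ept' is listed)."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("flags", "vmx flags"):
            flags.update(value.split())
    return flags


def cpu_features(cpuinfo_text):
    """Return {feature name: bool} for the features discussed in the thread."""
    flags = parse_flags(cpuinfo_text)
    return {name: flag in flags for flag, name in FEATURES.items()}


def vtd_status(sysfs_root="/sys"):
    """VT-d is not a CPU flag. Firmware describes the DMA-remapping hardware
    in the ACPI DMAR table; the kernel lists active IOMMUs under class/iommu."""
    dmar = os.path.exists(os.path.join(sysfs_root, "firmware/acpi/tables/DMAR"))
    iommu_dir = os.path.join(sysfs_root, "class/iommu")
    active = os.path.isdir(iommu_dir) and bool(os.listdir(iommu_dir))
    return {"DMAR table present": dmar, "IOMMU active": active}


if __name__ == "__main__":
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    for name, present in {**cpu_features(text), **vtd_status()}.items():
        print(f"{name:40s} {'YES' if present else 'no'}")
```

A DMAR table with no active IOMMU means the hardware is reported by firmware but DMA remapping is not enabled by the running kernel.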
#5  February 28th, 2013, 02:42 AM
J_L
Re: CPU's - Integrated Security Measures

Info about anti-theft: http://www.intel.com/content/www/us/...echnology.html

According to their app (which appears to be portable), my laptop isn't supported.
#6  February 28th, 2013, 09:56 AM
luciddream
Re: CPU's - Integrated Security Measures

Unless my laptop got stolen while turned on and logged in/unlocked, basically right out from under my nose, that wouldn't do me much good... with an encrypted OS, BIOS PW, and non-local syskey required. If someone swept all that aside, quite frankly they deserve my box.

But hey... it's one more thing to add to that list. I'd enable it.
All times are GMT -4.