CPUs - Integrated Security Measures

Discussion in 'hardware' started by luciddream, Feb 27, 2013.

Thread Status:
Not open for further replies.
  1. luciddream
    luciddream Registered Member

    Lately I got a new/old box, mainly because I wanted a CPU that supported Hardware DEP & Virtualization. And it got me looking into the topic. And now I'm seeing other measures integrated into CPUs as well. For instance there are 2 types of virtualization techs from what I see... VT-x, and VT-d. And sometimes the VT-x variety comes along with something called EPT (Extended Page Tables)... and sometimes it doesn't. With Intel's newer Core-i3/5/7 CPUs it does. So I got to looking at this site for info on the subject:

    http://ark.intel.com/Products/VirtualizationTechnology

    ... and I'm seeing all sorts of other stuff too.

    Trusted Execution Technology
    AES New Instructions
    Anti-Theft Technology (seriously?...)
    My Wifi Technology
    Execute Disable Bit
    ... and of course the aforementioned 3 different varieties of virtualization

    So I was hoping someone could help me cut through the fluff here and tell me which of these are actually useful from a security standpoint... and not just marketing gimmicks/hype.
  2. Hungry Man
    Hungry Man Registered Member

    AES just speeds up encryption.

    TET uses TPM to store keys. It's used for things like secureboot, or that's its goal at least.

    No idea about antitheft or wifi.

    Execute Disable Bit is just N^X/DEP.

    There's also SMEP and SMAP, which together are quite useful, but SMAP won't be supported until Haswell.
  3. luciddream
    luciddream Registered Member

    Thanks. One would think that judging by that site VT-x & EPT are the 2 most important for virtualization, since they both have their own columns... it's only after clicking on a specific CPU for more info the other stuff pops up.

    And I've noticed that a lot of brand spanking new CPUs, even, don't have VT-d... yet some older ones (like Core 2 Duos) do. But unlike say the Core 2 Duos, they do have EPT... so I was thinking maybe EPT like took its place, and/or that VT-d was redundant with EPT in place.

    But then I saw that "some" new CPUs indeed do have both, EPT & VT-d. So that theory went out the window.

    What I did learn is that you can't just assume that because your CPU is newer, it just must have these technologies built into them. Some newer ones lack features older (much older even) ones have. And sometimes even the same type of CPU, but a different model # (like 8000 instead of 7000) can make a huge difference.

    I came to find that my old Core 2 Duo CPU has some things that even the new Core i3s & 5s lack... but not the i7s, they have everything but the kitchen sink built into them.
  4. luciddream
    luciddream Registered Member

    I dunno though... from what I read EPT seems to just be a hardware assisted boost of speed for VMs. Whereas VT-d seems to be an actual added protection/security measure. Unless I'm not getting the whole picture here (and I'm probably not), given the choice, I'd rather have the VT-d.

    I just realized today that I was wrong about what CPU I had. I was looking at the manual from dell.com for that Service Tag, but he must have upgraded the CPU. Since he's a PC gamer, not unlikely. That's why he has so many extra parts just lying around. Oh, how one person's trash is another's treasure...

    And this CPU has the VT-d, unlike the 6750 I thought was in there. That's the only difference (as far as this thread goes). I didn't notice the model # when I ran "secureable" either... I was just looking for those big, green YES's under Hardware DEP & Virtualization.
    Last edited: Feb 28, 2013
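
Added example, not part of the thread or any poster's code: a per-machine check, on Linux, for the features named in the posts above, instead of inferring them from the CPU generation. It assumes the Linux `/proc/cpuinfo` flag names (`nx`, `vmx`, `ept`, `aes`, `smx`, `smep`, `smap`) and the ACPI DMAR table path for VT-d; the sample text is constructed, not taken from a real machine.

```python
import os

# Features named in the thread -> Linux /proc/cpuinfo flag names.
FEATURES = {
    "Execute Disable Bit (NX/DEP)": "nx",
    "VT-x": "vmx",
    "EPT": "ept",
    "AES New Instructions": "aes",
    "Trusted Execution Technology": "smx",
    "SMEP": "smep",
    "SMAP": "smap",
}

# Constructed sample, not captured from a real machine.
SAMPLE = (
    "processor\t: 0\n"
    "model name\t: Example CPU (constructed)\n"
    "flags\t\t: fpu pae nx lm vmx smx aes smep\n"
    "vmx flags\t: vnmi ept vpid\n"
)

def parse_flags(cpuinfo_text):
    """Collect flags from the 'flags' and 'vmx flags' lines."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        # Newer kernels list EPT under 'vmx flags', older ones under 'flags'.
        if sep and key.strip() in ("flags", "vmx flags"):
            flags.update(value.split())
    return flags

def report(cpuinfo_text):
    """Return {feature name: True/False} for the features above."""
    flags = parse_flags(cpuinfo_text)
    return {name: flag in flags for name, flag in FEATURES.items()}

def vtd_table_present(path="/sys/firmware/acpi/tables/DMAR"):
    """VT-d is not a cpuinfo flag; firmware advertises it via the ACPI DMAR table."""
    return os.path.exists(path)

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample off Linux
    for name, present in report(text).items():
        print(f"{name:30} {'YES' if present else 'no'}")
    print(f"{'VT-d (ACPI DMAR table)':30} {'YES' if vtd_table_present() else 'no'}")
```
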
  5. J_L
    J_L Registered Member

  6. luciddream
    luciddream Registered Member

    Unless my laptop got stolen while turned on and logged in/unlocked, basically right out from under my nose, that wouldn't do me much good... with an encrypted OS, BIOS PW, and non-local syskey required. If someone swept all that aside, quite frankly they deserve my box.

    But hey... it's one more thing to add to that list. I'd enable it.