Share this
Intel Platform Firmware Resilience (PFR) Overview [Infographic + Q&A]
by Brett Daniel on Jul 27, 2020 12:30:00 PM
Graphic: Intel's Platform Firmware Resilience (PFR) technology is one of several ways that you can protect your server or workstation at the firmware level.
Table of Contents
- What is firmware?
- Why is firmware security important?
- What is Platform Firmware Resilience (PFR)?
- How does PFR work?
- How does PFR protect server firmware from an attack?
- Why is PFR so important to the high-performance computing industry?
- Trenton Systems: A Longtime Intel Partner
According to firmware security company Eclypsium, firmware attacks constitute some of the most high-impact cybersecurity threats facing organizations today. Firmware vulnerabilities have also increased five-fold over the last few years, according to the National Institute of Standards and Technology’s National Vulnerability Database.
Couple these harrowing stats with the fact that firmware threats are notoriously difficult to detect due to their low platform level, not to mention that hackers can exploit firmware to bypass antivirus software, and you’ve got a recipe for security-related disaster, if adequate firmware security precautions aren’t implemented, that is.
For servers and workstations using Xeon processors, Intel addresses firmware security concerns with its Platform Firmware Resilience (PFR) technology, which aims to prevent firmware interception and corruption primarily in mission-critical sectors, such as government, finance and critical infrastructure.
Before we get into what exactly this technology does, however, it's important to have a firm - yes, we said it - understanding of firmware and why firmware security is important.
What is firmware?
Firmware is low-level software found in a server's read-only memory, also known as flash ROM. It facilitates communication between other devices and is responsible for basic input/output tasks.
Basically, firmware is the software that powers your server's hardware, and unfortunately, without proper security precautions, it is highly vulnerable to malware, which has the ability to modify the firmware to gain access to the operating system and other software.
In other words, malicious software can manipulate unsecured firmware and gain access to your critical data. It can even render your server completely inoperable.
Why is firmware security important?
Unsecured firmware leaves server platforms extremely vulnerable to low-level attacks.
Without proper firmware security measures, industries, the military and other critical government sectors are leaving their sensitive data vulnerable to theft, alteration or deletion.
The Information Systems Audit and Control Association (ISACA) has led groundbreaking research on firmware security, some of which is depicted in the infographic below.
You can also take ISACA's Firmware Security Assessment. Just print out the quiz, grade yourself and refer to the final score at the end to determine your enterprise's overall threat resiliency.
What is Platform Firmware Resilience (PFR)?
Intel’s Platform Firmware Resilience (PFR) technology is designed to protect a server against firmware attacks using a built-in Intel MAX 10 Field-Programmable Gate Array (FPGA), which functions as a confirmation of firmware safety and even enables automatic recovery of corrupted firmware.
The FPGA helps protect the firmware by attesting that it is safe prior to executing the code. It also engages in boot and runtime monitoring to assure the server is running known good firmware for various aspects of the system, such as the BIOS, BMC, Intel ME, SPI Descriptor and the firmware on the power supply.
- Intel, Third Generation Intel Xeon Processor Scalable Family Technical Overview
Given that PFR is designed to protect server platforms, it's important to note that the technology is exclusive to Intel's Xeon processors.
Now, we'll hand things off to Nate Young, director of engineering at Trenton Systems, for a technical Q&A on PFR and its benefits.
Q&A: The Basics & Benefits of Intel PFR
Photo: Nate Young, director of engineering at Trenton Systems, answers frequently asked questions about PFR and its benefits.
How does PFR work?
PFR is an architecture designed by Intel to protect a server's firmware from various attack vectors, including malware, zero-day exploits and unauthorized firmware tampering.
PFR can audit the programmable portions of multiple components within the system and detect suspicious or rogue activity prior to releasing the server from reset, often referred to as t=0 protection.
PFR also provides a unified, robust and secure update mechanism for various components within the system.
Trenton Systems' firmware development capabilities allows our products to leverage PFR in select products, on top of traditional security mechanisms, such as UEFI SecureBoot, SecureFlash, Intel TXT, Intel SGX and BootGuard.
How does PFR protect server firmware from an attack?
PFR protects against unauthorized firmware updates, tampering and provides real-time monitoring of various interfaces between internal components in the system. Any suspicious or unexpected activity can be filtered or blocked, and the system can enter recovery mode to default the system back to a known factory-reset condition.
PFR also extends the chain of trust of the whole firmware and software stack earlier than previously possible, just before the system is released from reset.
Read more about a PFR use case here.
Why is PFR so important to the high-performance computing industry?
Our security-conscientious customers expect Trenton Systems' servers to include the highest levels of protection possible with the latest technologies.
PFR is the next generation in protection to identify, isolate and mitigate malicious activity at the firmware level. Industry standards, such as NIST SP 800-193, also define clear, stringent requirements for protecting system-level firmware, and PFR provides a key component for a compliant solution.
Trenton Systems: A Longtime Intel Partner
Trenton Systems is a longtime member of Intel's IoT Solutions Alliance, which provides us with access to the latest Intel technologies, including PFR, SGX, and TME, which we will be offering in some of our forthcoming high-performance computing solutions.
For more of information on PFR, check out these Intel resources:
- Intel Data Center Block with Firmware Resilience Solution Brief
- Third Generation Intel Xeon Processor Scalable Family Technical Overview
- Trusted Infrastructure Enabled by Intel Technology
For more information on firmware security and attacks, check out these articles and guides:
Share this
- High-performance computers (42)
- Military computers (38)
- Rugged computers (32)
- Cybersecurity (25)
- Industrial computers (25)
- Military servers (24)
- MIL-SPEC (20)
- Rugged servers (19)
- Press Release (17)
- Industrial servers (16)
- MIL-STD-810 (16)
- 5G Technology (14)
- Intel (13)
- Rack mount servers (12)
- processing (12)
- Computer hardware (11)
- Edge computing (11)
- Rugged workstations (11)
- Made in USA (10)
- Partnerships (9)
- Rugged computing (9)
- Sales, Marketing, and Business Development (9)
- Trenton Systems (9)
- networking (9)
- Peripheral Component Interconnect Express (PCIe) (7)
- Encryption (6)
- Federal Information Processing Standards (FIPS) (6)
- GPUs (6)
- IPU (6)
- Joint All-Domain Command and Control (JADC2) (6)
- Server motherboards (6)
- artificial intelligence (6)
- Computer stress tests (5)
- Cross domain solutions (5)
- Mission-critical servers (5)
- Rugged mini PCs (5)
- AI (4)
- BIOS (4)
- CPU (4)
- Defense (4)
- Military primes (4)
- Mission-critical systems (4)
- Platform Firmware Resilience (PFR) (4)
- Rugged blade servers (4)
- containerization (4)
- data protection (4)
- virtualization (4)
- Counterfeit electronic parts (3)
- DO-160 (3)
- Edge servers (3)
- Firmware (3)
- HPC (3)
- Just a Bunch of Disks (JBOD) (3)
- Leadership (3)
- Navy (3)
- O-RAN (3)
- RAID (3)
- RAM (3)
- Revision control (3)
- Ruggedization (3)
- SATCOM (3)
- Storage servers (3)
- Supply chain (3)
- Tactical Advanced Computer (TAC) (3)
- Wide-temp computers (3)
- computers made in the USA (3)
- data transfer (3)
- deep learning (3)
- embedded computers (3)
- embedded systems (3)
- firmware security (3)
- machine learning (3)
- Automatic test equipment (ATE) (2)
- C6ISR (2)
- COTS (2)
- COVID-19 (2)
- Compliance (2)
- Compute Express Link (CXL) (2)
- Computer networking (2)
- Controlled Unclassified Information (CUI) (2)
- DDR (2)
- DDR4 (2)
- DPU (2)
- Dual CPU motherboards (2)
- EW (2)
- I/O (2)
- Military standards (2)
- NVIDIA (2)
- NVMe SSDs (2)
- PCIe (2)
- PCIe 4.0 (2)
- PCIe 5.0 (2)
- RAN (2)
- SIGINT (2)
- SWaP-C (2)
- Software Guard Extensions (SGX) (2)
- Submarines (2)
- Supply chain security (2)
- TAA compliance (2)
- airborne (2)
- as9100d (2)
- chassis (2)
- data diode (2)
- end-to-end solution (2)
- hardware security (2)
- hardware virtualization (2)
- integrated combat system (2)
- manufacturing reps (2)
- memory (2)
- mission computers (2)
- private 5G (2)
- protection (2)
- secure by design (2)
- small form factor (2)
- software security (2)
- vRAN (2)
- zero trust (2)
- zero trust architecture (2)
- 3U BAM Server (1)
- 4G (1)
- 4U (1)
- 5G Frequencies (1)
- 5G Frequency Bands (1)
- AI/ML/DL (1)
- Access CDS (1)
- Aegis Combat System (1)
- Armed Forces (1)
- Asymmetric encryption (1)
- C-RAN (1)
- COMINT (1)
- CPUs (1)
- Cloud-based CDS (1)
- Coast Guard (1)
- Compliance testing (1)
- Computer life cycle (1)
- Containers (1)
- D-RAN (1)
- DART (1)
- DDR5 (1)
- DMEA (1)
- Data Plane Development Kit (DPDK) (1)
- Defense Advanced Research Projects (DARP) (1)
- ELINT (1)
- EMI (1)
- EO/IR (1)
- Electromagnetic Interference (1)
- Electronic Warfare (EW) (1)
- FIPS 140-2 (1)
- FIPS 140-3 (1)
- Field Programmable Gate Array (FPGA) (1)
- Ground Control Stations (GCS) (1)
- Hardware-based CDS (1)
- Hybrid CDS (1)
- IES.5G (1)
- ION Mini PC (1)
- IP Ratings (1)
- IPMI (1)
- Industrial Internet of Things (IIoT) (1)
- Industry news (1)
- Integrated Base Defense (IBD) (1)
- LAN ports (1)
- LTE (1)
- Life cycle management (1)
- Lockheed Martin (1)
- MIL-S-901 (1)
- MIL-STD-167-1 (1)
- MIL-STD-461 (1)
- MIL-STD-464 (1)
- MOSA (1)
- Multi-Access Edge Computing (1)
- NASA (1)
- NIC (1)
- NIC Card (1)
- NVMe (1)
- O-RAN compliant (1)
- Oil and Gas (1)
- OpenRAN (1)
- P4 (1)
- PCIe card (1)
- PCIe lane (1)
- PCIe slot (1)
- Precision timestamping (1)
- Product life cycle (1)
- ROM (1)
- Raytheon (1)
- Remotely piloted aircraft (RPA) (1)
- Rugged computing glossary (1)
- SEDs (1)
- SIM Card (1)
- Secure boot (1)
- Sensor Open Systems Architecture (SOSA) (1)
- Small form-factor pluggable (SFP) (1)
- Smart Edge (1)
- Smart NIC (1)
- SmartNIC (1)
- Software-based CDS (1)
- Symmetric encryption (1)
- System hardening (1)
- System hardening best practices (1)
- TME (1)
- Tech Partners (1)
- Total Memory Encryption (TME) (1)
- Transfer CDS (1)
- USB ports (1)
- VMEbus International Trade Association (VITA) (1)
- Vertical Lift Consortium (VLC) (1)
- Virtual machines (1)
- What are embedded systems? (1)
- Wired access backhaul (1)
- Wireless access backhaul (1)
- accredidation (1)
- aerospace (1)
- air gaps (1)
- airborne computers (1)
- asteroid (1)
- authentication (1)
- autonomous (1)
- certification (1)
- cognitive software-defined radios (CDRS) (1)
- command and control (C2) (1)
- communications (1)
- cores (1)
- custom (1)
- customer service (1)
- customer support (1)
- data linking (1)
- data recording (1)
- ethernet (1)
- full disk encryption (1)
- hardware monitoring (1)
- heat sink (1)
- hypervisor (1)
- in-house technical support (1)
- input (1)
- integrated edge solution (1)
- international business (1)
- licensed spectrum (1)
- liquid cooling (1)
- mCOTS (1)
- microelectronics (1)
- missile defense (1)
- mixed criticality (1)
- moving (1)
- multi-factor authentication (1)
- network slicing (1)
- neural networks (1)
- new headquarters (1)
- next generation interceptor (1)
- non-volatile memory (1)
- operating system (1)
- output (1)
- outsourced technical support (1)
- post-boot (1)
- pre-boot (1)
- private networks (1)
- public networks (1)
- radio access network (RAN) (1)
- reconnaissance (1)
- secure flash (1)
- security (1)
- self-encrypting drives (SEDs) (1)
- sff (1)
- software (1)
- software-defined radios (SDRs) (1)
- speeds and feeds (1)
- standalone (1)
- storage (1)
- systems (1)
- tactical wide area networks (1)
- technical support (1)
- technology (1)
- third-party motherboards (1)
- troposcatter communication (1)
- unlicensed spectrum (1)
- volatile memory (1)
- vpx (1)
- zero trust network (1)
- August 2024 (1)
- July 2024 (1)
- May 2024 (1)
- April 2024 (3)
- February 2024 (1)
- November 2023 (1)
- October 2023 (1)
- July 2023 (1)
- June 2023 (3)
- May 2023 (7)
- April 2023 (5)
- March 2023 (7)
- December 2022 (2)
- November 2022 (6)
- October 2022 (7)
- September 2022 (8)
- August 2022 (3)
- July 2022 (4)
- June 2022 (13)
- May 2022 (10)
- April 2022 (4)
- March 2022 (11)
- February 2022 (4)
- January 2022 (4)
- December 2021 (1)
- November 2021 (4)
- September 2021 (2)
- August 2021 (1)
- July 2021 (2)
- June 2021 (3)
- May 2021 (4)
- April 2021 (3)
- March 2021 (3)
- February 2021 (9)
- January 2021 (4)
- December 2020 (5)
- November 2020 (5)
- October 2020 (4)
- September 2020 (4)
- August 2020 (6)
- July 2020 (9)
- June 2020 (11)
- May 2020 (13)
- April 2020 (8)
- February 2020 (1)
- January 2020 (1)
- October 2019 (1)
- August 2019 (2)
- July 2019 (2)
- March 2019 (1)
- January 2019 (2)
- December 2018 (1)
- November 2018 (2)
- October 2018 (5)
- September 2018 (3)
- July 2018 (1)
- April 2018 (2)
- March 2018 (1)
- February 2018 (9)
- January 2018 (27)
- December 2017 (1)
- November 2017 (2)
- October 2017 (3)
No Comments Yet
Let us know what you think