AMD vs Intel - security primer
Up front: you want a "security AMD vs Intel shootout"? You'll be disappointed, because Intel's and AMD's SEs ("security engines") address completely different use cases. But since there are currently discussions (or cajoling) about Intel's newest security nightmare of the month, you might want to read on anyway ...
So, what do the two "security engines" address?
- Intel addresses typical desktop/end-user worries. To put it in an easily understandable picture, Intel's SE addresses problems like securing online banking access or your password manager.
- AMD (Epyc) addresses servers and in particular VMs.
So evidently one can't really compare the two.
But security is far more complicated than a superficial comparison of SEs. Some relevant points are:
- If one processor manufacturer has basically run a monopoly for decades, there are of course major differences in attitude, stringency and quality of engineering.
- If there is very high demand from the market, a manufacturer will likely shift its perspective from tech ("let's build really good products!") to "let's somehow fill the massive needs of the market!", possibly hand in hand with a shift towards marketing and sales defining the company rather than engineering. Intel seems to be a painfully clear example of that.
- Against what do you want to protect?
- Against whom do you want to protect? Hackers, for example, are quite different from state agencies.
- What is the political and legal context? Example: in a country where (a) some agencies can demand pretty much everything and force you to be silent about it, and (b) a sufficiently high level of mistrust (including from foreign markets) exists, a chip company will have to take that into account.
- Do the customers really demand (real) security, or do they just believe they are secure enough?
And finally, of particular importance for us: in what environment are the systems used? In our context we can differentiate between 3 main types:
- private - e.g. consumer desktops, smartphones
- (quasi) public but controlled - e.g. company servers (in-house), agency desktops
- public, not controlled - pretty much all kinds of hosting
Intel's SGX addresses mostly the first one and to a small degree the second one. AMD clearly addresses the third one - which is the context we care about here.
Side note: AMD's SE is also much faster - but both SEs bring high performance losses in most workloads.
TL;DR: If you are concerned - either as provider or as customer - about server and in particular VM security, AMD is it. If you are concerned about the password manager on your personal device, Intel is it - theoretically, because practically Intel's security is very fragile. Btw. Intel's SGX is ring 3 accessible while AMD's SE is ring 0 (read: very considerably more secure and well thought out).
TL;DR 2: Be warned! Intel is a giant and has controlled the market for decades, while AMD is almost a "new player again" - hence Intel's products have of course been scrutinized and attacked by far more than AMD's. Keep in mind that "there are no/very few known attack vectors" != "there are no/very few attack vectors"! It seems though that AMD has understood and taken care of the security problems far better than Intel.