TL;DR
Europe is investing over €2 billion in sovereign cloud infrastructure to reduce US legal exposure. However, most data centers still rely on Intel and AMD processors with embedded management engines that pose security risks. This oversight could undermine Europe’s digital sovereignty efforts.
European countries are spending more than €2 billion to build sovereign cloud infrastructure that reduces their dependence on US-controlled technology. Yet most of the data centres involved run standard Intel or AMD processors, each carrying a management engine that executes outside the operating system's control and that the operator can neither inspect nor replace. That dependency is a security risk the sovereignty frameworks have so far left unaddressed.
Europe's sovereign cloud projects, funded through the EU's IPCEI-CIS programme and certified under frameworks such as France's SecNumCloud, must meet strict technical standards that promise immunity from non-EU extraterritorial law. Those standards stop at the silicon. The processors underneath run vendor-signed management firmware, Intel's Management Engine (ME) and AMD's Platform Security Processor (PSP), which the cloud operator cannot audit or substitute. The ME is a separate microcontroller in the chipset with its own firmware, its own memory (internal SRAM plus a reserved region of host DRAM) and DMA access to host memory; on AMT-capable platforms it also carries its own network stack behind the shared NIC. The PSP is an ARM core on the CPU die that runs before the x86 cores, acts as the root of trust for boot and holds the SEV memory-encryption keys. Both execute outside the host operating system's privilege model, so nothing the OS or hypervisor does can monitor or constrain them.
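The one thing the host can ask the Intel ME is what state it reports for itself. The ME writes that into the Host Firmware Status registers (HFSTS1..6), which the Linux mei driver exposes at /sys/class/mei/mei0/fw_status. The script below is an added example, not code from the article or from Intel or coreboot; it assumes the HFSTS1 bit layout documented in coreboot's me.h (struct me_hfs) applies unchanged to the platform inspected and that sysfs prints one hexadecimal word per line, HFSTS1 first. The sample register values are constructed, not captured from real hardware. It decodes the working state, the operation mode (mode 3, "soft temporary disable", is what a HAP/Alt Disable configuration leaves behind) and the manufacturing-mode and bad-partition-table flags, then turns them into findings. There is no equivalent host-visible status word for the AMD PSP, so this covers Intel only.

```python
"""Decode Intel ME/CSE HFSTS1 and flag states an operator should care about.

Added example. Assumptions: HFSTS1 bit layout as in coreboot me.h
(struct me_hfs); /sys/class/mei/mei0/fw_status holds one hex word per
line with HFSTS1 first. Sample register values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# HFSTS1 layout (coreboot me.h, struct me_hfs):
#   bits 0-3  working_state   bit 4  mfg_mode    bit 5 fpt_bad
#   bits 6-8  operation_state bit 9  fw_init_complete
#   bits 12-15 error_code     bits 16-19 operation_mode
WORKING_STATE = {
    0: "reset", 1: "initializing", 2: "recovery", 5: "normal",
    6: "wait", 7: "transition", 8: "invalid",
}
OPERATION_MODE = {
    0: "normal", 2: "debug", 3: "soft temporary disable",
    4: "security override via jumper", 5: "security override via MEI message",
}
FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")


@dataclass(frozen=True)
class MeStatus:
    raw: int
    working_state: str
    manufacturing_mode: bool
    fpt_bad: bool
    fw_init_complete: bool
    error_code: int
    operation_mode: str


def decode_hfsts1(value: int) -> MeStatus:
    """Split one 32-bit HFSTS1 word into its documented fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("HFSTS1 must be a 32-bit value")
    ws = value & 0xF
    om = (value >> 16) & 0xF
    return MeStatus(
        raw=value,
        working_state=WORKING_STATE.get(ws, f"unknown({ws})"),
        manufacturing_mode=bool((value >> 4) & 1),
        fpt_bad=bool((value >> 5) & 1),
        fw_init_complete=bool((value >> 9) & 1),
        error_code=(value >> 12) & 0xF,
        operation_mode=OPERATION_MODE.get(om, f"unknown({om})"),
    )


def parse_fw_status(text: str) -> list[int]:
    """Parse the sysfs fw_status file: one hex word per line, HFSTS1..HFSTS6."""
    words = [int(line.strip(), 16) for line in text.splitlines() if line.strip()]
    if not words:
        raise ValueError("fw_status contained no registers")
    return words


def assess(status: MeStatus) -> list[str]:
    """Findings for the question 'is the ME running, and is it locked down?'."""
    findings = []
    if status.manufacturing_mode:
        findings.append("manufacturing mode open: ME config not locked, flash may be writable from the host")
    if status.fpt_bad:
        findings.append("flash partition table reported bad: ME image damaged or tampered")
    if status.error_code:
        findings.append(f"ME reports error code {status.error_code}")
    if status.operation_mode == "normal" and status.working_state == "normal":
        findings.append("ME fully operational: AMT/SOL/KVM may be reachable, verify on the network side")
    elif status.operation_mode == "soft temporary disable":
        findings.append("ME halted after early boot (HAP/Alt Disable): runtime engine not active")
    return findings


def read_live_status() -> Optional[MeStatus]:
    """Decode HFSTS1 from sysfs, or None when not on an Intel box with the mei driver."""
    try:
        return decode_hfsts1(parse_fw_status(FW_STATUS_PATH.read_text())[0])
    except (OSError, ValueError):
        return None


# Constructed samples (not real captures): state 5, init complete, and
# operation mode 0 (normal) vs 3 (HAP); the third sets the mfg-mode bit.
SAMPLE_FW_STATUS = {
    "normal": "90000245\n00000000\n00000000\n00000000\n00000000\n00000000\n",
    "hap":    "90030245\n00000000\n00000000\n00000000\n00000000\n00000000\n",
    "mfg":    "90000255\n00000000\n00000000\n00000000\n00000000\n00000000\n",
}

if __name__ == "__main__":
    rows = [("live", s) for s in [read_live_status()] if s is not None]
    rows += [(n, decode_hfsts1(parse_fw_status(t)[0])) for n, t in SAMPLE_FW_STATUS.items()]
    for name, st in rows:
        print(f"[{name}] HFSTS1=0x{st.raw:08x} state={st.working_state} mode={st.operation_mode}")
        for finding in assess(st):
            print("   -", finding)
```

The caveat a practitioner should keep in mind is that HFSTS1 is self-reported by the very component being distrusted; a subverted ME can write whatever it likes there. Treat it as a configuration check, not an integrity check, and corroborate it from outside the host: scan the management interface for the AMT and IPMI ports (16992-16995, 623, 664) from a separate network position, and compare the ME region of a flash dump taken with an external programmer against the vendor image.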
Security researchers, including John Goodacre and Aurélien Francillon, have described how such management engines could serve as covert backdoors, or as channels for data exfiltration and remote control that bypass host security entirely. On the legal side, the US Reforming Intelligence and Securing America Act (RISAA) of 2024 extends the class of service providers subject to secret government orders to hardware manufacturers, which makes vendor assurances about the firmware harder to rely on. Recent demonstrations, such as the Fabricked attack against AMD's SEV-SNP technology, show that attacks on these trusted components are practical rather than merely theoretical.
Why It Matters
This situation raises critical concerns about the security of Europe’s sovereign cloud infrastructure. Despite legal and technical frameworks to certify sovereignty, reliance on US-made processors with embedded management engines could allow covert surveillance, backdoors, or data breaches, potentially undermining Europe’s digital independence and security.
Background
European efforts to develop sovereign cloud infrastructure have gained momentum over recent years, with substantial investment and strict certification processes. The underlying hardware, and in particular the management engines in Intel and AMD processors, has remained largely unexamined in these sovereignty frameworks. Past incidents, including malware that abused Intel AMT's Serial-over-LAN channel to hide command-and-control traffic from the host operating system, and demonstrated attacks on AMD's SEV-SNP, show that the risk from these components is persistent. This technical gap sits between Europe and its goal of fully autonomous, secure digital infrastructure.
“It’s a computer inside your computer. The Management Engine has its own memory, clock, and network stack, operating below the host OS and outside its control.”
— John Goodacre, Professor of Computer Architectures
“Yes, it can probably be used as a backdoor, like many other firmwares, including BMCs. The real question is whether operational controls can make it unreachable in practice.”
— Aurélien Francillon, security researcher at EURECOM
What Remains Unclear
It remains unclear how widely, and how effectively, these risks are being mitigated across Europe's sovereign cloud deployments. The extent to which supply-chain or firmware tampering could enable exploitation in operational environments is still under investigation. The effect of future legislation on hardware security practices is also uncertain.
What’s Next
European policymakers and security agencies are expected to increase scrutiny of hardware supply chains and incorporate hardware security assessments into sovereignty frameworks. Further research and demonstration of exploits could influence hardware procurement policies. Meanwhile, efforts to develop or certify processors without management engines may accelerate.
Key Questions
Why are management engines in processors a security concern?
Management engines run on separate processors outside the operating system's privilege model, with their own memory, direct access to host memory and, on AMT-capable Intel platforms, their own network stack. Their firmware is vendor-signed, so the operator cannot inspect or replace it. That combination makes them difficult to monitor and a potential foothold for covert activity or backdoors.
Are European cloud providers using processors without management engines?
Currently, most rely on standard Intel and AMD processors with embedded management engines. Developing or sourcing processors without these components is an ongoing challenge and not yet widespread.
What are the risks of relying on US-made hardware for European sovereignty?
The embedded management engines could be exploited for covert surveillance, remote control, or data exfiltration, potentially undermining Europe’s efforts to maintain independent and secure digital infrastructure.
Will legislation or certification frameworks address hardware-level vulnerabilities?
While current frameworks focus on legal and operational compliance, addressing hardware vulnerabilities at the silicon level remains a technical challenge. Future policies may need to include hardware security assessments explicitly.