Intel, OpenStack, & Trust in the Open Cloud: Intel Introduction

Intel enables OpenStack Cloud Deployments
Intel Contributions to OpenStack

- Telemetry (Ceilometer)
- Object Store (Swift): erasure code, metrics, object storage policy
- Image Store (Glance): OVF meta-data import
- User Interface (Horizon)
- Compute (Nova): Enhanced Platform Awareness (EPA), Trusted Compute Pools (extended with geo-tagging), intelligent workload scheduling, expose enhancements
- Block Storage (Cinder): filter scheduler
- Network Services (Neutron): Intel DPDK vSwitch, VPN-as-a-Service (accelerated with Intel QuickAssist Technology)
- Key encryption & management

(The original slide colour-codes each item as compute, network, storage or other.)

Focus for today: Trusted Compute Pools (TCP) with OpenAttestation, and Enhanced Platform Awareness (EPA)
OpenStack Release Cadence

Releases ship on a 6 month cadence:
- Austin, Oct 2010
- Bexar, Feb 2011
- Cactus, Apr 2011
- Diablo, Sep 2011
- Essex, Apr 2012
- Folsom, Sep 2012
- Grizzly, Apr 2013
- Havana, Oct 2013
- Icehouse, Apr 2014 (planned)

Components by function, as shown on the release chart:
- Compute: Nova
- Object Store: Swift
- Image Store: Glance
- Dashboard: Horizon
- Identity: Keystone
- Networking: Quantum, renamed Neutron (component name change)
- Block Storage: Cinder
- Measurement: Ceilometer
- Orchestration: Heat
- Key Management: Barbican (planned / incubation)
- Deployment/Management: TripleO (planned / incubation)
- Bare Metal: Ironic (planned / incubation)
- Database: Trove (planned / incubation)
- Hadoop: Savannah (planned / incubation)
- Queuing: Marconi (planned / incubation)

The chart also marks Intel contributions and first deployments per release. Intel continues to strengthen existing modules while contributing to new ones.
Server Security Technologies: A Fresh Look at Intel VT

Hardware provides stronger isolation of VMs.

Intel Virtualization Technology:
- Intel VT for IA-32 and Intel 64 (Intel VT-x): hardware support for isolated execution
- Intel VT for Directed I/O (Intel VT-d): hardware support for isolated I/O

Traditional server VMM-based uses, where isolation is needed for:
- Separation of development and production environments

New cloud security-related uses (technology demonstrations):
- Isolation of workloads in a multi-tenant cloud
- Memory monitoring for malware detection
- Device isolation for protection against DMA attacks

(Diagram: VM1 and VM2 isolated from each other on a VMM.)
Server Security Technologies: Intel Trusted Execution Technology (Intel TXT)

Hardens and helps control the platform:
- Enables isolation and tamper detection in the boot process
- Complements runtime protections
- Hardware-based trust provides verification useful in compliance

Trusted launch: verified platform integrity reduces the malware threat.

Trusted, tagged compute pools: control VMs based on platform trust and location to better protect data. Trust status and geolocation are usable by security and policy applications to control workloads.

Compliance: hardware support for compliance reporting enhances auditability of the cloud environment.
Enhanced Platform Awareness (EPA)

Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms:
- Expose CPU and platform features to the OpenStack Nova scheduler
- Use the ComputeCapabilities filter to select hosts with the required features

(Diagram: a processor with AES-NI turning unencrypted data into encrypted data in motion, with faster encryption and faster decryption.)

- Intel Advanced Vector Extensions (Intel AVX) for workloads requiring heavy numerical computation
- Intel AES-NI or PCI Express accelerators for security and I/O workloads
- Up to 10x encryption and 8x decryption performance improvement observed (1)

Intel CPU features exposed in the Oct 2013 Havana release; PCI Express support expected soon.

Intel AES-NI = Intel Advanced Encryption Standard New Instructions
(1) See http://www.oracle.com/us/corporate/press/173758
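The slide names the mechanism but not how the match is made. The following added example (written for this page, not Nova's own code) re-implements the core of what the ComputeCapabilities filter does: a flavor carries `capabilities:...` extra specs, the scheduler looks up the same key path in each host's reported capabilities (`cpu_info` as the compute driver reports it), and only hosts whose value satisfies the requirement survive. The host records, the flavor extra specs and the subset of comparison operators implemented here are constructed for the example; a key in another scope, such as `trust:`, is left to other filters.

```python
"""Simplified re-implementation of the host-capability matching that the Nova
ComputeCapabilities filter performs. Illustrative code added for this page, not
Nova's own; host records and flavor extra specs below are constructed."""

# Constructed host capability records. In Nova the scheduler sees these as
# host state populated by the compute driver (cpu_info is what libvirt reports).
HOSTS = {
    "node-1": {"cpu_info": {"vendor": "Intel", "features": ["aes", "avx", "sse4.2"]}},
    "node-2": {"cpu_info": {"vendor": "Intel", "features": ["sse4.2"]}},
    "node-3": {"cpu_info": {"vendor": "Intel", "features": ["aes", "sse4.2"]}},
}


def lookup(caps, path):
    """Walk a nested dict by key path, e.g. ['cpu_info', 'features']; None if absent."""
    node = caps
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(requirement, value):
    """Evaluate one extra-spec requirement against a host value.

    Operators follow the style of Nova's extra_specs_ops (assumption: only the
    subset used here is implemented):
      '<all-in> a b'  every listed token must be present in a list value
      '<in> x'        x must occur in the string form of the value
      's== x'         string equality
      plain value     string equality
    """
    tokens = requirement.split()
    if not tokens:
        return False
    op, args = tokens[0], tokens[1:]
    if op == "<all-in>":
        return isinstance(value, list) and all(a in value for a in args)
    if op == "<in>":
        return " ".join(args) in str(value)
    if op == "s==":
        return str(value) == " ".join(args)
    return str(value) == requirement


def filter_hosts(extra_specs, hosts):
    """Return the hosts satisfying every 'capabilities:...' extra spec of a flavor.

    Keys in other scopes (for example 'trust:trusted_host') belong to other
    scheduler filters and are ignored here, as ComputeCapabilities does.
    """
    selected = []
    for name, caps in hosts.items():
        ok = True
        for key, requirement in extra_specs.items():
            scope = key.split(":")
            if len(scope) > 1 and scope[0] != "capabilities":
                continue
            path = scope[1:] if len(scope) > 1 else scope
            value = lookup(caps, path)
            if value is None or not matches(requirement, value):
                ok = False  # a missing capability fails the host; it is not a wildcard
                break
        if ok:
            selected.append(name)
    return sorted(selected)


if __name__ == "__main__":
    # Flavor requiring AES-NI and AVX: only node-1 qualifies.
    print(filter_hosts({"capabilities:cpu_info:features": "<all-in> aes avx"}, HOSTS))
```

The point a practitioner should take from this: a capability the host does not report is a hard failure, not a pass, so a flavor that asks for `aes` never lands on a host whose driver did not expose that feature, and the scope prefix is what keeps capability matching and trust matching in separate filters.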
Intel Red Hat OpenStack Collaboration

Common vision: Open Hybrid Cloud.

Common goals:
- Enterprise-grade OpenStack built on enterprise-grade Linux
- Build a unified ecosystem aligned behind the OpenStack community (avoid fragmentation)

Positioned for success: 10+ years of delivering enterprise-grade features and performance through collaboration in Linux, virtualization, and now OpenStack.

August 2012: Red Hat announces Red Hat OpenStack Preview and the collaboration with Intel begins. Initial project: validate the Trusted Compute Pool (TCP) use case with RHEL/OSP.

*Other names and brands may be claimed as the property of others.
Intel and Red Hat: Better Together

Driving synchronized innovation and comprehensive solutions:
- Delivering enterprise-grade features, including security, reliability, scalability, and performance, to Red Hat Enterprise Linux
- Working to optimize the kernel-based virtual machine (KVM) and enhance KVM virtualization management in oVirt and Red Hat Enterprise Virtualization
- Now working together to drive enterprise adoption of OpenStack by delivering secure, trusted, high-performance private and hybrid clouds
Intel, OpenStack, & Trust in the Open Cloud: Intel Contributions In Depth
Intel TXT Components

Intel TXT relies on a set of enhanced hardware, software, and firmware components designed to protect sensitive information from software-based attacks.

Hardware:
- Xeon processor (from Intel): Intel VT-x and Intel TXT support (VMX + SMX)
- IOH/PCH (from Intel): Intel TXT and Intel VT-d support in the IOH
- TPM v1.2 (from a third party, TCG* compliant)

Software / firmware:
- BIOS AC module and SINIT AC module (Intel software, from Intel)
- BIOS (from the OEM): AC modules and platform initialization, TPM support
- Intel TXT Toolkit (from Intel)
- Third-party software (from the ISV): MLE, hosted OS, apps, etc.
Trusted Compute Pools (TCP): Enhance visibility, control and compliance

Today: the TCP solution
- Platform trust becomes a new attribute for management
- Intel TXT initiates a measured boot as the basis for platform trust
- The Open Attestation (OAT) SDK provides the remote attestation mechanism: https://github.com/openattestation/openattestation
- A TCP-aware scheduler controls placement and migration of workloads in trusted pools
- TCP has been enabled in OpenStack since the Sep 2012 release (Folsom)

Future: TCP with geo-tagging
- Use a geo-location descriptor stored in the TPM on trusted servers to control workload placement and migration
- Work in progress targeting a future release beyond Icehouse

(1) Source: McCann, "What's holding the cloud back? Cloud security global IT survey", sponsored by Intel, May 2012

No computer system can provide absolute security under all conditions. Intel Trusted Execution Technology (Intel TXT) requires a computer system with Intel Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules, and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS, or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group, and specific software for some uses. For more information, see here.
Open Attestation Software (OAT)

OpenAttestation (OAT) SDK:
- Adds to cloud management tools the capability to establish hosts' integrity information
- Remotely retrieves and verifies hosts' integrity with TPM quotes
- Cloud/virtualization management tools currently enabled for OAT: OpenStack, oVirt
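The two slides above describe the chain (measured boot fills PCRs, the host returns a TPM quote, the attestation server verifies it and grades the host, the scheduler only places workloads on hosts graded trusted) without showing what the verifier actually has to check. The following added example models that chain end to end; it is written for this page and is not OAT's or Nova's own code. Assumptions are marked in the code: a per-host HMAC key stands in for the TPM's Attestation Identity Key (a real TPM 1.2 quote is an RSA signature by the AIK), the PCR whitelist values are made up, and `trust:trusted_host` is assumed as the flavor extra-spec key the trusted-pool filter keys on. The example deliberately covers the failure modes a verifier must reject: a replayed quote, a quote whose PCRs are golden but which does not verify under the host's key, and a quote made over a nonce the server never issued.

```python
"""Toy model of the TCP flow: a host produces a TPM-style quote over its PCRs,
an attestation server in the OpenAttestation role verifies it against a
whitelist, and a trusted-pool scheduler filter keeps only hosts that attested
as trusted. Illustrative code added for this page, not OAT's or Nova's own."""
import hashlib
import hmac
import os

# ASSUMPTION: an HMAC key per host stands in for the TPM's Attestation Identity
# Key. A real TPM 1.2 quote is an RSA signature by the AIK over the PCR
# composite and the nonce; HMAC keeps this example self-contained.
HOST_AIK_SECRET = {
    "node-1": b"aik-secret-node-1",
    "node-2": b"aik-secret-node-2",
}

# Constructed whitelist ("golden" measurements). PCRs 17 and 18 are the ones
# extended by the TXT measured launch (launch policy and the MLE); the values
# here are made up for the example.
GOLDEN_PCRS = {
    17: hashlib.sha1(b"known-good-launch-policy").hexdigest(),
    18: hashlib.sha1(b"known-good-mle").hexdigest(),
}


def pcr_composite(pcrs):
    """Hash the selected PCR values in index order; the quote signs this digest."""
    h = hashlib.sha1()
    for idx in sorted(pcrs):
        h.update(bytes.fromhex(pcrs[idx]))
    return h.digest()


def host_quote(host, pcrs, nonce):
    """Host side: bind the PCR composite and the verifier's nonce under the host key."""
    mac = hmac.new(HOST_AIK_SECRET[host], pcr_composite(pcrs) + nonce, hashlib.sha1)
    return {"host_name": host, "pcrs": dict(pcrs), "nonce": nonce, "quote": mac.digest()}


class AttestationServer:
    """Verifier: issues a fresh nonce per request and grades the returned quote."""

    def __init__(self):
        self._outstanding = {}  # host -> nonce issued and not yet consumed

    def challenge(self, host):
        nonce = os.urandom(20)
        self._outstanding[host] = nonce
        return nonce

    def verify(self, q):
        """Return 'trusted', 'untrusted' or 'unknown', the trust levels a
        scheduler filter would consume."""
        host = q["host_name"]
        nonce = self._outstanding.pop(host, None)
        # No live challenge, or a different one: a replayed or unsolicited
        # quote proves nothing about the host's current state.
        if nonce is None or not hmac.compare_digest(nonce, q["nonce"]):
            return "unknown"
        key = HOST_AIK_SECRET.get(host)
        if key is None:
            return "unknown"
        expected = hmac.new(key, pcr_composite(q["pcrs"]) + nonce, hashlib.sha1).digest()
        # The quote must verify before the PCR values it carries mean anything.
        if not hmac.compare_digest(expected, q["quote"]):
            return "unknown"
        for idx, golden in GOLDEN_PCRS.items():
            if q["pcrs"].get(idx) != golden:
                return "untrusted"  # the boot measured something off the whitelist
        return "trusted"


def trusted_filter(extra_specs, hosts, trust_levels):
    """Keep hosts whose attested trust level equals the flavor's trust:trusted_host
    extra spec (ASSUMPTION: that key name). No requirement -> every host passes."""
    wanted = extra_specs.get("trust:trusted_host")
    if wanted is None:
        return sorted(hosts)
    return sorted(h for h in hosts if trust_levels.get(h, "unknown") == wanted)


if __name__ == "__main__":
    srv = AttestationServer()
    levels = {}
    tampered = {**GOLDEN_PCRS, 18: "ff" * 20}  # node-2 booted a different MLE
    for host, pcrs in (("node-1", GOLDEN_PCRS), ("node-2", tampered)):
        levels[host] = srv.verify(host_quote(host, pcrs, srv.challenge(host)))
    print(levels, trusted_filter({"trust:trusted_host": "trusted"}, list(levels), levels))
```

Two design points carry over to a real deployment. The verifier grades a quote it cannot verify as "unknown", not "untrusted": a host with golden PCRs in the payload but a signature that fails is a forged or replayed report, and the scheduler must treat "unknown" exactly like "untrusted" when the flavor demands "trusted". And the nonce is consumed on first use, which is what makes an attestation a statement about the host now rather than at some earlier boot.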
Intel Red Hat collaboration on TCP

- Validation of the TCP use case with Red Hat Enterprise Linux OpenStack Platform: completed March 2013
- Packaging of OAT for Fedora: completed June 2013
- OAT repo for Red Hat Enterprise Linux OpenStack Platform: completed October 2013, available at http://repos.fedorapeople.org/repos/gwei3/oat/epel-6/

OAT = Open Attestation Server