Intel®, OpenStack, & Trust in the Open Cloud
Transcript of: files.meetup.com/6653182/3.OnRamp_workshops_intel _...
3
Intel Contributions to OpenStack
OpenStack components shown: User Interface (Horizon), Object Store (Swift), Image Store (Glance), Compute (Nova), Block Storage (Cinder), Network Services (Neutron), Telemetry (Ceilometer)
Intel contributions (diagram; legend: Compute, Network, Storage, Other):
• Trusted Compute Pools (extended with Geo Tagging)
• OVF Meta-Data Import
• Intel® DPDK vSwitch
• Enhanced Platform Awareness (EPA)
• Erasure Code
• Filter Scheduler
• Object Storage Policy
• Key Encryption & Management
• VPN-as-a-Service (accelerated with Intel® QuickAssist Technology)
• Intelligent Workload Scheduling
• Expose Enhancements
• Metrics
Focus for today: Trusted Compute Pools (TCP) with OpenAttestation, Enhanced Platform Awareness (EPA)
4
OpenStack Release Cadence
Releases on a 6 month cadence (diagram, reconstructed as the components shown per release):
• Austin (Oct 2010): Nova, Swift
• Bexar (Feb 2011): Nova, Swift, Glance
• Cactus (Apr 2011): Nova, Swift, Glance
• Diablo (Sep 2011): Nova, Swift, Glance
• Essex (Apr 2012): Nova, Swift, Glance, Horizon, Keystone
• Folsom (Sep 2012): Nova, Swift, Glance, Horizon, Keystone, Quantum, Cinder
• Grizzly (Apr 2013): Nova, Swift, Glance, Horizon, Keystone, Quantum, Cinder
• Havana (Oct 2013): Nova, Swift, Glance, Horizon, Keystone, Neutron^, Cinder, Ceilometer, Heat
• Icehouse (Apr 2014): Nova, Swift, Glance, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat, Triple O, Ironic, Trove, Savannah, Marconi
Component roles: Compute (Nova), Object Store (Swift), Image Store (Glance), Dashboard (Horizon), Identity (Keystone), Networking (Quantum/Neutron), Block Storage (Cinder), Measurement (Ceilometer), Orchestration (Heat), Deployment/Management (Triple O), Bare Metal (Ironic), Database (Trove), Hadoop (Savannah), Queuing (Marconi)
Also shown: Barbican (Key Management); Planned / Incubation; First Deployments; Intel Contributions
^ Component name change
Intel continues to strengthen existing modules while contributing to new ones
5
Server Security Technologies
Intel® Virtualization Technology
A Fresh Look at Intel® VT: Hardware Provides Stronger Isolation of VMs
• Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution
• Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O
Traditional server VMM-based uses (isolation needed for):
• Separation of development and production environments
• Technology demonstrations
New cloud security-related uses:
• Isolation of workloads in multi-tenant cloud
• Memory monitoring for malware detection
• Device isolation for protection against DMA attacks
(Diagram: VMM hosting VM1 and VM2)
6
Server Security Technologies
Intel® Trusted Execution Technology (Intel® TXT): Hardens and Helps Control the Platform
• Enables isolation and tamper detection in boot process
• Complements runtime protections
• Hardware based trust provides verification useful in compliance
• Trust status and geo-location usable by security and policy applications to control workloads
(Diagram: three use cases, connected via the Internet)
Trusted Launch: verified platform integrity reduces malware threat
Trusted, Tagged Compute Pools: control VMs based on platform trust and location to better protect data
Compliance: hardware support for compliance reporting enhances auditability of cloud environment
7
Enhanced Platform Awareness: Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms
Expose CPU & platform features to OpenStack Nova scheduler
Use ComputeCapabilities filter to select hosts with required features
- Intel® Advanced Vector Extensions (Intel AVX) for workloads requiring heavy numerical computation
- Intel® AES-NI or PCI Express accelerators for security and I/O workloads
- Up to 10x encryption & 8x decryption performance improvement observed (1)
Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
1 - See http://www.oracle.com/us/corporate/press/173758
Intel CPU features exposed in Oct’13 Havana release, PCI Express support expected soon
(Diagram: data in motion passes through the processor; Intel® AES-NI gives faster encryption of unencrypted data and faster decryption of encrypted data)
8
Intel – Red Hat OpenStack Collaboration
Common vision: Open Hybrid Cloud
Common goals:
• Enterprise grade OpenStack built on enterprise grade Linux
• Build a unified ecosystem aligned behind the OpenStack community (avoid fragmentation)
Positioned for success: 10+ yrs of history of delivering enterprise grade features & performance via collaboration in Linux, Virtualization and now OpenStack.
• August 2012: Red Hat announces Red Hat OpenStack Preview and collaboration with Intel begins.
• Initial project: Validate Trusted Compute Pool (TCP) use case with RHEL/OSP
*Other names and brands may be claimed as the property of others.
9
Intel and Red Hat: Better Together
• Driving synchronized innovation and comprehensive solutions
• Delivering enterprise-grade features, including security, reliability, scalability, and performance, to Red Hat Enterprise Linux
• Working to optimize kernel-based virtual machine (KVM) and enhance KVM virtualization management in oVirt and Red Hat Enterprise Virtualization.
• Now working together to drive enterprise adoption of OpenStack by delivering secure, trusted, high performance private and hybrid clouds
11
Intel® TXT Components
"Intel TXT relies on a set of enhanced hardware, software, and firmware components designed to protect sensitive information from software-based attacks"
(Diagram: component stack; legend: = SW/FW, = HW; sources: From Intel, From OEM, From ISV)
• Xeon® processors: Intel® VT-x and Intel® TXT support (VMX+SMX)
• IOH/PCH: Intel® TXT and Intel® VT-d support in IOH; TPM support
• TPM v1.2 by 3rd party (TCG* compliant)
• BIOS: AC modules and platform initialization
• Intel Software: BIOS AC Module, SINIT AC module, Intel® TXT Toolkit
• 3rd Party SW: MLE, Hosted OS, Apps etc.
12
Trusted Compute Pools (TCP) Enhance visibility, control and compliance
Today: TCP Solution
• Platform Trust - new attribute for Management
• Intel® TXT initiates Measured Boot as basis for Platform Trust
• Open Attestation (OAT) SDK – Remote Attestation Mechanism
• https://github.com/OpenAttestation/OpenAttestation
• TCP-aware scheduler controls placement & migration of workloads in trusted pools
Future: TCP with Geo-Tagging
• Use geo-location descriptor stored in TPM on Trusted Servers to control workload placement & migration
• Work in progress – targeting a future release beyond Icehouse
1 source: McCann "what's holding the cloud back?" cloud security global IT survey, sponsored by Intel, May 2012
No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with
Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched
environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM
v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here
TCP is enabled in OpenStack since Sep’12 release (Folsom)
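How the two topics of this deck meet in the Nova filter scheduler, shown as an added example that is not Nova's code or Intel's: an EPA-style capability filter requires the CPU features a flavor asks for (the slide's ComputeCapabilities filter), a trust filter consumes the attestation verdict an OAT server would supply (Nova's TrustedFilter played this role; the `trust:trusted_host` and `capabilities:cpu_info:features` extra_spec keys follow the Havana-era convention as I recall it and are illustrative), and a geo filter sketches the geo-tagging case the slide calls future work. The host inventory, attestation verdicts and the `geo:location` key are constructed for this example; the point to notice is that a host whose verdict is "unknown" never lands in a trusted pool.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    """A compute node as the scheduler sees it (constructed sample data)."""
    name: str
    cpu_features: frozenset      # advertised by EPA, e.g. {"aes", "avx"}
    trust: str                   # attestation verdict: "trusted", "untrusted" or "unknown"
    geo: str = "unknown"         # geo tag (hypothetical, for the future geo-tagging case)


@dataclass
class Flavor:
    """A flavor whose extra_specs carry the placement requirements."""
    name: str
    extra_specs: dict = field(default_factory=dict)


def capabilities_filter(host, flavor):
    """EPA: every feature listed under capabilities:cpu_info:features must be present."""
    wanted = flavor.extra_specs.get("capabilities:cpu_info:features", "")
    required = {f.strip() for f in wanted.split(",") if f.strip()}
    return required <= host.cpu_features


def trusted_filter(host, flavor):
    """TCP: a host passes only if its attestation verdict equals the requested value.
    "unknown" (attestation server unreachable, result stale) matches nothing,
    so the filter fails closed rather than placing a workload on an unverified host."""
    wanted = flavor.extra_specs.get("trust:trusted_host")
    return wanted is None or host.trust == wanted


def geo_filter(host, flavor):
    """Geo-tagging (future work on the slide): pin the workload to a tagged location."""
    wanted = flavor.extra_specs.get("geo:location")
    return wanted is None or host.geo == wanted


FILTERS = (capabilities_filter, trusted_filter, geo_filter)


def schedule(hosts, flavor, filters=FILTERS):
    """Return the names of hosts that pass every filter, in inventory order."""
    return [h.name for h in hosts if all(f(h, flavor) for f in filters)]


# Constructed inventory: features from EPA, verdicts from attestation, geo tags.
SAMPLE_HOSTS = [
    Host("node-a", frozenset({"aes", "avx"}), "trusted", "us-east"),
    Host("node-b", frozenset({"avx"}), "trusted", "us-east"),
    Host("node-c", frozenset({"aes", "avx"}), "unknown", "eu-west"),
    Host("node-d", frozenset({"aes", "avx"}), "untrusted", "us-east"),
]

# Constructed flavors: a crypto workload that must land on an attested AES-NI host,
# a numeric workload that only needs AVX, and a trusted workload pinned to a region.
CRYPTO_TRUSTED = Flavor("m1.crypto-trusted", {
    "capabilities:cpu_info:features": "aes, avx",
    "trust:trusted_host": "trusted",
})
NUMERIC_ANY = Flavor("m1.numeric", {"capabilities:cpu_info:features": "avx"})
TRUSTED_US_EAST = Flavor("m1.trusted-us-east", {
    "trust:trusted_host": "trusted",
    "geo:location": "us-east",
})

if __name__ == "__main__":
    for flavor in (CRYPTO_TRUSTED, NUMERIC_ANY, TRUSTED_US_EAST):
        print(f"{flavor.name}: {schedule(SAMPLE_HOSTS, flavor)}")
```

The filters are pure functions over a host record, which is what makes the fail-closed behaviour easy to see: node-c has every CPU feature the crypto flavor needs, but without a positive verdict it is excluded from the trusted pool, and it stays excluded until the attestation server reports on it again.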
13
Open Attestation Software (OAT)
• OpenAttestation (OAT) SDK
• Add cloud management tools capable of establishing hosts' integrity information
• Remotely retrieve and verify hosts' integrity with TPM quotes
• Cloud/virtualization management tools which are currently enabled for OAT: OpenStack, oVirt
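What "retrieve and verify hosts' integrity with TPM quotes" amounts to on the appraiser side, as an added example that is not OAT's code: the host's TPM reports PCR values accumulated during the measured launch, the verifier sends a fresh nonce, receives a quote that signs the PCR composite together with that nonce, and compares the PCRs against known-good values. Everything here is constructed: the PCR indices and component names, the whitelist, and the signature, where an HMAC under a shared key stands in for the RSA signature a real TPM 1.2 AIK produces (and the TPM_QUOTE_INFO structure is omitted). The SHA-1 extend rule is the real TPM 1.2 one.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def boot_pcrs(components: dict) -> dict:
    """Simulate a measured launch: each PCR starts at zeros and is extended, in order,
    with the components measured into it (constructed stand-in for a real boot)."""
    pcrs = {}
    for idx, parts in components.items():
        value = bytes(PCR_SIZE)
        for part in parts:
            value = extend(value, part)
        pcrs[idx] = value
    return pcrs


def quote(pcrs: dict, nonce: bytes, aik_key: bytes) -> dict:
    """Host side: sign the PCR composite bound to the verifier's nonce.
    HMAC stands in for the AIK signature (constructed simplification)."""
    composite = b"".join(pcrs[i] for i in sorted(pcrs))
    sig = hmac.new(aik_key, nonce + composite, hashlib.sha256).digest()
    return {"nonce": nonce, "pcrs": dict(pcrs), "sig": sig}


def appraise(q, expected_nonce: bytes, whitelist: dict, aik_key: bytes) -> str:
    """Verifier side. Returns "trusted", "untrusted" or "unknown"; anything that
    cannot be positively verified is reported as not trusted (fail closed)."""
    if q is None:                                   # host unreachable or no quote yet
        return "unknown"
    if not hmac.compare_digest(q["nonce"], expected_nonce):
        return "untrusted"                          # replayed or stale quote
    composite = b"".join(q["pcrs"][i] for i in sorted(q["pcrs"]))
    expected_sig = hmac.new(aik_key, q["nonce"] + composite, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return "untrusted"                          # not signed by the expected AIK
    for idx, good in whitelist.items():
        if q["pcrs"].get(idx) != good:
            return "untrusted"                      # measured boot differs from known-good
    return "trusted"


def demo():
    """Three constructed hosts: a clean boot, a modified MLE, and a replayed quote."""
    aik = b"constructed-aik-key"
    good = {0: [b"BIOS 1.0"], 17: [b"SINIT ACM", b"MLE tboot"], 18: [b"hypervisor kernel"]}
    whitelist = boot_pcrs(good)                     # known-good values the appraiser holds
    nonce = os.urandom(PCR_SIZE)
    clean = appraise(quote(boot_pcrs(good), nonce, aik), nonce, whitelist, aik)
    tampered_components = dict(good)
    tampered_components[17] = [b"SINIT ACM", b"MLE tboot-modified"]
    tampered = appraise(quote(boot_pcrs(tampered_components), nonce, aik), nonce, whitelist, aik)
    replayed = appraise(quote(boot_pcrs(good), nonce, aik), os.urandom(PCR_SIZE), whitelist, aik)
    return clean, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

The three verdicts feed directly into the scheduler's trust attribute: only the first host is eligible for a trusted pool, the second is excluded because its PCR 17 no longer matches the approved MLE, and the third is excluded even though its measurements are fine, because a quote that does not carry the current nonce proves nothing about the host's state now.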
14
Intel – Red Hat collaboration on TCP
• Red Hat and Intel validation of TCP use case with Red Hat Enterprise Linux OpenStack Platform: Completed March 2013
• Packaging of OAT for Fedora: Completed June 2013
• OAT Repo for Red Hat Enterprise Linux OpenStack Platform: Completed October 2013, available here: http://repos.fedorapeople.org/repos/gwei3/oat/epel-6/
OAT = Open Attestation Server
*Other names and brands may be claimed as the property of others.