Source: files.meetup.com/6653182/3.onramp_workshops_intel _...

1

Intel®, OpenStack, & Trust in the Open Cloud
Intel Introduction

2

Intel enables OpenStack Cloud Deployments

3

Intel Contributions to OpenStack

OpenStack services on the slide (legend: Compute / Network / Storage / Other):
User Interface (Horizon), Compute (Nova), Network Services (Neutron), Object Store (Swift), Image Store (Glance), Block Storage (Cinder), Telemetry (Ceilometer)

Intel contributions shown against those services:
• Expose Enhancements
• Trusted Compute Pools (extended with Geo Tagging)
• OVF Meta-Data Import
• Intel® DPDK vSwitch
• Enhanced Platform Awareness (EPA)
• Erasure Code
• Filter Scheduler
• Object Storage Policy
• Key Encryption & Management
• VPN-as-a-Service (accelerated with Intel® QuickAssist Technology)
• Intelligent Workload Scheduling
• Metrics

Focus for today: Trusted Compute Pools (TCP) with OpenAttestation, Enhanced Platform Awareness (EPA)

4

OpenStack Release Cadence (6 month cadence)

AUSTIN (Oct 2010): Nova, Swift
BEXAR (Feb 2011): Nova, Swift, Glance
CACTUS (Apr 2011): Nova, Swift, Glance
DIABLO (Sep 2011): Nova, Swift, Glance
ESSEX (Apr 2012): Nova, Swift, Glance, Horizon, Keystone
FOLSOM (Sep 2012): Nova, Swift, Glance, Horizon, Keystone, Quantum, Cinder
GRIZZLY (Apr 2013): Nova, Swift, Glance, Horizon, Keystone, Quantum, Cinder
HAVANA (Oct 2013): Nova, Swift, Glance, Horizon, Keystone, Neutron^, Cinder, Ceilometer, Heat
ICEHOUSE (Apr 2014): Nova, Swift, Glance, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat, TripleO, Ironic, Trove, Savannah, Marconi

^ Component name change (Quantum renamed to Neutron)

Service roles: Compute (Nova), Object Store (Swift), Image Store (Glance), Dashboard (Horizon), Identity (Keystone), Networking (Quantum/Neutron), Block Storage (Cinder), Measurement (Ceilometer), Orchestration (Heat), Deployment/Management (TripleO), Bare Metal (Ironic), Database (Trove), Hadoop (Savannah), Queuing (Marconi)

Slide annotations: First Deployments; Intel Contributions; Planned / Incubation; BARBICAN (Key Management)

Intel continues to strengthen existing modules while contributing to new ones

5

Server Security Technologies
Intel® Virtualization Technology

A Fresh Look at Intel® VT: Hardware Provides Stronger Isolation of VMs

• Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution
• Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O

Traditional server VMM-based uses. Isolation needed for:
• Separation of development and production environments
• Technology demonstrations

New cloud security-related uses:
• Isolation of workloads in multi-tenant cloud
• Memory monitoring for malware detection
• Device isolation for protection against DMA attacks

(Diagram: a VMM hosting VM1 and VM2)

6

Server Security Technologies
Intel® Trusted Execution Technology (Intel® TXT): Hardens and Helps Control the Platform

• Enables isolation and tamper detection in boot process
• Complements runtime protections
• Hardware based trust provides verification useful in compliance
• Trust status and geo-location usable by security and policy applications to control workloads

Trusted Launch: verified platform integrity reduces malware threat
Trusted, Tagged Compute Pools: control VMs based on platform trust and location to better protect data
Compliance: hardware support for compliance reporting enhances auditability of cloud environment

(Diagram: the three use cases above, connected to the Internet)

7

Enhanced Platform Awareness
Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms

• Expose CPU & platform features to OpenStack Nova scheduler
• Use ComputeCapabilities filter to select hosts with required features
  - Intel® Advanced Vector Extensions (Intel AVX) for workloads requiring heavy numerical computation
  - Intel® AES-NI or PCI Express accelerators for security and I/O workloads
  - Up to 10x encryption & 8x decryption performance improvement observed (1)

Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
(1) See http://www.oracle.com/us/corporate/press/173758

Intel CPU features exposed in Oct’13 Havana release, PCI Express support expected soon

(Diagram: a processor with Intel® AES-NI turning unencrypted data into encrypted data in motion; faster encryptions, faster decryptions)

8

Intel – Red Hat OpenStack Collaboration

Common vision: Open Hybrid Cloud

Common goals:
• Enterprise grade OpenStack built on enterprise grade Linux
• Build a unified ecosystem aligned behind the OpenStack community (avoid fragmentation)

Positioned for success: 10+ years of history of delivering enterprise grade features & performance via collaboration in Linux, virtualization and now OpenStack.
• August 2012: Red Hat announces Red Hat OpenStack Preview and collaboration with Intel begins.
• Initial project: Validate Trusted Compute Pool (TCP) use case with RHEL/OSP

*Other names and brands may be claimed as the property of others.

9

Intel and Red Hat: Better Together

• Driving synchronized innovation and comprehensive solutions

• Delivering enterprise-grade features, including security, reliability, scalability, and performance, to Red Hat Enterprise Linux

• Working to optimize kernel-based virtual machine (KVM) and enhance KVM virtualization management in oVirt and Red Hat Enterprise Virtualization.

• Now working together to drive enterprise adoption of OpenStack by delivering secure, trusted, high performance private and hybrid clouds

10

Intel®, OpenStack, & Trust in the Open Cloud
Intel Contributions In Depth

11

Intel® TXT Components

“Intel TXT relies on a set of enhanced hardware, software, and firmware components designed to protect sensitive information from software-based attacks”

• Xeon® processor: Intel® VT-x and Intel® TXT support (VMX+SMX)
• IOH/PCH: Intel® TXT and Intel® VT-d support in IOH; TPM support
• TPM v1.2 by 3rd party (TCG* compliant)
• BIOS: AC modules and platform initialization
• Intel software: BIOS AC module, SINIT AC module
• 3rd party SW: MLE, hosted OS, apps etc.
• Intel® TXT Toolkit

Legend: components are marked as SW/FW or HW, and as from Intel, from OEM, or from ISV

12

Trusted Compute Pools (TCP): Enhance visibility, control and compliance

Today: TCP Solution
• Platform Trust - new attribute for Management
• Intel® TXT initiates Measured Boot as basis for Platform Trust
• Open Attestation (OAT) SDK – Remote Attestation Mechanism
  • https://github.com/OpenAttestation/OpenAttestation
• TCP-aware scheduler controls placement & migration of workloads in trusted pools

Future: TCP with Geo-Tagging
• Use geo-location descriptor stored in TPM on Trusted Servers to control workload placement & migration
• Work in progress – targeting a future release beyond Icehouse

Source: McCann, “What’s holding the cloud back?”, cloud security global IT survey, sponsored by Intel, May 2012

No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here

TCP is enabled in OpenStack since Sep’12 release (Folsom)
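An added illustration, not code from these slides, from Nova or from OpenAttestation: a minimal filter pipeline in the spirit of the EPA ComputeCapabilities filter (slide 7) and the TCP-aware scheduler described above. Host features and the attestation reply are constructed sample data; the reply's field names and the exact matching rules are assumptions, and the defensive point is that a host with no attestation record is never treated as trusted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    cpu_features: frozenset   # features the host advertises to the scheduler (EPA)

# Constructed attestation results, shaped like an attestation-server poll reply
# (field names are an assumption): one record per host the server has attested.
ATTESTATION_REPLY = [
    {"host_name": "node-1", "trust_lvl": "trusted"},
    {"host_name": "node-2", "trust_lvl": "untrusted"},   # measurement mismatch
    {"host_name": "node-3", "trust_lvl": "trusted"},
]                                                        # node-4 never attested

# Constructed host inventory.
HOSTS = [
    Host("node-1", frozenset({"sse4_2", "aes", "avx"})),
    Host("node-2", frozenset({"sse4_2", "aes", "avx"})),
    Host("node-3", frozenset({"sse4_2", "aes"})),        # no AVX
    Host("node-4", frozenset({"sse4_2", "aes", "avx"})),
]

def trust_levels(reply):
    """Index an attestation reply by host name."""
    return {r["host_name"]: r["trust_lvl"] for r in reply}

def capabilities_filter(hosts, extra_specs):
    """ComputeCapabilities-style check: keep hosts exposing every required feature."""
    required = set(extra_specs.get("capabilities:cpu_info:features", ()))
    return [h for h in hosts if required <= h.cpu_features]

def trusted_filter(hosts, extra_specs, levels):
    """TCP-style check: keep hosts whose attested level equals the flavor's
    trust:trusted_host value. A host with no record is 'unknown', so it can
    never satisfy a 'trusted' requirement (fail closed)."""
    want = extra_specs.get("trust:trusted_host")
    if want is None:
        return list(hosts)
    return [h for h in hosts if levels.get(h.name, "unknown") == want]

def schedule(hosts, extra_specs, reply):
    """Run the filters in order and return the names of the eligible hosts."""
    levels = trust_levels(reply)
    candidates = capabilities_filter(hosts, extra_specs)
    candidates = trusted_filter(candidates, extra_specs, levels)
    return [h.name for h in candidates]

if __name__ == "__main__":
    crypto_flavor = {"capabilities:cpu_info:features": {"aes", "avx"},
                     "trust:trusted_host": "trusted"}
    print(schedule(HOSTS, crypto_flavor, ATTESTATION_REPLY))   # ['node-1']
```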

13

Open Attestation Software (OAT)

• OpenAttestation (OAT) SDK
  • Add cloud management tools capable of establishing hosts' integrity information
  • Remotely retrieve and verify hosts' integrity with TPM quotes
• Cloud/virtualization management tools which are currently enabled for OAT
  • OpenStack, oVirt

14

Intel – Red Hat collaboration on TCP

• Red Hat and Intel validation of TCP use case with Red Hat Enterprise Linux OpenStack Platform: Completed March 2013
• Packaging of OAT for Fedora: Completed June 2013
• OAT repo for Red Hat Enterprise Linux OpenStack Platform: Completed October 2013, available here: http://repos.fedorapeople.org/repos/gwei3/oat/epel-6/

OAT = Open Attestation Server

*Other names and brands may be claimed as the property of others.