Just over a year ago at Zettastructure, the European digital infrastructure conference hosted by Datacenter Dynamics, we introduced Microsoft’s Project Olympus – our next generation hyperscale cloud hardware design and a new model for open source hardware development with the Open Compute Project (OCP) community. We envisioned a leading-edge server design with the flexibility to accommodate a broad variety of workloads for the cloud of today and tomorrow, and one that could easily scale to datacenters across the globe. To accomplish this, we contributed a design that was only half-complete to enable rapid community-driven innovation.
Today, I’m back at Zettastructure to share the tremendous progress achieved through downloading, modifying, and forking the hardware design just like open source software, and by bootstrapping a diverse and broad ecosystem to make Project Olympus the de facto open source cloud hardware design for the next generation of scale computing. The design is now 100% complete and open sourced via OCP contributions. It is proven in scale production via deployments in Microsoft Azure, and solution providers are ready to bring the benefits of this design to the broader OCP ecosystem.
We’re also entering the next phase of Project Olympus with the introduction of Project Cerberus – a new open sourced industry standard for platform security which will be collaboratively developed with the OCP community in a manner similar to the hardware design.
Deployed in Azure
Project Olympus hardware is now deployed in volume production with the Fv2 virtual machine (VM) family. The Fv2 family are the fastest VMs in Azure and offer the fastest Intel® Xeon® Scalable processors in the public cloud. The family addresses the growing demand for massive large-scale computation from customers doing financial modeling, scientific analysis, genomics, geothermal visualization, and deep learning.
The Fv2 VM family is among the first Project Olympus designs productized in Azure. More deployments and silicon innovation will follow to support the exploding growth of cloud services and computing power needed for emerging cloud workloads such as big data analytics, machine learning, and Artificial Intelligence (AI).
Open Sourced and Commercially Available
All Project Olympus design specifications have been open sourced and contributed to OCP (documentation covering 19 specifications, 8 designs, chassis, and management). The OCP community can now utilize these specifications to create derivative designs for meeting varied datacenter needs and to drive innovation on top of this base platform architecture.
We are also pleased to announce that Project Olympus hardware is now commercially available for procurement via OCP Solution Providers including Wiwynn and ZT Systems, with more to follow. This is an important milestone in bringing the benefits of open source hardware to the broader industry, enabling IT and datacenter operators to leverage community-developed innovation and scale-proven hardware designs for their specific usage models. Solution providers also benefit through the ability to reach a broader market for open source hardware.
Continuing to Evolve… Platform Security
Today, we’re also introducing Project Cerberus, which provides a critical component for security protection that to date has been missing from server hardware – protection, detection and recovery from attacks on platform firmware. Project Cerberus envisions that data can be processed in the cloud with the confidence that it’s running on hardware with uncompromised firmware.
With Project Olympus established as a base hardware platform upon which we can build, we’re turning our attention to cybersecurity to continue to expand value to both Microsoft and the OCP community. Microsoft spends one billion dollars per year on cybersecurity, and much of that goes to making Azure the most trusted cloud platform. From strict physical datacenter security, working to ensure data privacy, encrypting data at rest and in transit, novel uses of machine learning for threat detection, and the use of stringent operational software development integrity controls, Azure represents the cutting edge of cloud security and privacy.
Project Cerberus is a NIST 800-193 compliant hardware root of trust specifically designed to provide robust security for all platform firmware. It provides a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Option ROMs) as well as on peripheral I/O devices by enforcing strict access control and integrity verification from pre-boot and continuing to runtime.
Specifically, Project Cerberus can help defend platform firmware from the following threats:
- Malicious insiders with administrative privilege or access to hardware
- Hackers and malware that exploit bugs in the operating system, application, or hypervisor
- Supply chain attacks (manufacturing, assembly, in-transit)
- Compromised firmware binaries
Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system. The specification is CPU and I/O architecture agnostic and is intended to easily integrate into various vendor designs over time, thus enabling more secure firmware implementations on all platform types across the industry, ranging from datacenter to IoT devices. The specification also supports hierarchical root of trust so that platform security can be extended to all I/O peripherals using the same architectural principles.
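The intercept, measure and recover behaviour described above can be modelled in a few lines. This is an added example, not code from Project Cerberus or from this post: the `FlashFilter` class, the manifest layout and the region names are hypothetical, and the flash image is constructed sample data.

```python
import hashlib
# Standard SPI NOR opcodes: read, page program, 4 KiB sector erase.
READ, PAGE_PROGRAM, SECTOR_ERASE = 0x03, 0x02, 0x20

class FlashFilter:
    """Toy root-of-trust chip between host and SPI flash. The manifest layout
    (name -> offset, length, sha256, writable) is hypothetical."""
    def __init__(self, flash, golden, manifest):
        self.flash, self.golden, self.manifest = flash, golden, manifest
        self.log = []  # measurements an attestation step would report

    def verify_and_recover(self):
        """Pre-boot: measure each read-only region, restore any mismatch."""
        recovered = []
        for name, (off, length, digest, writable) in self.manifest.items():
            if writable:
                continue
            measured = hashlib.sha256(self.flash[off:off + length]).hexdigest()
            self.log.append((name, measured))
            if measured != digest:
                self.flash[off:off + length] = self.golden[off:off + length]
                recovered.append(name)
        return recovered

    def host_command(self, opcode, addr, data=b""):
        """Runtime: pass reads through, allow writes only in writable regions."""
        if opcode == READ:
            return bytes(self.flash[addr:addr + 16])
        if opcode not in (PAGE_PROGRAM, SECTOR_ERASE):
            return b"DENIED"  # unknown opcodes never reach the flash
        fill = data if opcode == PAGE_PROGRAM else b"\xff" * 4096
        for off, length, _, writable in self.manifest.values():
            if writable and off <= addr and addr + len(fill) <= off + length:
                self.flash[addr:addr + len(fill)] = fill
                return b"OK"
        return b"DENIED"  # write outside every writable region is dropped

# Constructed sample image: 8 KiB read-only "bios" + 4 KiB writable "nvram".
golden = b"B" * 8192 + b"\xff" * 4096
manifest = {"bios": (0, 8192, hashlib.sha256(golden[:8192]).hexdigest(), False),
            "nvram": (8192, 4096, "", True)}

def demo():
    flash = bytearray(golden)
    flash[100:104] = b"EVIL"  # simulated tampering before power-on
    rot = FlashFilter(flash, golden, manifest)
    recovered = rot.verify_and_recover()
    denied = rot.host_command(PAGE_PROGRAM, 0x40, b"patch")
    allowed = rot.host_command(PAGE_PROGRAM, 8192, b"setting")
    return recovered, denied, allowed, bytes(flash[:8192]) == golden[:8192]
```

A real device would also verify a signature over the manifest before trusting its digests; that step is left out of this model.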
We are collaborating with Intel to explore optimal implementation models for platform firmware security. In the spirit of community empowerment, we plan on open sourcing the draft Project Cerberus specifications (still under development) to OCP. In addition, we are also working with NIST and Intel to provide feedback on the 800-193 draft specification.
Just as with the Project Olympus open source model, we anticipate that contributing Project Cerberus specifications will enable robust participation from the OCP ecosystem for community development amongst industry participants, and this open collaboration will lead to a more secure model for platform security which will benefit the industry. The initial draft being contributed today covers motherboard firmware (UEFI BIOS, BMC, Option ROMs) and the vision is to work with the OCP community to extend the specifications over time to cover all peripheral I/O components such as HDD, SSD, NIC, FPGA, GPU, etc.
We’re encouraging the industry to collaborate on Project Cerberus to drive a new level of security for future hardware platforms, and invite you to learn more about Project Olympus through our previous blog detailing the ecosystem, and through the Open Compute Project contribution.