Today I’m speaking at the Open Compute Project (OCP) U.S. Summit 2018 in San Jose where we are announcing a next generation specification for solid state device (SSD) storage, Project Denali. We’re also discussing Project Cerberus, which provides a critical component for security protection that to date has been missing from server hardware: protection, detection and recovery from attacks on platform firmware. Both storage and security are the next frontiers for hardware innovation, and today we’re highlighting the latest advancements across these key focus areas to further the industry in enabling the future of the cloud.
A new standard for cloud SSD storage
Storage paradigms have performed well on-premises, but they haven’t resulted in innovation for increasing performance and cost efficiencies needed for cloud-based models. For this reason, we’re setting out to define a new standard for flash storage specifically targeted for cloud-based workloads and I’m excited to reveal Project Denali, which we’re establishing with CNEX Labs. Fundamentally, Project Denali standardizes the SSD firmware interfaces by disaggregating the functionality for software defined data layout and media management. With Project Denali, customers can achieve greater levels of performance, while leveraging the cost-reduction economics that come at cloud scale.
Project Denali is a standardization and evolution of Open Channel that defines the roles of SSD vs. that of the host in a standard interface. Media management, error correction, mapping of bad blocks and other functionality specific to the flash generation stays on the device while the host receives random writes, transmits streams of sequential writes, maintains the address map, and performs garbage collection. Denali allows for support of FPGAs or microcontrollers on the host side.
This provides an architectural framework that is truly cloud first. The modular architecture proposed will enable agility for new non-volatile media adoption (both NAND and Storage class memory), along with improved workload performance, through closer integration between the application and the SSD device. It also defines a model for using software-defined data placement on SSDs to disaggregate older, monolithic storage models. When management of data placement is separated from the NAND management algorithms, non-volatile storage media is freed up to follow its own schedule for innovation. Project Denali will allow hardware companies to build simpler, less complicated hardware which will lower costs, decrease time to market, allow for workload specific tuning and enable rapid development of new NAND and memory technologies.
After maturing Project Denali with a full array of ecosystem partners, we intend to contribute the Project Denali standard to the industry to help foster even broader adoption.
Enabling hardware security
Microsoft Azure represents the cutting edge of cloud security and privacy. Microsoft spends one billion dollars per year on cybersecurity, and much of that investment goes to fundamental improvements that make Azure a trusted cloud platform. With such an intense focus on security, we recognize the need for an industry standard for hardware security. Microsoft’s Project Cerberus has been developed with the intent of creating an open industry standard for platform security.
Project Cerberus is a security co-processor that establishes a root of trust in itself for all of the hardware devices on a computing platform and helps defend platform firmware from:
- Malicious insiders with administrative privilege or access to hardware
- Hackers and malware that exploit bugs in the operating system, application, or hypervisor
- Supply chain attacks (manufacturing, assembly, in-transit)
- Compromised firmware binaries
Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.
The specification is CPU and I/O architecture agnostic and is intended to easily integrate into various vendor designs over time, thus enabling more secure firmware implementations on all platform types across the industry, ranging from datacenter to IoT devices. The specification also supports hierarchical root of trust so that platform security can be extended to all I/O peripherals using the same architectural principles.
Since the introduction of Project Cerberus in late 2017, the ecosystem supporting the standard has continued to grow and we’re on the verge of contributing the hardware implementation to the community for greater collaboration and adoption.
Since 2015, we’ve been sharing the server and datacenter designs that power Microsoft Azure with the OCP community, working to empower the industry to take advantage of innovations that improve datacenter performance, efficiency, and power consumption.