下一代AWS云計算架構(gòu)Nitro

1、The Nitro Project Next Generation AWS Infrastructure下一代AWS云計算架構(gòu)NitroAgendaNitro OverviewEvolution of NitroNitro Security Chip Deep DiveAWS OutpostsAfter ten years of Amazon Elastic Compute Cloud (Amazon EC2), if we applied alof our learnings, what would a hypervisor look like?Nitro: Two years laterL

2、aunched in November 2017In development since 2013 All new launches use NitroPurpose-built hardware/softwareHypervisor built for AWSAWS Nitro:e9 59 e1 17 000f 1f 00jmpq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%a

3、l: 0f 1f 40 00nopl0 x0(%rax): d65052e8 00 00 00 0088 00(bad) push push callq mov%rax%rdx ffff82d080200020%al,(%rax)Virtualization:e9 59 e1 17 000f 1f 00jmpq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%al: 0f 1f 40

4、 00nopl0 x0(%rax): d65052e8 00 00 00 0088 00(bad) push push callq mov%rax%rdx ffff82d080200020%al,(%rax)Virtualization:e9 59 e1 17 000f 1f 00jmpq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%al: 0f 1f 40 00nopl0 x0

5、(%rax): d65052e8 00 00 00 0088 00(bad) push push callq mov%rax%rdx ffff82d080200020%al,(%rax)Virtualization:e9 59 e1 17 000f 1f 00jmpq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%al: 0f 1f 40 00nopl0 x0(%rax): d65

6、052e8 00 00 00 0088 00(bad) push push callq mov%rax%rdx ffff82d080200020%al,(%rax)Virtualization:e9 59 e1 17 000f 1f 00jmpq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%al: 0f 1f 40 00nopl0 x0(%rax): d65052e8 00 00

7、 00 0088 00(bad) push push callq mov%rax%rdx ffff82d080200020%al,(%rax)VirtualizationWhathappened?The VMM is the heart of a hypervisor.As long as a statistical majority of instructions execute natively, we call this virtualization.Not all emulation can be handled by the VMM.:e9 59 e1 17 000f 1f 00jm

8、pq noplffff82d08037e15e (%rax)0 x31bad(%rax),%dh%al,(%rax)add add sti: 02 b0 ad 1b 03 0000 00fb 4f 52e4 0frex.WRXB push %r10 in$0 xf,%al: 0f 1f 40 00nopl0 x0(%rax): d65052(bad) push push%rax%rdxe800 00 00 00callqffff82d0802000208800mov%al,(%rax)VirtualizationEMULATEVMMTRAPDeviceModel lDeviceModelWha

9、thappened?A hypervisor consists of:Virtual Machine MonitorMany device models (10 to 100s)Scheduler, memory manager, etc.This was state of the art in 1974Not all of the assumptions held true though.Evolution of the Nitro SystemNitro in three partsNitro CardsNitro Security ChipNitro HypervisorVPC Netw

10、orking Amazon Elastic Block Store(Amazon EBS)Instance Storage System ControllerIntegrated into motherboard Protects hardware resources Hardware Root of TrustLightweight hypervisor Memory and CPU allocation Bare Metal-like performanceNitro CardsNitro Contro lInstance StorageENA PCIe ControllerVPC Dat

11、a PlaneNVMe PCIe ControllerEBS Data PlaneNVMe PCIe ControllerTransparent EncryptionSystem ControlRoot of TrustNitro Card for VPCENA ControllerDrivers available for all major operating systems Independent of fabricVPC Data PlaneEncapsulation Security Groups Limiters RoutingNitro Card for EBSNVMe Cont

12、rollerStandard drivers broadly availableEBS Data PlaneEncryption supportNVM to remote storage protocolNitro Card for Instance StorageNVMe ControllerStandard drivers broadly availableInstance StorageInstance Storage Data PlaneTransparent Encryption LimitersDrive monitoringNitro Card Control erSystem

13、ControlProvides passive API endpoint Coordinates all other Nitro Cards Coordinates with Nitro Hypervisor Coordinates with Nitro Security ChipNitro ControllerHardware Root of TrustProvides measurement and attestationNitro Security Chip Custom microcontroller that traps all I/O to non- volatile storag

14、e Controllable from the Nitro Controller to hold system bootProvides a simple, hardware-based root of trustUEFI Secure BootBoot starts untrusted and must prove that system is trustworthy.Deep complexity with millions of lines of code.Unavoidable complexity due to need to support legacy and general p

15、urpose workloads.Properly Signed?PK/KEKEarly FirmwareFail Boot!YesNoUEFI Secure BootBoot starts untrusted and must prove that system is trustworthy.Deep complexity with millions of lines of code.Unavoidable complexity due to need to support legacy and general purpose workloads.Properly Signed?Proper

16、ly Signed?PK/KEKEarly FirmwareUEFI Boot ManagerFail Boot!YesNoNoYesUEFI Secure BootBoot starts untrusted and must prove that system is trustworthy.Deep complexity with millions of lines of code.Unavoidable complexity due to need to support legacy and general purpose workloads.Properly Signed?Properl

17、y Signed?Properly Signed?PK/KEKEarly FirmwareUEFI Boot ManagerFail Boot!UEFI ApplicationsYesNoNoNoYesYesUEFI Secure BootBoot starts untrusted and must prove that system is trustworthy.Deep complexity with millions of lines of code.Unavoidable complexity due to need to support legacy and general purp

18、ose workloads.Properly Signed?Properly Signed?Properly Signed?PK/KEKEarly FirmwareUEFI Boot ManagerFail Boot!Properly Signed?UEFI ApplicationsUEFI DriversYesNoNoNoNoYesYesYesUEFI Secure BootBoot starts untrusted and must prove that system is trustworthy.Deep complexity with millions of lines of code

19、.Unavoidable complexity due to need to support legacy and general purpose workloads.Properly Signed?Properly Signed?Properly Signed?PK/KEKEarly FirmwareUEFI Boot ManagerFail Boot!Properly Signed?UEFI ApplicationsProperly Signed?UEFI DriversProperly Signed?Operating SystemYesNoNoNoNoNoNoYesYesYesYesNitro Hardware Root of TrustRadical simplification enabled by Nitro Cards.All write access to non-volatile storage is blocked in hardware.Simple to understand security due to lack of