At the Open Compute Project (OCP) U.S. Summit 2018 in San Jose, Microsoft announced today a next generation specification for solid state device (SSD) storage, Project Denali.
The company also discussed Project Cerberus, which provides a critical component for security protection that to date has been missing from server hardware: protection, detection and recovery from attacks on platform firmware.
A new standard for cloud SSD storage
Microsoft is defining a new standard for flash storage specifically targeted for cloud-based workloads: Established with CNEX Labs, Project Denali standardizes the SSD firmware interfaces by disaggregating the functionality for software defined data layout and media management. With Project Denali, Microsoft says customers can achieve greater levels of performance, while leveraging the cost-reduction economics that come at cloud scale.
Project Denali is a standardization and evolution of Open Channel that defines the roles of SSD vs. that of the host in a standard interface. Media management, error correction, mapping of bad blocks and other functionality specific to the flash generation stays on the device while the host receives random writes, transmits streams of sequential writes, maintains the address map, and performs garbage collection. Denali allows for support of FPGAs or microcontrollers on the host side.
The modular architecture proposed will enable agility for new non-volatile media adoption (both NAND and Storage class memory), along with improved workload performance, through closer integration between the application and the SSD device. It also defines a model for using software-defined data placement on SSDs to disaggregate older, monolithic storage models. When management of data placement is separated from the NAND management algorithms, non-volatile storage media is freed up to follow its own schedule for innovation. Project Denali will allow hardware companies to build simpler, less complicated hardware which will lower costs, decrease time to market, allow for workload specific tuning and enable development of new NAND and memory technologies.
After maturing Project Denali with a full array of ecosystem partners, Microsoft intends to contribute the Project Denali standard to the industry.
Microsoft has collaborated with CNEX to build a prototype system. While the interface change opens up opportunities to optimize across many layers of the storage stack, the companies modified only two components: the firmware and the lowest level device driver in Azure's OS. This allowed for a quick evaluation of the ideas, provides infrastructure for legacy applications and sets up the system for future optimizations.
According to Microsoft, the memory, write amplification and CPU overheads that are typically in the drive moved to the host (as expected), and the system's throughput and latency were slightly better than standard SSDs.
Project Cerberus
Microsoft's Project Cerberus has been developed with the intent of creating an open industry standard for platform security.
Project Cerberus is a security co-processor that establishes a root of trust in itself for all of the hardware devices on a computing platform and helps defend platform firmware from:
- Malicious insiders with administrative privilege or access to hardware
- Hackers and malware that exploit bugs in the operating system, application, or hypervisor
- Supply chain attacks (manufacturing, assembly, in-transit)
- Compromised firmware binaries
Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.
The specification is CPU and I/O architecture agnostic and is intended to easily integrate into various vendor designs over time, thus enabling more secure firmware implementations on all platform types across the industry, ranging from datacenter to IoT devices. The specification also supports hierarchical root of trust so that platform security can be extended to all I/O peripherals using the same architectural principles.