Three key server hardware technologies are shaping the future of Desktop Virtualization:
1. Hardware-Assisted System Virtualization.
2. Hardware-Assisted System Security.
3. Hardware Servers Physicalization.
The three are covered in this paper.
2. White paper 2
Executive Summary
Hardware-assisted virtualization is happening everywhere: for CPUs, memory, I/O and GPUs. Virtualization allows XenDesktop to scale out, taking best advantage of the existing compute power in system hardware. Microservers are driving innovation further, letting desktop physicalization scale upward by taking advantage of commodity low-cost hardware, yielding better performance per watt, higher density and lower cost. Lastly, hardware-assisted security is changing the face of computing, making IT infrastructure safer at the bottom of the system architecture stack, outside the reach of software. Citrix is actively engaged with hardware ecosystem vendors on the design and enablement of various types of hardware-assisted features, delivering a unique, unprecedented enterprise mobility experience.
This paper provides the reader with technical insight into those three emerging server technology areas. The content targets Citrix customers and field engineers who have a basic understanding of data center infrastructure architecture as well as system virtualization. The paper is not intended for readers looking for a deep technical description of each technology, nor for readers looking for a high-level, non-technical description.
Background
Introduction
For over two decades Desktop Virtualization has revolutionized the IT industry through reduced cost, simplified centralized management, better security, flexibility, visibility, scalability and higher availability. Citrix XenDesktop has been the industry-leading solution for both desktop and application virtualization in the data center and as a service in the cloud. Hardware server technologies have played a key role in enabling desktop virtualization. This paper describes specific current and emerging server hardware technologies that make desktop virtualization faster, simpler, safer, less expensive and highly scalable.
Intel, NVIDIA, AMD and HP
The paper covers many of Intel's server hardware technologies, which is expected given Intel's market leadership as the provider of very large-scale hardware compute servers. NVIDIA recently introduced its technology for server GPU virtualization, which is covered in the paper. AMD and HP have collaborated closely to deliver x86 microservers addressing the growing need for system physicalization, and this line of technology is covered in the paper as well.
Hosted Desktops on x86, ARM microservers and HSA
This paper focuses on Citrix XenDesktop running on top of x86-based hardware servers. XenDesktop manages Windows in the enterprise and as a cloud-based desktop service. ARM-based microservers are growing in popularity, entering the market with a specific focus on web, cloud and big data workloads. Citrix has been active in the ARM microserver space:
1- Collaborating and engaging closely with ARM Corporation on server architecture and specification.
2- Engaging with ARM hardware microserver providers like AppliedMicro, AMD and Marvell.
3- Being an active member of the Linaro Enterprise Group.
4- Porting the Citrix Xen Project Hypervisor to the ARM architecture.
The focus of ARM microserver products has been on Linux-based ARM microservers and not on Windows, as a Windows Server OS has not yet been made available on the ARM architecture. Microsoft has not publicly disclosed any plans to do so in the near future either. For those reasons, the ARM architecture is not covered in this paper.
Evolution of Server Physicalization and Software Defined Servers
In this rapidly growing Internet of Things environment, many things that we do every day, such as checking email accounts, posting to social media sites, browsing web pages, and searching web indexes or portals, are not compute-intensive. They do, however, have high I/O throughput and memory footprint requirements. IT architects working at this scale typically use cluster techniques to run massively parallel workloads that distribute data across many nodes, often in cloud environments. Using typical x86 server CPUs designed for compute-intensive enterprise applications in these environments means underutilizing compute capacity and wasting energy. Distributed workloads in cloud environments often run at low processor utilization levels of 20% or less, yet administrators pay the cost of a premium CPU.
Virtualization has historically addressed the issue of low CPU and GPU utilization by allowing IT architects to consolidate multiple workloads that are somewhat balanced, such as enterprise applications or infrastructure-as-a-service. Physicalization, on the other hand, addresses the need to scale up applications and web serving, where the I/O component is much larger and the amount of processing required per unit of data is much smaller. In these environments, consolidating through virtualization effectively reduces the network, memory and I/O bandwidth per unit of data, which makes the large-I/O problem worse. Physicalization takes the approach of using energy-efficient CPUs that balance performance and cost to match the needs of data-intensive applications.
Figure 1: XenDesktop managing hosted desktops in physical data centers. [Figure: "Scaling up through physical server nodes"; four physical server nodes (CPU, memory, USB, network, storage), each running a Windows kernel and Windows OS with apps, plus a node running XenDesktop on Windows; XenDesktop/XenServer management consoles deliver a managed and secured compute experience across the operating system, user apps, data, per-VM agents, attestation policies, user profile and corporate apps.]
The data center environment is diversifying both in terms of infrastructure and market segments, including storage, communications, cloud, HPC and traditional enterprise. Each area has unique requirements, which provides an opportunity for targeted solutions to best cover those needs. A microserver is comprised of many small one-socket servers sharing a chassis, fans, power supplies and a common interconnect to achieve improved flexibility, higher efficiency and density.
The Intel® Atom® processor C2000 product family is Intel's second-generation 64-bit server System on Chip (SoC), manufactured in a low-power 22nm SoC process. Its focus is on enabling high density with high performance, providing 2-, 4- and 8-core product models at 6-20 watts of power consumption. That extends Intel's existing portfolio of products serving cloud service providers. It is optimized for parallel software that benefits most from more individual servers with sufficient I/O between nodes, including static web servers, simple content delivery nodes, distributed memory caching (memcached), entry dedicated hosting, cold storage, and any of the aforementioned uses that have an additional need for acceleration of cryptographic communications, such as entry-level security appliances and switches.
Up to four Intel® Atom® SoC nodes can be added to a Server System Infrastructure (SSI) module. Multiple SSI modules can be added to a single microserver chassis to expand the number of accessible nodes. This allows for optimization of rack density as compared to other single-unit servers. Figure 1 is a representation of the microserver at a high level.
HP® Moonshot Hyperscale Microservers
HP Moonshot System is a new server design that addresses the speed, scale and
specialization required for the new style of IT that is emerging around the converging trends
of mobility, cloud, social media, and big data. With billions of people connected with each
other and with businesses over the Internet, many of them from mobile devices, there is a
rapidly escalating demand for digital content and experiences. The connection of almost any
device to the Internet has become known as the Internet of Things (IoT). These devices can
gather and process data, provide a service, and seamlessly interact with other devices. The
IoT presents businesses with new ways to drive market differentiation, deepen customer
relationships, and deliver profitability. These specialized IoT solutions require a new style of
computing, one that can achieve optimal performance and efficient scaling.
A key issue that overwhelms IT managers in hyperscale environments is the sheer number of
devices they must manage, power, and cool. With today’s rack-mount x86 platforms, you can
have between 20 and 40 servers in a 42U rack. Scale-out optimized platforms like HP
ProLiant SL can increase the density to 80 servers in each rack. Each server comes with its
own management controller, network controllers, storage controllers, OS instance, device
drivers, and so on. So every time you add a server, you must also procure multiple I/O
devices and manage, secure, power, and cool them. While HP Blade System c-Class
enclosures also provide a shared infrastructure, the HP Moonshot System takes the sharing
to a new level by integrating the processor and chipset onto a single piece of silicon and
sharing other resources across the system.
Figure 2: Intel ATOM C2000 four SoCs Card
Dedicated hosting companies use large numbers of traditionally architected servers, hitting the wall for power, cooling and space. The HP Moonshot System uses an innovative new architecture that results from one simple design tenet: align purpose-built modules with the right workload to provide optimal results for dedicated hosting environments.
HP Moonshot System is a software-defined server platform achieving efficiency and scale by
aligning just the right amount of compute, memory and storage to get the work done,
enabling IT to capitalize on the major growth trend of the IoT.
Traditional servers rely on dedicated components, including management, networking,
storage, and power cords and cooling fans in a single chassis. In contrast, the Moonshot
system shares these chassis components and is capable of supporting 45 servers per 4.3U
chassis. This provides the ability to generate greater revenue from a smaller footprint while
driving down operational costs.
Each software-defined server contains its own dedicated memory, storage, storage controller, and two NICs (1Gb). For monitoring and management, each server contains management logic in the form of a Satellite Controller with a dedicated internal network connection (100 Mb).
HP Moonshot System provides application-specific processing for targeted workloads. Creating a
fabric infrastructure capable of accommodating a wide range of application-specific workloads
requires highly flexible fabric connectivity. This flexibility allows the Moonshot System fabric
architecture to adapt to changing requirements of hyperscale workload interconnectivity.
Moonshot management is achieved via support for the Command-Line (CLI) and Intelligent Platform Management (IPMI) interfaces. These provide the primary gateway for node management, aggregation, inventory, power capping, firmware management and aggregation, along with asset management and deployment.
Citrix® XenDesktop® powering HP® - AMD® Microservers
At HP Discover 2013 in Barcelona, Spain, HP unveiled a new member of the Moonshot platform called the Converged System 100 for Hosted Desktops, designed exclusively with AMD for Citrix XenDesktop. The system is supported for Citrix customers using XenDesktop 7.1 and Provisioning Services 7.1. An independent compute and graphics processing unit (GPU) per user, combined with the high density of the HP Converged System 100 for Hosted Desktops, delivers a full-powered PC desktop experience to all types of enterprise users. Workers now enjoy consistent performance and quality of service no matter what individual workloads they are running, including business graphics and multimedia applications.
Figure 3: HP Moonshot 1500 Chassis rear view
Figure 4: HP Moonshot 1500 Chassis front view
The HP Converged System 100 for Hosted Desktops consists of a 4.3U HP Moonshot 1500 Chassis that holds up to 45 AMD-based cartridges. Each cartridge has four independent servers (PC-on-a-chip), with each server supporting one desktop. The dedicated GPU per user enables PC-quality multimedia capabilities. Combined with HP Moonshot and data center hosting efficiencies, this non-persistent delivery model provides a compelling cost per user. A complete solution including compute, storage and networking, the HP Converged System 100 for Hosted Desktops hosts up to 180 desktops per chassis. With no SAN or virtualization layer to install and manage, IT administrators will experience less complexity. And with pre-determined sizing and fewer workload images, desktop provisioning time is greatly reduced.
The main feature that only XenDesktop 7.1 provides is the capability for the Standard VDA to leverage the native GPU for DirectX-enabled applications, for example, without needing the HDX 3D Pro VDA, which was previously always required for leveraging GPUs.
The HDX 3D Pro VDA is required for higher-end CAD applications, which also require a higher-end GPU than the one inside the M700 cartridge. For those higher-end users, consider the NVIDIA K2 and XenServer GPU pass-through with HP BL380 Gen 8 blades for HDX 3D Pro, which is a separate architecture from Moonshot.
Throughout the development of the Moonshot platform, Citrix, HP and AMD worked very closely to ensure HDX compatibility. During that time Citrix developers were able to enhance the XenDesktop 7.1 VDA WDDM driver to provide optimizations that can now leverage the AMD graphics cards, which are standard on the Moonshot HDI platform. This WDDM driver enhancement now allows for a superior HDX experience that can directly leverage the GPU on each node.
Hardware-Assisted System Virtualization
Core benefits
Virtualization solutions allow multiple operating systems and applications to run in independent partitions on a single computer. Using virtualization capabilities, one physical computer system can function as multiple "virtual" systems. Virtual partitioning needs to be achieved from the hardware level at the very bottom and enabled all the way up through the upper software layers. System hardware is composed of CPUs, memory, GPUs and I/O devices, networks and storage in particular. Every one of those hardware components has to be designed for, or at least capable of, running multiple isolated virtual environments on top of it. Server hardware and software hypervisors have evolved in the past few years to provide virtualization assistance across CPUs, GPUs, memory, network and storage.
For over two decades Citrix has been the industry leader in application virtualization. Our flagship product XenApp has been behind streamlined operations in hospitals, enterprises, schools, factories, airports, governments, etc. As server virtualization became possible, Citrix delivered a full desktop virtualization experience, allowing not only apps but also desktops to be virtualized with isolated access.
Virtualization provides the ability to isolate software components, running them in isolated containers with inbound and outbound access control. With this level of isolation and access control, virtualization allows companies like Citrix to revolutionize the way desktops and apps are delivered and secured, driving us into a new era of safer, full enterprise mobility.
Figure 5: XenDesktop managing hosted desktops in virtual data centers. [Figure: a hypervisor hosting four Windows VMs (Windows kernel plus apps); the XenDesktop management console delivers a managed and secured compute experience (performance, security, virtualization) across the operating system, user apps, data, per-VM agents, user profile and corporate apps, serving both computer users and IT admins.]
Intel's family of Xeon server processors provides support for hardware-based technologies enabling desktop and application virtualization and security. The following sections of the paper cover these technologies specifically: Intel VT, VT-x, VT-d, TXT, OS Guard, VMCS Shadowing (nesting of hypervisors) and AES-NI.
Responsive and secure desktop virtualization requires tight integration between the virtual machine monitor/hypervisor software used to deploy and manage virtual machines and the underlying hardware platform. XenServer is the Citrix open source hypervisor product for server and cloud virtualization. XenServer takes advantage of many technologies provided by server hardware. XenDesktop, which runs on top of many commercial hypervisors, gets the benefit of many of those direct interfaces between XenServer, the hypervisor, and Intel server hardware. Some of those benefits are covered in the coming sections.
Challenges with software based system virtualization
The design of Intel's protected mode architecture provides four protection rings, ring 0 to ring 3, of which ring 0 is the most privileged and is used to run the operating system kernel along with device drivers, while ring 3 is used to run user mode applications. Software modules running in ring 0 have enough privilege to directly access certain processor, memory and I/O control structures, addresses and registers. One approach to software-based virtualization is called ring deprivileging, which involves running the guest OS at a higher (less privileged) ring than ring 0.
Various techniques have generally been used for software-based virtualization: (1) binary translation, inducing a trap-and-emulate model, (2) shadowing of memory and I/O pages and (3) device and chipset emulation. Those techniques increase software complexity, greatly affecting performance and reliability, increase the size of what is needed to establish a Trusted Computing Base (TCB), and suffer from the absence of sufficient protection across boundaries. Another popular technique is para-virtualization, which involves modifying and porting the operating system to run within the target virtual machine environment. The obvious price of para-virtualization is not being able to run operating system code unmodified in virtual environments.
Intel® Virtualization Technology (Intel® VT)
Intel® Hardware-based Virtualization Technology (Intel® VT) improves the fundamental flexibility and robustness of traditional software-based virtualization solutions by accelerating key functions of the virtualized platform. This efficiency benefits IT as it speeds up the transfer of platform control between the guest operating systems (OSs) and the virtual machine manager (VMM)/hypervisor, and it enables the VMM to uniquely assign CPUs and memory pages to guest OSs. Intel VT performs various virtualization tasks in hardware, like memory address translation, which reduces the overhead and footprint of virtualization software and improves its performance.
Intel® Virtualization Technology for Directed I/O (VT-D)
Intel VT-d is the other part of the Intel Virtualization Technology hardware architecture. VT-d addresses the loss of native performance or native capability of a virtualized I/O device by providing hardware isolation and translation mechanisms that enable the VMM to directly assign the device to a VM. In this model, the VMM restricts itself to a controlling function for enabling direct assignment of devices to its partitions. Rather than invoking the VMM for all (or most) I/O requests from a partition, the VMM is invoked only when guest software accesses protected resources (such as I/O configuration accesses, interrupt management, etc.) that impact system functionality and isolation.
Intel VT-d enables protection by restricting direct memory access (DMA) by devices to pre-assigned domains or physical memory regions. This is achieved by a hardware capability known as DMA remapping. The VT-d DMA-remapping hardware logic in the chipset sits between the DMA-capable peripheral I/O devices and the computer's physical memory. In a virtualized environment the system software is the VMM; in a native environment where there is no virtualization software, the system software is the native OS. DMA remapping translates the address of the incoming DMA request to the correct physical memory address and performs checks for permission to access that physical address, based on the information provided by the system software.
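Before relying on direct device assignment, an administrator will want to confirm that DMA remapping actually came up on the hypervisor host, because a device assigned to a VM while the IOMMU is inactive can reach all of physical memory. The shell script below is an added example, not code from this paper or from Intel or Citrix: it classifies kernel boot messages by the two lines the Linux intel-iommu driver prints when VT-d initialises ("DMAR: IOMMU enabled" and "DMAR: Intel(R) Virtualization Technology for Directed I/O", assumed here to be the success markers for the kernel version in use) and counts the IOMMU groups that devices were placed in. The lines in SAMPLE_DMESG are constructed so the script runs offline; on a real host pipe in the output of dmesg.

```shell
#!/bin/sh
# Added example (not from the Citrix paper): check whether VT-d DMA remapping
# is active on a Linux host by classifying kernel boot messages, and count the
# IOMMU groups that devices were assigned to. Runs offline on constructed input.

# Constructed sample of kernel log lines. The "DMAR:" lines mirror what the
# Linux intel-iommu driver prints; timestamps and PCI addresses are made up.
SAMPLE_DMESG='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda2 intel_iommu=on
[    0.352104] DMAR: IOMMU enabled
[    1.204411] DMAR: Intel(R) Virtualization Technology for Directed I/O
[    1.305882] pci 0000:00:02.0: Adding to iommu group 1
[    1.305901] pci 0000:00:1f.2: Adding to iommu group 9
[    1.305920] pci 0000:00:1f.3: Adding to iommu group 9'

# dmar_status <log text>: prints "enabled" when either success marker is
# present, otherwise "not-enabled" (device DMA is then not restricted).
dmar_status() {
    if printf '%s\n' "$1" | grep -q -e 'DMAR: IOMMU enabled' \
            -e 'DMAR: Intel(R) Virtualization Technology for Directed I/O'; then
        echo enabled
    else
        echo not-enabled
    fi
}

# count_iommu_groups <log text>: number of distinct IOMMU groups devices joined.
# Devices that share a group cannot be isolated from each other when assigned,
# so a small number of large groups is worth a second look.
count_iommu_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Adding to iommu group \([0-9][0-9]*\).*/\1/p' \
        | sort -u | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
echo "sample host: DMA remapping $(dmar_status "$SAMPLE_DMESG"), $(count_iommu_groups "$SAMPLE_DMESG") iommu group(s)"

# On a live Linux host, /sys/kernel/iommu_groups is populated only when an
# IOMMU is active; report it when present, otherwise skip silently.
if [ -d /sys/kernel/iommu_groups ]; then
    echo "live host: $(ls /sys/kernel/iommu_groups | wc -l | tr -d ' ') iommu group(s) in sysfs"
fi
```

The sysfs check is the one to trust on a live host: the boot messages can scroll out of the kernel ring buffer, while the iommu_groups directory reflects the current state.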
GPU Virtualization: The art of sharing GPUs across virtual machines
As Intel made great advancements in hardware CPU and I/O virtualization, parallel progress was made on GPU hardware virtualization. NVIDIA® GRID™ vGPU™ brings the full benefit of NVIDIA hardware-accelerated graphics to virtualized solutions. This provides exceptional graphics performance for virtual desktops by sharing a single GPU among multiple users. GRID vGPU provides hardware acceleration across multiple virtual desktops while delivering a high-performance graphics experience, with economic benefits over a dedicated GPU per user.
Figure 6: NVIDIA vGPU GRID
Operating systems still use NVIDIA's native graphics drivers, allowing seamless support without impacting application features or compatibility. Furthermore, the graphics commands of each virtual machine are passed directly to the GPU, without requiring additional translation by the hypervisor. This transparent support allows the GPU hardware to be virtually divided, delivering shared virtualized graphics performance.
As said earlier, Citrix HDX 3D Pro uses the native NVIDIA GPU driver installed directly in the
guest OS. With NVIDIA GRID cards, this ensures full application-level compatibility. As a
result of that, any application certified to work with NVIDIA cards would be fully supported
on NVIDIA vGPU GRID.
Citrix HDX 3D Pro supports OpenGL 4.3 and DirectX 11 applications on both desktop and
server platforms. Application vendors are actively working with NVIDIA and Citrix to certify
their applications for compliance. It is worth noting here that such kind of compliance does
not happen transparently with software-based GPU virtualization.
To provide the reader with further explanation of how this works, as shown in the diagram
above, each virtual machine directly accesses a part of the physical card, called the “vGPU”.
The vGPU assignment provides direct frame buffer access to video memory residing on the
GPU. This direct access minimizes lag time and provides a highly responsive user experience,
even when rendering large and complex 3D models.
XenDesktop and XenServer take advantage of such advanced server-side GPU rendering to give knowledge workers, power users and designers the ability to perform at their best without interruption. NVIDIA GRID™-accelerated XenDesktop is an ideal solution for 3D graphics-intensive applications like remote workstations, as users get the full experience of a local PC while running on a virtual desktop residing in the data center.
XenDesktop existing software GPU pass-through and hardware sharing technologies have
delivered great value for graphically intensive applications such as Adobe Photoshop,
Dassault SolidWorks, Ansys Workbench and Autodesk Applications. Combining the benefits
of that with the vGPU technology will deliver unprecedented value at much lower cost.
Figure 7: XenDesktop supporting NVIDIA vGPU GRID
A wide range of graphics, video and CAD intensive applications including medical and
industrial imagery products are now fully interactive with NVIDIA GRID. By leveraging GRID
technology with full 3D and compute API support through the latest NVIDIA Quadro®
drivers, users will be able to take advantage of thousands of applications that run OpenGL
4.3, Microsoft DirectX9, 10, 11, or NVIDIA CUDA® 5.0.
It is worth noting that Citrix is actively working with NVIDIA along with major server
vendors such as HP, Dell, Cisco and IBM to ensure software integration is done and available
for use with XenDesktop sessions on XenServer hypervisors.
Intel® Hardware-Assisted Security Technologies
Challenges with traditional software-based security
Traditional computer hardware architecture did not distinguish between running legitimate and illegitimate software modules. As a result, any piece of software code could boot on the system hardware and take full control before the firmware booted the operating system installed on the system. This boot-time control has been behind many key Advanced Persistent Threats (APTs) of the past few years, stealing corporations' most valuable digital assets and challenging the stability and viability of the world's economy.
Cryptographic algorithms have been a key element of ensuring the confidentiality of data exchanged across the Internet and stored on persistent storage. But cryptographic algorithms are computationally expensive, so their usage has been limited to situations in which their overhead on system response time is acceptable.
The coming sections describe some key security technologies that address the need to protect the boot elements of the hardware, to establish a Trusted Compute Base (TCB) and to accelerate adoption of cryptographic algorithms.
Intel Platform Protection Technologies
To address malware infections taking place underneath the operating system, malware
protection has to start from the BIOS. Intel BIOS Guard Technology (IBGT) ensures that
updates made to system BIOS flash are secure. Any update made to system BIOS is
cryptographically verified by a guard module using a protected agent running in protected
system memory. Another related technology is Intel’s Platform Trust Technology (IPTT),
which provides platform functionality for credential storage and key management used by
Windows 8. Both technologies bring great value to XenDesktop hosted desktops as they
ensure that the physical hardware is protected and secure from boot-record malware
infections preventing an entry point used by Advanced Persistent Threats (APTs).
Intel OS Guard (IOSG) is another key security feature preventing instruction execution from
user mode memory pages while the CPU is in supervisor mode. IOSG helps to prevent
common attacks that seek to use privilege escalation to gain control of a platform or execute
malware. IOSG can be enabled via a Windows 8 boot loader option. With XenDesktop
centralized management and policy enforcement, IT admins can force the OS Guard feature
policy to be always turned on for Windows 8.
Intel Trusted eXecution Technology (TXT)
Intel TXT® is a feature available in the Intel® Xeon® processor. It establishes a root of trust through measurements taken when the hardware and pre-launch software components are in a known good state. Intel TXT brings the security advantages of the microkernel model to the actual platform, with enhancements. For a cloud environment, Intel® TXT is able to perform a Measured Launch (ML) of the BIOS and hypervisor and attest the integrity of each VM individually.
Figure 8: TXT benefits to virtualized data centers and clouds
Utilizing the result, administrators using XenDesktop along with a VMM like XenServer can set policies for sensitive data and workload placement onto groups of servers known as trusted compute pools. Those trusted compute pools with Intel® TXT support IT compliance by protecting virtualized XenDesktop data centers against attacks on the hypervisor, BIOS, firmware and other pre-launch software components. With Intel TXT, IT can run XenDesktop virtual desktops on a trusted server, protecting enterprise workloads and data without compromising security and enhancing IT compliance.
Figure 9: XenDesktop and XenServer support for TXT-based measurement and attestation. [Figure: "Scaling out with server consolidation and high density"; the XenServer hypervisor with its XenServer parent domain hosts four Windows VMs (Windows kernel plus apps); XenDesktop/XenServer management consoles deliver a managed and secured compute experience (performance, security, virtualization) across the operating system, user apps, data, per-VM agents, attestation policies, user profile and corporate apps; TXT measurement, the hardware root of trust and attestation sit at the base.]
Intel® AES-NI and Secure Key Technology
Intel® AES-NI is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family. AES-NI is a set of new instructions added to the Intel architecture that implement some compute-intensive sub-steps of the AES algorithm in hardware, accelerating execution of AES applications. AES-NI minimizes the application performance concerns inherent in traditional cryptographic processing and provides enhanced security by addressing side-channel attacks on AES associated with traditional software methods of table look-ups.
Intel® Secure Key is a new instruction added to the Intel® 64 and IA-32 Architectures called
RDRAND with an underlying Digital Random Number Generator (DRNG) hardware
implementation. The DRNG using the RDRAND instruction is useful for generating high-
quality keys for cryptographic protocols.
Encryption is a basic tool for ensuring the confidentiality of data at rest and in transit over the wire, protecting against man-in-the-middle attacks. With AES-NI offloading of encryption, cryptography can become a common tool used whenever data confidentiality is needed, without having to worry about processing speed and slowing overall system operations.
XenDesktop manages virtual machines as they run on top of server hypervisors like XenServer and Hyper-V. Various types of security compliance and regulations require the content of VMs with sensitive private data to be encrypted; AES-NI makes this possible. Today XenDesktop gets the value of AES-NI via the lower-level hypervisor, as those hypervisors rely on AES-NI for acceleration and key security. The Windows OS and some of its applications can also take advantage of AES-NI. XenDesktop IT admins can get the value of Windows' in-guest usage of AES-NI directly by providing the right configuration to the Windows VM or by deploying an in-guest VM agent.
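The Intel OS Guard, TXT, AES-NI and Secure Key features described in the sections above each surface as a CPU feature flag in Linux's /proc/cpuinfo, which lets an administrator confirm that a hypervisor host, or a guest whose virtual CPU is supposed to expose them, actually has them. The script below is an added example, not code from this paper or from Intel or Citrix. It uses the flag names the Linux kernel reports: vmx (VT-x), smx (Safer Mode Extensions, the GETSEC instruction set that TXT is built on), smep (supervisor-mode execution prevention, which is what Intel OS Guard provides), aes (AES-NI) and rdrand (the Secure Key DRNG). The cpuinfo excerpt is constructed; reading the live /proc/cpuinfo is an optional step that is skipped where the file does not exist.

```shell
#!/bin/sh
# Added example (not from the Citrix paper): audit the /proc/cpuinfo feature
# flags for the hardware security features discussed in the paper.
#   vmx    Intel VT-x                  smep   supervisor-mode execution prevention (Intel OS Guard)
#   smx    Safer Mode Extensions (GETSEC, the basis of Intel TXT)
#   aes    AES-NI                      rdrand RDRAND (Intel Secure Key DRNG)

# Constructed sample of one processor entry, standing in for /proc/cpuinfo.
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
model name      : Intel(R) Xeon(R) CPU (constructed sample)
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc vmx smx est tm2 ssse3 fma cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx f16c rdrand lahf_lm smep'

# has_flag <cpuinfo text> <flag>: succeeds if the flag appears in the first
# "flags" line. Matching whole tokens avoids "aes" matching inside "vaes".
has_flag() {
    printf '%s\n' "$1" | grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx "$2"
}

# audit_flags <cpuinfo text>: prints one "flag=yes|no" line per feature and
# returns non-zero if any expected feature is missing. In a guest, a missing
# flag usually means the hypervisor masked it from the virtual CPU.
audit_flags() {
    missing=0
    for f in vmx smx smep aes rdrand; do
        if has_flag "$1" "$f"; then
            echo "$f=yes"
        else
            echo "$f=no"
            missing=1
        fi
    done
    return $missing
}

# Demonstration on the constructed sample, then on the live host when readable.
audit_flags "$SAMPLE_CPUINFO"
if [ -r /proc/cpuinfo ]; then
    audit_flags "$(cat /proc/cpuinfo)" \
        || echo "live host: one or more features absent or masked by the hypervisor"
fi
```

Note that a flag being present only shows the CPU supports the feature; whether the OS uses it (SMEP enabled in CR4, a measured launch actually performed by the tboot or hypervisor loader) has to be checked separately at the software layer that consumes it.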
Intel® VMCS Shadowing Technology
Citrix realized long ago that newer usage models are emerging that would require two or
more Virtual Machine Monitors (VMMs) to be hosted on the same client system. Citrix has
been heavily engaged with Intel® to take advantage of new hardware capabilities designed
to accelerate nesting of hypervisors (VMMs). Intel® VMCS Shadowing greatly reduces the
frequency with which the guest VMM must access the root VMM in a nested
environment. With Intel VMCS Shadowing, the root VMM is able to define a shadow VMCS in
hardware. A guest VMM can access this shadow VMCS directly, without interrupting the root
VMM. Since the shadow VMCS is implemented in hardware, required accesses can be
completed nearly as fast as in a non-nested environment.
As explained above, XenDesktop relies on hypervisors' interfaces for providing an abstracted, hardware-independent view of the data center and cloud hardware. XenDesktop uses the hypervisor interfaces available from XenServer, VMware Virtual Center and Microsoft System Center Virtual Machine Manager to achieve that purpose. Such capabilities will allow XenDesktop to deploy custom-driven in-guest VMs that yield better security, availability and robustness of desktops.
A good example is McAfee's Deep Defender, which provides advanced protection using a form of system virtualization furnished by a lightweight hypervisor, or Virtual Machine Monitor (VMM), known as DeepSAFE. Unlike server hypervisors like XenServer, DeepSAFE does not provide full system and I/O virtualization. Instead, it uses hardware-assisted virtualization to monitor and control memory and processor operations, which provides the foundational layer for Deep Defender security functions. Together, XenDesktop and Deep Defender provide a breadth and depth of security that neither can provide alone.
Figure 10: Intel VMCS Shadow Tables
VMCS shadowing is a revolutionary technology, as it opens the door widely to custom VM-level, virtualization-derived features. As more companies deliver guest-VM based micro-visors, XenDesktop IT administrators will be able to deploy separate custom-built guest-VM hypervisors (micro-visors) on a per-VM basis. For instance, XenDesktop IT admins can deploy a micro-visor that improves system security and recoverability in one VM while deploying another micro-visor that improves system availability, fault tolerance and measurability in another VM, with both VMs running within the same XenDesktop virtual infrastructure. Those key benefits would be most fully realized in XenDesktop-managed appliance-type VMs that run a single mission-critical application, such as a web or database server.
Closing Notes
Citrix® XenDesktop® Hosted Desktops allow IT to realize important benefits that traditional PC environments can't match:
• Improved security and compliance by centralizing desktops, data, and applications
• Enhanced worker productivity anywhere, anytime, on any device, with secure mobility
• Streamlined desktop support, managing all desktops with no interruptions
• Improved business agility, scaling and adapting to changes quickly
This paper has shown the reader how those benefits can be enabled and realized in two fundamentally different architectural scenarios:
1. A virtualized environment powered by hardware-assisted virtualization of CPU, memory, GPU and I/O.
2. A physicalized environment powered by the integration of a large number of PCs and servers on a single chip, as in the case of Microservers.
From an IT admin perspective, whether the infrastructure is virtualized or physicalized, XenDesktop works the same way, and users get the benefits of Hosted Desktops whether they're deployed in the data center or in the cloud.
[Figure 10 diagram labels: XenServer Hypervisor, XenServer Parent Domain, Windows VM, Windows Kernel, DeepSAFE Micro-Hypervisor, Shadow VMCS, DeepDefender Engine, DeepDefender Early Launch Driver, XenDesktop/XenServer Management Consoles (Performance, Security, Virtualization), McAfee ePO Server, Per-VM Agents, Attestation Policies, Malware Active Protection, TXT Measurement, Hardware Root of Trust Attestation.]
Figure 11: Citrix XenDesktop support for system virtualization and physicalization through a unified management console. [Diagram panels: Scaling out with server consolidation and high density; Scaling up with Server Physicalization (Windows OS and apps on physical server nodes with CPU, memory, USB, network and storage); Scaling out with Server Virtualization (Windows VMs on the XenServer Hypervisor and Parent Domain); XenDesktop centrally managed and secured Hosted Desktops with operating system, user apps, data, per-VM agents, policies, user profile and corporate apps.]
About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering
people to work and collaborate from anywhere, securely accessing apps and data on any of
the latest devices, as easily as they would in their own office. Citrix solutions help IT and
service providers build clouds, leveraging virtualization and networking technologies to
deliver high-performance, elastic and cost-effective cloud services. With market-leading
solutions for mobility, desktop virtualization, cloud networking, cloud platforms,
collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and
agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at
more than 260,000 organizations and by over 100 million users globally. Annual revenue in
2012 was $2.59 billion.
About the author
Ahmed Sallam is a Citrix cross-functional VP and CTO leading technology and solutions strategy in the new emerging era of smart devices, IoT, IoE, system virtualization, server physicalization and security. His focus is on new emerging end-to-end solutions ranging from devices to networks to clouds across Citrix lines of products. Ahmed also drives Intellectual Property growth opportunities and monetization strategy for Citrix. He works closely with software and hardware ecosystem partners integrating into Citrix open platforms. He served as CTO and VP of Product Strategy for Client Virtualization. Prior to Citrix, Ahmed was CTO of Advanced Technology and Chief Architect at McAfee, now part of Intel Corp., where he drove McAfee into developing global threat intelligence along with predictive, preventive anti-malware security solutions. Ahmed is the co-inventor and architect of Intel/McAfee's DeepSAFE technology and co-designer of VMware's VMM CPU security technology known as VMsafe. Prior to McAfee, Ahmed was a Senior Architect with Nokia's security division and a Principal Engineer at Symantec. Ahmed is a renowned expert across the industry, well known for pioneering new models in computer system virtualization-based security and management that deliver a flexible, well-managed and secure computing experience with high safety assurances. Ahmed holds 40 issued patents and has more than 40 published and pending patent applications. He earned a bachelor's degree in Computer Science and Automatic Control from the University of Alexandria.