White	paper	 1	
XenDesktop	and	The	Evolution	of	
Hardware-Assisted	Server	Technologies	
By	Ahmed	Sallam,	VP	and	CTO,	Hardware,	Security,	Emerging	Solutions	and	IP	
January	2014	
Table of Contents
Executive Summary
Background
    Introduction
    Intel, NVIDIA, AMD and HP
    Hosted Desktops on x86, ARM microservers and HSA
Evolution of Server Physicalization and Software Defined Servers
    HP® Moonshot Hyperscale Microservers
    Citrix® XenDesktop® powering HP® - AMD® Microservers
Hardware-Assisted System Virtualization
    Core benefits
    Challenges with software based system virtualization
    Intel® Virtualization Technology (Intel® VT)
    Intel® Virtualization Technology for Directed I/O (VT-D)
GPU Virtualization: The art of sharing GPUs across virtual machines
Intel® Hardware-Assisted Security Technologies
    Challenges with traditional software-based security
    Intel Platform Protection Technologies
    Intel Trusted eXecution Technology (TXT)
    Intel® AES-NI and Secure Key Technology
    Intel® VMCS Shadowing Technology
Closing Notes
References
About Citrix
About the author
Executive	Summary	
Three	key	server	hardware	technologies	are	shaping	the	future	of	Desktop	Virtualization:	
1. Hardware-Assisted	System	Virtualization.	
2. Hardware-Assisted	System	Security		
3. Hardware	Servers	Physicalization.		
Hardware-assisted virtualization is now available for CPUs, memory, I/O and GPUs.
Virtualization allows XenDesktop to scale out, taking best advantage of the existing compute
power in system hardware. Microservers are driving innovation further, letting desktop
physicalization scale up on inexpensive commodity hardware that yields better performance
per watt, higher density and lower cost. Lastly, hardware-assisted security is changing the
face of computing, making IT infrastructure safer at the bottom of the system architecture
stack, outside the reach of software. Citrix is actively engaged with hardware ecosystem
vendors on the design and enablement of various types of hardware-assisted features that
deliver a unique, unprecedented enterprise mobility experience.
	
This paper provides technical insight into those three emerging server technology areas.
It targets Citrix customers and field engineers who have a basic understanding of data
center infrastructure architecture and of system virtualization. It is not intended for
readers looking for a deep technical description of each technology, nor for readers
looking for a high-level, non-technical description.
Background	
Introduction	
For over two decades Desktop Virtualization has revolutionized the IT industry through
reduced cost, simplified centralized management, better security, flexibility, visibility,
scalability and higher availability. Citrix XenDesktop has been the industry-leading
solution for both desktop and application virtualization in the data center and as a
service in the cloud. Hardware server technologies have played a key role in enabling
desktop virtualization. This paper covers specific current and emerging server hardware
technologies that make desktop virtualization faster, simpler, safer, less expensive and
highly scalable.
Intel,	NVIDIA,	AMD	and	HP	
The	 paper	 covers	 many	 of	 Intel’s	 server	 hardware	 technologies,	 which	 is	 expected	 given	
Intel’s	 market	 leadership	 as	 the	 provider	 of	 very	 large-scale	 hardware	 compute	 servers.	
NVIDIA	has	recently	come	up	with	their	technology	for	server	GPU	virtualization	that	will	be	
covered	 in	 the	 paper.	 AMD	 and	 HP	 have	 collaborated	 closely	 to	 deliver	 x86	 Microservers	
addressing	the	growing	need	for	system	physicalization	and	this	line	of	technology	will	be	
covered	in	the	paper	as	well.	
Hosted	Desktops	on	x86,	ARM	microservers	and	HSA	
This	 paper	 focuses	 on	 Citrix	 XenDesktop	 running	 on	 top	 of	 x86-based	 hardware	 servers.	
XenDesktop	manages	Windows	in	the	enterprise	and	as	a	cloud-based	desktop	service.	ARM-
based	 Microservers	 are	 growing	 in	 popularity	 entering	 the	 market	 with	 specific	 focus	 on	
web,	cloud	and	big	data	workloads.	Citrix	has	been	active	in	the	ARM	microserver	space:
1- Collaborating	and	engaging	closely	with	ARM	Corporation	on	server	architecture	and	
specification.	
2- Engaging	 with	 ARM	 hardware	 microserver	 providers	 like	 AppliedMicro,	 AMD	 and	
Marvell.	
3- Being	an	active	member	of	Linaro	Enterprise	Group.		
4- Porting	the	Citrix	Xen	Project	Hypervisor	to	the	ARM	architecture.		
	
The focus of ARM microserver products has been on Linux-based ARM microservers and not
on Windows, as the Windows server OS has not yet been made available on the ARM
architecture. Microsoft has also not publicly disclosed any plans for doing so in the
near future. For those reasons, the ARM architecture is not covered in this paper.
Evolution	of	Server	Physicalization	and	Software	Defined	Servers	
In this rapidly growing Internet of Things environment, many things that we do every day,
such as checking email accounts, posting onto social media sites, browsing web pages, and
searching web indexes or portals, are not compute-intensive. They do, however, have high
I/O throughput and memory footprint requirements. IT architects working at this scale
typically use cluster techniques to run massively parallel workloads that distribute data
across many nodes, often in cloud environments. Using typical server x86 CPUs designed for
compute-intensive enterprise applications in these environments means underutilizing
compute capacity and wasting energy. Distributed workloads in cloud environments often
run at low processor utilization levels of 20% or less, yet administrators pay for the
cost of a premium CPU.
	
Virtualization has historically addressed the issue of low CPU and GPU utilization by
allowing IT architects to consolidate multiple workloads that are somewhat balanced, such
as enterprise applications or infrastructure-as-a-service. Physicalization, on the other
hand, addresses the need to scale up applications and web serving, where the I/O component
is much larger and the amount of processing required per unit of data is much smaller. In
these environments, consolidating through virtualization effectively reduces the network,
memory, and I/O bandwidth per unit of data, which makes the large I/O problem worse.
Physicalization takes the approach of using energy-efficient CPUs that balance performance
and cost to match the needs of data-intensive applications.
[Diagram: Scaling up through physical server nodes. Several physical server nodes (CPU, memory, USB, network, storage), each running a Windows kernel, a Windows OS and apps, are managed from the XenDesktop/XenServer management consoles to deliver a managed and secured compute experience: operating system, user apps, data, per-VM agents, attestation policies, user profile and corporate apps.]
Figure	1:	XenDesktop	managing	hosted	desktops	in	physical	data	centers.
The data center environment is diversifying both in terms of the infrastructure and the
market segments, including storage, communications, cloud, HPC, and traditional
enterprise. Each area has unique requirements, which provides an opportunity for targeted
solutions to best cover these needs. The microserver is comprised of many small one-socket
servers sharing a chassis, fans, power supplies and a common interconnect to achieve
improved flexibility, higher efficiency and density.
	
The Intel® Atom® processor C2000 product family is Intel's second-generation 64-bit server
System on Chip (SoC), manufactured in a low-power 22nm SoC process. Its focus is on
enabling high density with high performance, providing 2, 4, and 8 core product models at
6-20 Watts of power consumption. That extends Intel's existing portfolio of products that
serve cloud service providers. The family is optimized for parallel software that benefits
most from more individual servers with sufficient I/O between nodes, including static web
servers, simple content delivery nodes, distributed memory caching (memcached), entry
dedicated hosting, cold storage, and any of the aforementioned uses that have an
additional need for acceleration of cryptographic communications, such as entry-level
security appliances and switches.
	
Up	to	four	Intel®	Atom®	SoC	nodes	can	be	added	on	to	a	Server	System	Infrastructure	(SSI)	
module.	Multiple	SSI	modules	can	be	added	to	a	single	microserver	chassis	to	expand	the	
number	 of	 accessible	 nodes.	 This	 allows	 for	 optimization	 of	 rack	 density	 as	 compared	 to	
other	single	unit	servers.	Figure	1	is	a	representation	of	the	microserver	at	a	high	level.	
HP®	Moonshot	Hyperscale	Microservers	
HP	 Moonshot	 System	 is	 a	 new	 server	 design	 that	 addresses	 the	 speed,	 scale	 and	
specialization	required	for	the	new	style	of	IT	that	is	emerging	around	the	converging	trends	
of	mobility,	cloud,	social	media,	and	big	data.	With	billions	of	people	connected	with	each	
other	and	with	businesses	over	the	Internet,	many	of	them	from	mobile	devices,	there	is	a	
rapidly	escalating	demand	for	digital	content	and	experiences.	The	connection	of	almost	any	
device	to	the	Internet	has	become	known	as	the	Internet	of	Things	(IoT).	These	devices	can	
gather	and	process	data,	provide	a	service,	and	seamlessly	interact	with	other	devices.	The	
IoT	 presents	 businesses	 with	 new	 ways	 to	 drive	 market	 differentiation,	 deepen	 customer	
relationships,	and	deliver	profitability.	These	specialized	IoT	solutions	require	a	new	style	of	
computing,	one	that	can	achieve	optimal	performance	and	efficient	scaling.	
	
A	key	issue	that	overwhelms	IT	managers	in	hyperscale	environments	is	the	sheer	number	of	
devices	they	must	manage,	power,	and	cool.	With	today’s	rack-mount	x86	platforms,	you	can	
have	 between	 20	 and	 40	 servers	 in	 a	 42U	 rack.	 Scale-out	 optimized	 platforms	 like	 HP	
ProLiant	SL	can	increase	the	density	to	80	servers	in	each	rack.	Each	server	comes	with	its	
own	 management	 controller,	 network	 controllers,	 storage	 controllers,	 OS	 instance,	 device	
drivers,	 and	 so	 on.	 So	 every	 time	 you	 add	 a	 server,	 you	 must	 also	 procure	 multiple	 I/O	
devices	 and	 manage,	 secure,	 power,	 and	 cool	 them.	 While	 HP	 Blade	 System	 c-Class	
enclosures	also	provide	a	shared	infrastructure,	the	HP	Moonshot	System	takes	the	sharing	
to	 a	 new	 level	 by	 integrating	 the	 processor	 and	 chipset	 onto	 a	 single	 piece	 of	 silicon	 and	
sharing	other	resources	across	the	system.	
Figure	2:	Intel	ATOM	C2000	four	SoCs	Card
Dedicated hosting companies use large numbers of traditionally architected servers and
are hitting the wall for power, cooling and space. The HP Moonshot System uses an
innovative new architecture that results from one simple design tenet: to align
purpose-built modules with the right workload to provide optimal results for dedicated
hosting environments.
	
HP	Moonshot	System	is	a	software-defined	server	platform	achieving	efficiency	and	scale	by	
aligning	 just	 the	 right	 amount	 of	 compute,	 memory	 and	 storage	 to	 get	 the	 work	 done,	
enabling	IT	to	capitalize	on	the	major	growth	trend	of	the	IoT.		
	
Traditional	 servers	 rely	 on	 dedicated	 components,	 including	 management,	 networking,	
storage,	 and	 power	 cords	 and	 cooling	 fans	 in	 a	 single	 chassis.	 In	 contrast,	 the	 Moonshot	
system	shares	these	chassis	components	and	is	capable	of	supporting	45	servers	per	4.3U	
chassis.	This	provides	the	ability	to	generate	greater	revenue	from	a	smaller	footprint	while	
driving	down	operational	costs.		
	
	
Each software-defined server contains its own dedicated memory, storage, storage
controller, and two NICs (1Gb). For monitoring and management, each server contains
management logic in the form of a Satellite Controller with a dedicated internal network
connection (100 Mb).
	
HP Moonshot System provides application-specific processing for targeted workloads. Creating a
fabric infrastructure capable of accommodating a wide range of application-specific workloads
requires highly flexible fabric connectivity. This flexibility allows the Moonshot System fabric
architecture to adapt to changing requirements of hyperscale workload interconnectivity.
Moonshot management is achieved via support of the Command-Line (CLI) and Intelligent
Platform Management (IPMI) Interfaces. These provide the primary gateway for node
management, aggregation, inventory, power capping, firmware management and
aggregation along with asset management and deployment.
Citrix®	XenDesktop®	powering	HP®	-	AMD®	Microservers	
At	 HP	 Discover	 2013	 in	 Barcelona,	 Spain,	 HP	 unveiled	 a	 new	 member	 of	 the	 Moonshot	
platform	called	the	Converged	System	100	for	Hosted	Desktops	designed	exclusively	with	
AMD	for	Citrix	XenDesktop.	The	system	is	supported	for	Citrix	customers	using	XenDesktop	
7.1	and	Provisioning	Services	7.1.	Independent	compute	and	graphics	processing	unit	(GPU)	
per	user	when	combined	with	the	high-density	of	the	HP	Converged	System	100	for	Hosted	
Desktops	 delivers	 a	 full-powered	 PC	 desktop	 experience	 to	 all	 types	 of	 enterprise	 users.	
Workers	now	enjoy	consistent	performance	and	quality	of	service,	no	matter	what	individual	
workloads	they	are	running	and	including	business	graphics	and	multimedia	applications.		
Figure	3:	HP	Moonshot	1500	Chassis	rear	view	
Figure	4:	HP	Moonshot	1500	Chassis	front	view
	
The	HP	Converged	System	100	for	Hosted	Desktops	consists	of	a	4.3U	HP	Moonshot	1500	
Chassis	 that	 holds	 up	 to	 45	 AMD-based	 cartridges.	 Each	 cartridge	 has	 four	 independent	
servers	(PC-on-a-chip),	with	each	server	supporting	one	desktop.	The	dedicated	GPU	per-
user	 enables	 PC-quality	 multimedia	 capabilities.	 Combined	 with	 HP	 Moonshot	 and	 data	
center	hosting	efficiencies,	this	non-persistent	delivery	model	provides	a	compelling	cost	per	
user.	A complete solution including compute, storage, and networking, the HP Converged System
100 for Hosted Desktops hosts up to 180 desktops per chassis. With no SAN or virtualization layer
to install and manage, IT administrators will experience less complexity. And with pre-determined
sizing and fewer workload images, desktop provisioning time is greatly reduced.
The main feature that only XenDesktop 7.1 provides is the capability for the Standard VDA
to leverage the native GPU, for example for DirectX-enabled applications, without the
need for the HDX 3D Pro VDA, which was previously always required for leveraging GPUs.
	
The	 HDX	 3D	 Pro	 VDA	 is	 required	 for	 higher	 end	 CAD	 applications,	 which	 also	 require	 a	
higher	 end	 GPU	 than	 what	 is	 inside	 the	 M700	 cartridge.	 Consider	 the	 NVIDIA	 K2	 and	
XenServer	GPU	pass	through	with	HP	BL380	Gen	8	blades	here	for	HDX	3D	Pro	for	those	
higher	end	users,	which	is	a	separate	architecture	than	Moonshot.	
	
Throughout the development of the Moonshot platform Citrix, HP, and AMD worked very
closely to ensure HDX compatibility. During that time Citrix developers were able to
enhance the XenDesktop 7.1 VDA WDDM driver with optimizations that are now capable of
leveraging the AMD graphics cards, which are standard on the Moonshot HDI platform. This
new WDDM driver enhancement now allows for a superior HDX experience that can directly
leverage the GPU for each node.
Hardware-Assisted	System	Virtualization	
Core	benefits	
Virtualization	 solutions	 allow	 multiple	 operating	 systems	 and	 applications	 to	 run	 in	
independent	 partitions	 all	 on	 a	 single	 computer.	 Using	 virtualization	 capabilities,	 one	
physical	 computer	 system	 can	 function	 as	 multiple	 "virtual"	 systems.	 Virtual	 partitioning	
needs	to	be	achieved	from	the	hardware	level	at	the	very	bottom	and	enabled	all	the	way	up	
through	upper	software	layers.	System	hardware	is	composed	of	CPUs,	memory,	GPUs	and	
I/O	 devices	 like	 networks	 and	 storage	 in	 particular.	 Every	 one	 of	 those	 hardware	
components	 has	 to	 be	 pre-designed	 or	 capable	 of	 running	 multiple	 isolated	 virtual	
environments	on	top.	Server	hardware	and	software	hypervisors	have	evolved	in	the	past	
few	 years	 to	 provide	 virtualization	 assistance	 across	 CPUs,	 GPUs,	 memory,	 network	 and	
storage.	
	
For	over	two	decades	Citrix	has	been	the	industry	leader	in	applications	virtualization.	Our	
flagship	 product	 XenApp	 has	 been	 behind	 the	 streamlined	 operations	 in	 hospitals,	
enterprises,	 schools,	 factories,	 airports,	 governments,	 etc.	 As	 server	 virtualization	 became	
possible	Citrix	delivered	a	full	desktop	virtualization	experience	not	only	allowing	apps	to	be	
virtualized	with	isolated	access	but	also	desktops.
Virtualization provides the ability to isolate software components by running them in
isolated containers with inbound and outbound access control. With such a level of
isolation and access control, virtualization allows companies like Citrix to revolutionize
the way desktops and apps are delivered and secured, driving us into a new era of safer
and full enterprise mobility.
[Diagram: IT admins use the XenDesktop management console to manage Windows VMs (each with a Windows kernel and apps) running on a hypervisor, giving computer users a managed and secured compute experience (performance, security, virtualization): operating system, user apps, data, per-VM agents, user profile and corporate apps.]
Figure	5:	XenDesktop	managing	hosted	desktops	in	virtual	data	centers	
Intel’s	family	of	Xeon	server	processors	provides	support	for	hardware-based	technologies	
enabling	Desktop	and	Applications	virtualization	and	security.	The	following	section	of	the	
paper	will	cover	specifically	the	following	technologies:	Intel	VT,	VT-x,	VT-d,	TXT,	OS	Guard,	
VMCS	Shadowing	(nesting	of	hypervisors)	and	AES-NI.	
	
Responsive	 and	 secure	 desktop	 virtualization	 requires	 tight	 integration	 between	 the	
virtualization	 machine	 monitor	 /	 hypervisor	 software	 that	 is	 used	 to	 deploy	 and	 manage	
virtual	machines	and	the	underlying	hardware	platform.	XenServer	is	the	Citrix	open	source	
hypervisor	product	for	server	and	cloud	virtualization.	XenServer	takes	advantage	of	many	
server	hardware	provided	technologies.	XenDesktop,	which	runs	on	top	of	many	commercial	
hypervisors,	 gets	 the	 benefits	 of	 many	 of	 those	 direct	 interfaces	 between	 XenServer,	 the	
hypervisor	 and	 Intel	 server	 hardware.	 Some	 of	 those	 benefits	 will	 be	 covered	 in	 coming	
sections.	
Challenges	with	software	based	system	virtualization	
The design of Intel's protected mode architecture provides four protection rings, ring 0
to ring 3. Ring 0 is the most privileged and is used for running the operating system
kernel along with device drivers; ring 3 is used to run user mode applications. Software
modules running in ring 0 have enough privilege to directly access certain processor,
memory and I/O control structures, addresses and registers. One approach to software-based
virtualization is called ring deprivileging, which involves running the guest OS at a
higher ring than ring 0. Various techniques have been generally used for software-based
virtualization: (1) binary translation, inducing a trap and emulate model, (2) shadowing
of memory and I/O pages and (3) devices and chipset emulation. Those techniques increase
software complexity, greatly affecting its performance and reliability, increase the size
of what is needed to establish a Trusted Computing Base (TCB) and suffer from the absence
of sufficient protection across boundaries. Another popular technique is
para-virtualization, which involves modifying and porting the operating system to run
within the target virtual machine environment. The obvious price of para-virtualization is
not being able to run operating system code unmodified in virtual environments.
Intel®	Virtualization	Technology	(Intel®	VT)		
Intel® Hardware-based Virtualization Technology (Intel® VT) improves the fundamental
flexibility and robustness of traditional software-based virtualization solutions by
accelerating key functions of the virtualized platform. This efficiency benefits IT
because it speeds up the transfer of platform control between the guest operating systems
(OSs) and the virtual machine manager (VMM)/hypervisor, and it enables the VMM to uniquely
assign CPUs and memory pages to guest OSs. Intel VT performs various virtualization tasks
in hardware, like memory address translation, which reduces the overhead and footprint of
virtualization software and improves its performance.
Intel®	Virtualization	Technology	for	Directed	I/O	(VT-D)	
Intel VT-d is the other part of the Intel Virtualization Technology hardware architecture.
VT-d addresses the loss of native performance or of native capability of a virtualized I/O
device by providing hardware isolation and translation mechanisms that enable the VMM to
directly assign the device to a VM. In this model, the VMM restricts itself to a
controlling function for enabling direct assignment of devices to its partitions. Rather
than invoking the VMM for all (or most) I/O requests from a partition, the VMM is invoked
only when guest software accesses protected resources (such as I/O configuration accesses,
interrupt management, etc.) that impact system functionality and isolation.
	
Intel VT-d enables protection by restricting direct memory access (DMA) of the devices to
pre-assigned domains or physical memory regions. This is achieved by a hardware capability
known as DMA-remapping. The VT-d DMA-remapping hardware logic in the chipset sits between
the DMA-capable peripheral I/O devices and the computer's physical memory. In a
virtualization environment the system software is the VMM. In a native environment where
there is no virtualization software, the system software is the native OS. DMA-remapping
translates the address of the incoming DMA request to the correct physical memory address
and performs checks for permissions to access that physical address, based on the
information provided by the system software.
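
The translate-and-check step described above can be followed in a small software model. This is an added example, not code from the paper or from Intel: the class names, device identifiers, addresses and the flat page-table layout are all constructed for illustration and do not reproduce the actual VT-d table formats.

```python
"""Toy model of VT-d style DMA remapping (constructed for illustration)."""
from dataclasses import dataclass, field

PAGE = 4096
READ, WRITE = 1, 2


class DmaFault(Exception):
    """The remapping logic blocked a DMA request."""


@dataclass
class Domain:
    """One protection domain, e.g. the memory assigned to a single VM."""
    name: str
    # I/O page table: device-visible page number -> (host page number, permissions)
    io_pages: dict = field(default_factory=dict)

    def map_window(self, dev_addr, host_addr, length, perms):
        """System software (the VMM) grants the domain a window of host memory."""
        if dev_addr % PAGE or host_addr % PAGE or length <= 0:
            raise ValueError("mappings must be page aligned and non-empty")
        for off in range(0, length, PAGE):
            self.io_pages[(dev_addr + off) // PAGE] = ((host_addr + off) // PAGE, perms)


class RemappingUnit:
    """Sits between DMA-capable devices and physical memory."""

    def __init__(self):
        self.context = {}    # device id -> Domain, programmed by system software
        self.fault_log = []  # what a defender reviews after a blocked request

    def attach(self, device_id, domain):
        self.context[device_id] = domain

    def _fault(self, device_id, dev_addr, reason):
        self.fault_log.append((device_id, hex(dev_addr), reason))
        raise DmaFault(f"{device_id} @ {dev_addr:#x}: {reason}")

    def translate(self, device_id, dev_addr, length, access):
        """Return [(host_addr, nbytes), ...] for a request, or raise DmaFault.

        Every page the request touches is checked before anything is returned,
        so a transfer that starts in a mapped page but runs into an unmapped
        one is rejected as a whole.
        """
        domain = self.context.get(device_id)
        if domain is None:
            self._fault(device_id, dev_addr, "device not assigned to a domain")
        chunks, addr, remaining = [], dev_addr, length
        while remaining > 0:
            entry = domain.io_pages.get(addr // PAGE)
            if entry is None:
                self._fault(device_id, addr, "address not mapped in " + domain.name)
            host_page, perms = entry
            if (perms & access) != access:
                self._fault(device_id, addr, "permission denied in " + domain.name)
            nbytes = min(remaining, PAGE - addr % PAGE)
            chunks.append((host_page * PAGE + addr % PAGE, nbytes))
            addr += nbytes
            remaining -= nbytes
        return chunks


def build_example():
    """Two VMs, each with one directly assigned device (all values constructed)."""
    unit = RemappingUnit()
    vm1, vm2 = Domain("vm1"), Domain("vm2")
    vm1.map_window(0x10000, 0x7F200000, 2 * PAGE, READ | WRITE)
    vm2.map_window(0x10000, 0x9A000000, PAGE, READ)
    unit.attach("03:00.0", vm1)
    unit.attach("04:00.0", vm2)
    return unit


if __name__ == "__main__":
    unit = build_example()
    print(unit.translate("03:00.0", 0x10FF0, 0x20, WRITE))
    for request in [("04:00.0", 0x10000, 64, WRITE),   # read-only mapping
                    ("03:00.0", 0x11FF0, 0x20, READ),  # runs past the window
                    ("05:00.0", 0x10000, 64, READ)]:   # unassigned device
        try:
            unit.translate(*request)
        except DmaFault as fault:
            print("blocked:", fault)
```

The same device-visible address (0x10000) resolves to different host memory for each domain, which is what lets a device be handed to one VM without giving it a view of another VM's pages.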
GPU	Virtualization:	The	art	of	sharing	GPUs	across	virtual	machines	
	
As	 Intel	 made	 great	 advancements	 to	 hardware	 CPU	 and	 I/O	
virtualization,	parallel	progress	was	made	around	GPU	hardware	
virtualization.	 NVIDIA®	 GRID™	 vGPU™	 brings	 the	 full	 benefit	 of	
NVIDIA	 hardware-accelerated	 graphics	 to	 virtualized	 solutions.	
This	 provides	 exceptional	 graphics	 performance	 for	 virtual	
desktops	by	sharing	a	single	GPU	among	multiple	users.		
GRID	vGPU	provides	hardware	acceleration	across	multiple	virtual	
desktops	while	delivering	a	high	performance	graphics	experience,	
with	 economical	 benefits	 over	 a	 dedicated	 GPU	 per	 each	 user.	
Figure	6:	NVIDIA	vGPU	GRID
Operating systems still use NVIDIA native graphics drivers, allowing seamless support
without impacting application features or compatibility. Furthermore, the graphics
commands of each virtual machine are passed directly to the GPU, without requiring
additional translation by the hypervisor. This transparent support allows GPU hardware to
be virtually divided, delivering ultimate shared virtualized graphics performance.
	
As	said	earlier,	Citrix	HDX	3D	Pro	uses	the	native	NVIDIA	GPU	driver	installed	directly	in	the	
guest	 OS.	 With	 NVIDIA	 GRID	 cards,	 this	 ensures	 full	 application-level	 compatibility.	 As	 a	
result	of	that,	any	application	certified	to	work	with	NVIDIA	cards	would	be	fully	supported	
on	NVIDIA	vGPU	GRID.		
	
Citrix	HDX	3D	Pro	supports	OpenGL	4.3	and	DirectX	11	applications	on	both	desktop	and	
server	platforms.	Application	vendors	are	actively	working	with	NVIDIA	and	Citrix	to	certify	
their	applications	for	compliance.	It	is	worth	noting	here	that	such	kind	of	compliance	does	
not	happen	transparently	with	software-based	GPU	virtualization.		
	
	
To	provide	the	reader	with	further	explanation	of	how	this	works,	as	shown	in	the	diagram	
above,	each	virtual	machine	directly	accesses	a	part	of	the	physical	card,	called	the	“vGPU”.	
The	vGPU	assignment	provides	direct	frame	buffer	access	to	video	memory	residing	on	the	
GPU.	This	direct	access	minimizes	lag	time	and	provides	a	highly	responsive	user	experience,	
even	when	rendering	large	and	complex	3D	models.	
	
XenDesktop and XenServer take advantage of such advanced server-side GPU rendering to
provide knowledge workers, power users, and designers the ability to perform at their best
with no interruption. NVIDIA GRID™-accelerated XenDesktop is an ideal solution for 3D
graphics-intensive applications like remote workstations, as users get the full experience
of the local PC while running on a virtual desktop residing in the data center.
	
XenDesktop's existing software GPU pass-through and hardware sharing technologies have
delivered great value for graphically intensive applications such as Adobe Photoshop,
Dassault SolidWorks, Ansys Workbench and Autodesk applications. Combining those benefits
with the vGPU technology will deliver unprecedented value at much lower cost.
Figure	7:	XenDesktop	supporting	NVIDIA	vGPU	GRID
	
A	 wide	 range	 of	 graphics,	 video	 and	 CAD	 intensive	 applications	 including	 medical	 and	
industrial	imagery	products	are	now	fully	interactive	with	NVIDIA	GRID.	By	leveraging	GRID	
technology	 with	 full	 3D	 and	 compute	 API	 support	 through	 the	 latest	NVIDIA	 Quadro®	
drivers,	users	will	be	able	to	take	advantage	of	thousands	of	applications	that	run	OpenGL	
4.3,	Microsoft	DirectX9,	10,	11,	or	NVIDIA	CUDA®	5.0.	
	
It	 is	 worth	 noting	 that	 Citrix	 is	 actively	 working	 with	 NVIDIA	 along	 with	 major	 server	
vendors	such	as	HP,	Dell,	Cisco	and	IBM	to	ensure	software	integration	is	done	and	available	
for	use	with	XenDesktop	sessions	on	XenServer	hypervisors.		
Intel®	Hardware-Assisted	Security	Technologies	
Challenges	with	traditional	software-based	security	
Traditional computer hardware architecture did not distinguish between running legitimate
and illegitimate software modules. As a result, any piece of software code could boot the
system hardware, taking full control before the firmware boots the user operating system
installed on the system. This boot-time control has been behind many key Advanced
Persistent Threats (APTs) that have taken place in the past few years, stealing
corporations' key digital assets and challenging the stability and viability of the
world's economy.
	
Cryptographic algorithms have been a key element of ensuring confidentiality of data
exchanged across the Internet and stored on persistent storage. But cryptographic
algorithms are very computationally intensive. Thus their usage has been limited to
situations in which their overhead on system response time is acceptable.
	
The coming sections cover some key security technologies that address the need to protect
the boot elements of the hardware, to establish a Trusted Compute Base (TCB) and to
accelerate adoption of cryptographic algorithms.
Intel	Platform	Protection	Technologies	
To	address	malware	infections	taking	place	underneath	the	operating	system,	malware	
protection	has	to	start	from	the	BIOS.	Intel	BIOS	Guard	Technology	(IBGT)	ensures	that	
updates	made	to	system	BIOS	flash	are	secure.	Any	update	made	to	system	BIOS	is	
cryptographically	verified	by	a	guard	module	using	a	protected	agent	running	in	protected	
system	memory.	Another	related	technology	is	Intel’s	Platform	Trust	Technology	(IPTT),	
which	provides	platform	functionality	for	credential	storage	and	key	management	used	by	
Windows	8.	Both	technologies	bring	great	value	to	XenDesktop	hosted	desktops	as	they	
ensure	that	the	physical	hardware	is	protected	and	secure	from	boot-record	malware	
infections	preventing	an	entry	point	used	by	Advanced	Persistent	Threats	(APTs).	
	
Intel	OS	Guard	(IOSG)	is	another	key	security	feature	preventing	instruction	execution	from	
user	 mode	 memory	 pages	 while	 the	 CPU	 is	 in	 supervisor	 mode.	 IOSG	 helps	 to	 prevent	
common	attacks	that	seek	to	use	privilege	escalation	to	gain	control	of	a	platform	or	execute	
malware.	 IOSG	 can	 be	 enabled	 via	 a	 Windows	 8	 boot	 loader	 option.	 With	 XenDesktop	
centralized	management	and	policy	enforcement,	IT	admins	can	force	the	OS	Guard	feature	
policy	to	be	always	turned	on	for	Windows	8.
Intel	Trusted	eXecution	Technology	(TXT)	
Intel TXT® is a feature available in the Intel® Xeon® processor. It establishes a root of trust through measurements when the hardware and pre-launch software components are in a known good state. Intel TXT brings the security advantages of the microkernel model to the actual platform, with enhancements. For a cloud environment, Intel® TXT is able to Measure Launch (ML) the BIOS and hypervisor and attest the integrity of each VM individually.
	
Figure	8:	TXT	benefits	to	virtualized	data	centers	and	clouds	
Utilizing the result, administrators using XenDesktop along with a VMM like XenServer can set policies for sensitive data and workload placement onto groups of servers known as trusted compute pools. Those trusted compute pools with Intel® TXT support IT compliance by protecting virtualized XenDesktop data centers against attacks on the hypervisor, BIOS, firmware and other pre-launch software components. With Intel TXT, IT can run XenDesktop virtual desktops on a trusted server, protecting enterprise workloads and data without compromising security, and enhancing IT compliance.
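
The measurement chain and trusted-pool admission described above, as an added Python sketch that is not Citrix or Intel code. It assumes a single SHA-256 register extended TPM-style, uses an HMAC as a stand-in for a signed TPM quote, and all host names, images, keys and nonces are constructed.

```python
"""Toy model of measured launch and trusted-compute-pool admission (constructed data)."""
import hashlib
import hmac

ZERO_PCR = bytes(32)  # a measurement register starts at all zeros after reset


def extend(pcr, digest):
    # TPM-style extend: the register is only ever folded forward, never set.
    return hashlib.sha256(pcr + digest).digest()


def measured_launch(components):
    """Hash each (name, image) in launch order; return (final PCR, event log)."""
    pcr, log = ZERO_PCR, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Recompute the register value that an event log claims to produce."""
    pcr = ZERO_PCR
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def make_quote(host_key, nonce, pcr, log):
    # Assumption: HMAC replaces the TPM's asymmetric signature over nonce + PCR.
    mac = hmac.new(host_key, nonce + pcr, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr": pcr, "log": log, "mac": mac}


def verify_quote(host_key, nonce, quote, known_good):
    """Verifier side: freshness, authenticity, log consistency, then allowlist."""
    if quote["nonce"] != nonce:
        return "stale-nonce"
    expected = hmac.new(host_key, quote["nonce"] + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["mac"]):
        return "bad-quote"
    if replay(quote["log"]) != quote["pcr"]:
        return "log-mismatch"
    if quote["pcr"] not in known_good:
        return "unknown-measurement"
    return "trusted"


def eligible_hosts(sensitive, verdicts):
    """Sensitive workloads may only land on hosts that attested as trusted."""
    return sorted(h for h, v in verdicts.items() if v == "trusted" or not sensitive)


# Constructed pre-launch images: the known-good set and one with a modified hypervisor.
GOLDEN = [("bios", b"constructed BIOS image 1.0"),
          ("hypervisor", b"constructed hypervisor build A")]
MODIFIED = [GOLDEN[0], ("hypervisor", b"constructed hypervisor build A, modified")]


def demo():
    key = b"constructed-host-key"  # one shared key keeps the sample short
    nonce = b"nonce-2"
    golden_pcr, golden_log = measured_launch(GOLDEN)
    bad_pcr, bad_log = measured_launch(MODIFIED)
    quotes = {
        "host-a": make_quote(key, nonce, golden_pcr, golden_log),
        "host-b": make_quote(key, nonce, bad_pcr, bad_log),
        # host-c replays a quote produced for an earlier challenge.
        "host-c": make_quote(key, b"nonce-1", golden_pcr, golden_log),
        # host-d cannot rewrite its register, so it pairs it with the golden log.
        "host-d": make_quote(key, nonce, bad_pcr, golden_log),
    }
    return {h: verify_quote(key, nonce, q, {golden_pcr}) for h, q in quotes.items()}


if __name__ == "__main__":
    verdicts = demo()
    print(verdicts)
    print("trusted pool:", eligible_hosts(True, verdicts))
```

Because each extend folds the previous value into the next hash, the final register value depends on both the content and the order of every measured component.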
	
	
	
	
	 	
	
	
Figure 9: XenDesktop and XenServer support for TXT-based measurement and attestation.

Intel® AES-NI and Secure Key Technology
Intel® AES-NI is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family. AES-NI is a set of new instructions in the Intel architecture that implements some intensive sub-steps of the AES algorithm in hardware, accelerating execution of AES applications. AES-NI minimizes the application performance concerns inherent in traditional cryptographic processing and provides enhanced security by addressing side-channel attacks on AES associated with traditional software methods that use table look-ups.
	
Intel® Secure Key is a new instruction added to the Intel® 64 and IA-32 Architectures, called RDRAND, with an underlying Digital Random Number Generator (DRNG) hardware implementation. The DRNG using the RDRAND instruction is useful for generating high-quality keys for cryptographic protocols.

Encryption is a basic tool to ensure confidentiality of data at rest and over the wire, protecting against man-in-the-middle attacks. With AES-NI offloading of encryption, cryptography can become a common tool used whenever data confidentiality is needed, without having to worry about processing speed and slowness of overall system operations.
	
XenDesktop manages virtual machines as they run on top of server hypervisors like XenServer and Hyper-V. Various types of security compliance and regulations require the content of VMs with sensitive private data to be encrypted. AES-NI makes this possible. Today XenDesktop gets the value of AES-NI via the lower-level hypervisor, as those hypervisors' code relies on AES-NI for acceleration and key security. Windows OS and some of its applications can take advantage of AES-NI. XenDesktop IT admins can get the value of Windows in-bound usage of AES-NI directly by providing the right set of configuration to the
Windows	VM	or	deploying	the	r	of	in-guest	VM	agent.	
Intel®	VMCS	Shadowing	Technology	
Citrix	realized	long	ago	that	newer	usage	models	are	emerging	that	would	require	two	or	
more	Virtual	Machine	Monitors	(VMMs)	to	be	hosted	on	the	same	client	system.	Citrix	has	
been	heavily	engaged	with	Intel®	to	take	advantage	of	new	hardware	capabilities	designed	
to	accelerate	nesting	of	hypervisors	(VMMs).	Intel®	VMCS	Shadowing	greatly	reduces	the	
frequency	 with	 which	 the	 guest	 VMM	 must	 access	 the	 root	 VMM	 in	 a	 nested	
environment.		With	Intel	VMCS	Shadowing,	the	root	VMM	is	able	to	define	a	shadow	VMCS	in	
hardware.	A	guest	VMM	can	access	this	shadow	VMCS	directly,	without	interrupting	the	root	
VMM.	 Since	 the	 shadow	 VMCS	 is	 implemented	 in	 hardware,	 required	 accesses	 can	 be	
completed	nearly	as	fast	as	in	a	non-nested	environment.	
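
A small model of the mechanism described above, added here as an illustration and not taken from Citrix or Intel code. It follows the Intel SDM's VMREAD/VMWRITE bitmaps, where a set bit forces a VM exit to the root VMM and a clear bit lets the access hit the shadow VMCS; the handler trace is constructed and only VMREAD/VMWRITE exits are counted.

```python
"""Counting root-VMM exits for a guest VMM's VMREAD/VMWRITE, with and without shadowing."""

# VMCS field encodings as listed in the Intel SDM.
EPT_POINTER = 0x201A
VM_EXIT_REASON = 0x4402
VM_EXIT_INSTRUCTION_LEN = 0x440C
EXIT_QUALIFICATION = 0x6400
GUEST_RIP = 0x681E


class RootVmm:
    def __init__(self, shadowing):
        self.shadowing = shadowing
        # 4 KB bitmaps indexed by bits 14:0 of the field encoding; 1 = trap.
        self.read_bitmap = bytearray(b"\xff" * 4096)
        self.write_bitmap = bytearray(b"\xff" * 4096)
        self.shadow_vmcs = {}   # also serves as the emulated copy when trapping
        self.exits = 0

    def allow(self, field, write=False):
        """Root VMM policy: let the guest VMM touch this field without an exit."""
        if field >> 15:
            raise ValueError("field encoding outside the bitmap range")
        mask = ~(1 << (field & 7)) & 0xFF
        self.read_bitmap[field >> 3] &= mask
        if write:
            self.write_bitmap[field >> 3] &= mask

    def _traps(self, bitmap, field):
        # Without shadowing every access exits; encodings above bit 14 always exit.
        if not self.shadowing or field >> 15:
            return True
        return bool(bitmap[field >> 3] & (1 << (field & 7)))

    def vmread(self, field):
        if self._traps(self.read_bitmap, field):
            self.exits += 1     # root VMM emulates the read
        return self.shadow_vmcs.get(field, 0)

    def vmwrite(self, field, value):
        if self._traps(self.write_bitmap, field):
            self.exits += 1     # root VMM gets to inspect the value first
        self.shadow_vmcs[field] = value


def configured_shadow():
    """Read-mostly exit information is opened up; EPT_POINTER stays trapped."""
    vmm = RootVmm(shadowing=True)
    for field in (VM_EXIT_REASON, EXIT_QUALIFICATION, VM_EXIT_INSTRUCTION_LEN):
        vmm.allow(field)
    vmm.allow(GUEST_RIP, write=True)
    return vmm


def run_exit_handler(vmm):
    """Constructed trace of a guest VMM handling one exit from its own guest."""
    start = vmm.exits
    vmm.vmread(VM_EXIT_REASON)
    vmm.vmread(EXIT_QUALIFICATION)
    rip = vmm.vmread(GUEST_RIP)
    length = vmm.vmread(VM_EXIT_INSTRUCTION_LEN)
    vmm.vmwrite(GUEST_RIP, rip + length)   # skip the emulated instruction
    vmm.vmwrite(EPT_POINTER, 0x1000)       # sensitive control field
    return vmm.exits - start


if __name__ == "__main__":
    print("exits without shadowing:", run_exit_handler(RootVmm(shadowing=False)))
    print("exits with shadowing:   ", run_exit_handler(configured_shadow()))
```

The bitmaps double as a least-privilege control: the root VMM decides field by field what the guest VMM may read or write unobserved.
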
As	 explained	 above	 XenDesktop	 relies	 on	
hypervisors’	interfaces	for	providing	an	abstracted	
hardware-independent	view	of	the	data	center	and	
cloud	 hardware.	 XenDesktop	 uses	 hypervisor	
interfaces	 available	 from	 XenServer,	 VMware	
Virtual	Center	and	Microsoft	System	Center	Virtual	
Machine	 Manager	 to	 achieve	 that	 purpose.	 Such	
capabilities	 will	 allow	 XenDesktop	 to	 deploy	
custom-driven	 in-guest	 VMs	 that	 yield	 better	
security,	availability	and	robustness	of	desktops.		
Figure 10: Intel VMCS Shadow Tables

A good example is McAfee’s Deep Defender, which provides advanced protection using a form of system virtualization furnished by a lightweight hypervisor, or Virtual Machine Monitor (VMM), known as DeepSAFE. Unlike server hypervisors like XenServer, DeepSAFE does not provide full system and I/O virtualization. Instead, it uses hardware-assisted virtualization to monitor and control memory and processor operations, which provides the foundational layer for Deep Defender security functions. Together, XenDesktop and Deep Defender provide a breadth and depth of security that neither can provide alone.
	
VMCS shadowing is a revolutionary technology as it opens the door for custom VM-level, virtualization-derived features. As more companies deliver guest-VM-based micro-visors, XenDesktop IT administrators would be able to deploy separate custom-built guest-VM hypervisors (micro-visors) on a per-VM basis. For instance, XenDesktop IT admins can deploy a micro-visor that improves system security and recoverability in one VM while deploying another micro-visor that improves system availability, fault tolerance and measurability to another VM, with both VMs running within the same XenDesktop virtual infrastructure. Those key benefits would be realized most in XenDesktop-managed appliance-type VMs that run a single mission-critical application, such as a web or DB server.
Closing	Notes	
Citrix®	 XenDesktop®	 Hosted	 Desktops	 allows	 IT	 to	 realize	 important	 benefits	 that	
traditional	PC	environments	can’t	match:	
• Improved	security	and	compliance	with	centralizing	desktops,	data,	and	applications		
• Enhanced	worker	productivity	anywhere,	anytime,	any	device	and	secure	mobility	
• Streamlined	desktop	support	managing	all	desktops	with	no	interruptions	
• Improved	business	agility	scaling	and	adapting	to	changes	quickly	
	
This paper has shown the reader how those benefits can be enabled and realized in two fundamentally different architectural scenarios:
1. A	 virtualized	 environment	 powered	 by	 hardware-assisted	 virtualization	 of	 CPU,	
memory,	GPU	and	I/O.	
2. A	physicalized	environment	powered	by	integrated	large	number	of	PCs	and	servers	
on	a	single	chip	as	in	the	case	of	Microservers.	
From	 an	 IT	 admin	 perspective,	 whether	 the	 infrastructure	 is	 virtualized	 or	 physicalized	
XenDesktop	will	work	uniformly	the	same	and	users	will	get	the	benefit	of	Hosted	Desktops	
whether	they’re	deployed	in	the	data	center	or	in	the	cloud.	
	
Figure 11: Citrix XenDesktop support for system virtualization and physicalization through a unified management console. Panels: "Scaling up with Server Physicalization" and "Scaling out with Server Virtualization".
About	Citrix	
Citrix	(NASDAQ:CTXS)	is	the	cloud	company	that	enables	mobile	workstyles—empowering	
people	to	work	and	collaborate	from	anywhere,	securely	accessing	apps	and	data	on	any	of	
the	latest	devices,	as	easily	as	they	would	in	their	own	office.	Citrix	solutions	help	IT	and	
service	 providers	 build	 clouds,	 leveraging	 virtualization	 and	 networking	 technologies	 to	
deliver	 high-performance,	 elastic	 and	 cost-effective	 cloud	 services.	 With	 market-leading	
solutions	 for	 mobility,	 desktop	 virtualization,	 cloud	 networking,	 cloud	 platforms,	
collaboration	and	data	sharing,	Citrix	helps	organizations	of	all	sizes	achieve	the	speed	and	
agility	necessary	to	succeed	in	a	mobile	and	dynamic	 world.	Citrix	products	are	in	use	at	
more	than	260,000	organizations	and	by	over	100	million	users	globally.	Annual	revenue	in	
2012	was	$2.59	billion.
About	the	author	
Ahmed	Sallam	is	a	Citrix	cross-functional	VP	and	CTO	leading	technology	and	solutions	strategy	in	new	emerging	era	of	
smart	devices,	IoT,	IoE,	system	virtualization,	server	physicalization	and	security.	His	focus	is	on	new	emerging	end-to-end	
solutions	ranging	from	devices	to	networks	to	clouds	across	Citrix	lines	of	products.	Ahmed	drives	Intellectual	Property	
growth opportunities and monetization strategy for Citrix as well. He works closely with software and hardware ecosystem
partners	integrating	into	Citrix	open	platforms.	He	served	as	CTO	and	VP	of	Product	Strategy	for	Client	Virtualization.	Prior	
to	Citrix,	Ahmed	was	CTO	of	Advanced	Technology	and	Chief	Architect	at	McAfee,	now	part	of	Intel	Corp.	where	he	drove	
McAfee into developing global threat intelligence along with predictive preventive anti-malware security solutions. Ahmed
is	the	co-inventor	and	architect	of	Intel/	McAfee’s	DeepSAFE	technology	and	co-designer	of	VMware’s	VMM	CPU	security	
technology	known	as	VMsafe.	Prior	to	McAfee,	Ahmed	was	a	Senior	Architect	with	Nokia’s	security	division	and	a	Principal	
Engineer	at	Symantec.	Ahmed	is	a	renowned	expert	across	the	industry	well	known	for	pioneering	new	models	in	computer	
system	virtualization-based	security	and	management	delivering	flexible,	well-managed	and	secure	computer	experience	
with	 high	 safety	 assurances.	 Ahmed	 holds	 40	 issued	 patents	 and	 has	 more	 than	 40	 published	 and	 pending	 patent	
applications.	He	earned	a	bachelor’s	degree	in	Computer	Science	and	Automatic	Control	from	the	University	of	Alexandria.

Architecture decision records - How not to get lost in the pastPapp Krisztián
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentVictorSzoltysek
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 

Recently uploaded (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 

Hosted desktops and server evolution technologies - 2014 Edition

  • 1. White paper

XenDesktop and The Evolution of Hardware-Assisted Server Technologies
By Ahmed Sallam, VP and CTO, Hardware, Security, Emerging Solutions and IP
January 2014

Table of Contents

Executive Summary (p. 2)
Background (p. 2)
  Introduction (p. 2)
  Intel, NVIDIA, AMD and HP (p. 2)
  Hosted Desktops on x86, ARM microservers and HSA (p. 2)
Evolution of Server Physicalization and Software Defined Servers (p. 3)
  HP® Moonshot Hyperscale Microservers (p. 4)
  Citrix® XenDesktop® powering HP® - AMD® Microservers (p. 5)
Hardware-Assisted System Virtualization (p. 6)
  Core benefits (p. 6)
  Challenges with software based system virtualization (p. 7)
  Intel® Virtualization Technology (Intel® VT) (p. 8)
  Intel® Virtualization Technology for Directed I/O (VT-D) (p. 8)
GPU Virtualization: The art of sharing GPUs across virtual machines (p. 8)
Intel® Hardware-Assisted Security Technologies (p. 10)
  Challenges with traditional software-based security (p. 10)
  Intel Platform Protection Technologies (p. 10)
  Intel Trusted eXecution Technology (TXT) (p. 11)
  Intel® AES-NI and Secure Key Technology (p. 11)
  Intel® VMCS Shadowing Technology (p. 12)
Closing Notes (p. 13)
References (p. 14)
About Citrix (p. 15)
About the author (p. 15)
  • 2.

Executive Summary

Three key server hardware technologies are shaping the future of Desktop Virtualization:

1. Hardware-Assisted System Virtualization.
2. Hardware-Assisted System Security.
3. Hardware Servers Physicalization.

Hardware-assisted virtualization is happening everywhere: for CPUs, memory, I/O and GPUs. Virtualization allows XenDesktop to scale out, taking best advantage of the existing compute power in system hardware. Microservers are driving innovation further, letting desktop physicalization scale upward by taking advantage of inexpensive commodity hardware that yields better performance per watt, higher density and lower cost. Lastly, hardware-assisted security is changing the face of computing, making IT infrastructure safer at the bottom of the system architecture stack, outside the reach of software.

Citrix is actively engaged with the hardware ecosystem vendors on better design and enablement of various types of hardware-assisted features, to deliver a unique, unprecedented enterprise mobility experience. This paper gives the reader technical insight into these three emerging server technology areas. It targets Citrix customers and field engineers who have a basic understanding of data center infrastructure architecture and of system virtualization. It is not intended for readers looking for a deep technical description of each technology, or for readers looking for a high-level, non-technical description.

Background

Introduction

For over two decades Desktop Virtualization has revolutionized the IT industry through reduced cost, simplified centralized management, better security, flexibility, visibility, scalability and higher availability. Citrix XenDesktop has been the industry-leading solution for both desktop and application virtualization in the data center and as a service in the cloud.
Hardware server technologies have played a key role in enabling desktop virtualization. This paper covers specific current and emerging server hardware technologies that make desktop virtualization faster, simpler, safer, less expensive and highly scalable.

Intel, NVIDIA, AMD and HP

The paper covers many of Intel's server hardware technologies, which is expected given Intel's market leadership as the provider of very large-scale hardware compute servers. NVIDIA has recently introduced its technology for server GPU virtualization, which is covered in the paper. AMD and HP have collaborated closely to deliver x86 microservers that address the growing need for system physicalization, and this line of technology is covered in the paper as well.

Hosted Desktops on x86, ARM microservers and HSA

This paper focuses on Citrix XenDesktop running on top of x86-based hardware servers. XenDesktop manages Windows in the enterprise and as a cloud-based desktop service. ARM-based microservers are growing in popularity, entering the market with a specific focus on web, cloud and big data workloads. Citrix has been active in the ARM microserver space:
  • 3.

1. Collaborating and engaging closely with ARM Corporation on server architecture and specification.
2. Engaging with ARM hardware microserver providers like AppliedMicro, AMD and Marvell.
3. Being an active member of Linaro Enterprise Group.
4. Porting the Citrix Xen Project Hypervisor to the ARM architecture.

The focus of ARM microserver products has been on Linux-based ARM microservers and not on Windows, as the Windows server OS has not yet been made available on the ARM architecture. Microsoft has not publicly disclosed any plans for doing so in the near future either. For those reasons, the ARM architecture is not covered in this paper.

Evolution of Server Physicalization and Software Defined Servers

In this rapidly growing Internet of Things environment, many things that we do every day, such as checking email accounts, posting onto social media sites, browsing web pages, and searching web indexes or portals, are not compute-intensive. They do, however, have high I/O throughput and memory footprint requirements. IT architects working at this scale typically use cluster techniques to run massively parallel workloads that distribute data across many nodes, often in cloud environments. Using typical server x86 CPUs designed for compute-intensive enterprise applications in these environments means underutilizing compute capacity and wasting energy. Distributed workloads in cloud environments often run at low processor utilization levels of 20% or less, yet administrators pay for the cost of a premium CPU.

Virtualization has historically addressed the issue of low CPU and GPU utilization by allowing IT architects to consolidate multiple workloads that are somewhat balanced, such as enterprise applications or infrastructure-as-a-service. Physicalization, on the other hand, addresses the need to scale up applications and web serving, where the I/O component is much larger and the amount of processing required per unit of data is much smaller.
In these environments, consolidating through virtualization effectively reduces the network, memory, and I/O bandwidth per unit of data, which makes the large I/O problem worse. Physicalization takes the approach of using energy-efficient CPUs that balance performance and cost to match the needs of data-intensive applications.

Figure 1: XenDesktop managing hosted desktops in physical data centers. (Diagram, "Scaling up through physical server nodes": physical server nodes (CPU, memory, USB, network, storage), each running a Windows OS, Windows kernel and apps; XenDesktop/XenServer management consoles; managed and secured compute experience.)
  • 4.

The data center environment is diversifying both in terms of the infrastructure and the market segments, including storage, communications, cloud, HPC, and traditional enterprise. Each area has unique requirements, which provides an opportunity for targeted solutions to best cover these needs. The microserver is composed of many small one-socket servers sharing a chassis, fans, power supplies and a common interconnect to achieve improved flexibility, higher efficiency and density.

The Intel® Atom® processor C2000 product family is Intel's second-generation 64-bit server System on Chip (SoC), manufactured in a low-power 22nm SoC process. Its focus is on enabling high density with high performance, providing 2, 4, and 8 core product models at 6-20 Watts of power consumption. This extends Intel's existing portfolio of products serving cloud service providers. The family is optimized for parallel software that benefits most from more individual servers with sufficient I/O between nodes, including static web servers, simple content delivery nodes, distributed memory caching (memcached), entry dedicated hosting, cold storage, and any of the aforementioned uses that have an additional need for acceleration of cryptographic communications, such as entry-level security appliances and switches.

Up to four Intel® Atom® SoC nodes can be added on to a Server System Infrastructure (SSI) module. Multiple SSI modules can be added to a single microserver chassis to expand the number of accessible nodes. This allows for optimization of rack density as compared to other single-unit servers. Figure 1 is a representation of the microserver at a high level.

HP® Moonshot Hyperscale Microservers

HP Moonshot System is a new server design that addresses the speed, scale and specialization required for the new style of IT that is emerging around the converging trends of mobility, cloud, social media, and big data.
With billions of people connected with each other and with businesses over the Internet, many of them from mobile devices, there is a rapidly escalating demand for digital content and experiences. The connection of almost any device to the Internet has become known as the Internet of Things (IoT). These devices can gather and process data, provide a service, and seamlessly interact with other devices. The IoT presents businesses with new ways to drive market differentiation, deepen customer relationships, and deliver profitability. These specialized IoT solutions require a new style of computing, one that can achieve optimal performance and efficient scaling.

A key issue that overwhelms IT managers in hyperscale environments is the sheer number of devices they must manage, power, and cool. With today's rack-mount x86 platforms, you can have between 20 and 40 servers in a 42U rack. Scale-out optimized platforms like HP ProLiant SL can increase the density to 80 servers in each rack. Each server comes with its own management controller, network controllers, storage controllers, OS instance, device drivers, and so on. So every time you add a server, you must also procure multiple I/O devices and manage, secure, power, and cool them. While HP Blade System c-Class enclosures also provide a shared infrastructure, the HP Moonshot System takes the sharing to a new level by integrating the processor and chipset onto a single piece of silicon and sharing other resources across the system.

Figure 2: Intel ATOM C2000 four SoCs Card
  • 5.

Dedicated hosting companies use large numbers of traditionally architected servers, hitting the wall for power, cooling and space. The HP Moonshot System uses an innovative new architecture that results from one simple design tenet: to align purpose-built modules with the right workload to provide optimal results for dedicated hosting environments. HP Moonshot System is a software-defined server platform that achieves efficiency and scale by aligning just the right amount of compute, memory and storage to get the work done, enabling IT to capitalize on the major growth trend of the IoT.

Traditional servers rely on dedicated components, including management, networking, storage, power cords and cooling fans, in a single chassis. In contrast, the Moonshot system shares these chassis components and is capable of supporting 45 servers per 4.3U chassis. This provides the ability to generate greater revenue from a smaller footprint while driving down operational costs. Each software-defined server contains its own dedicated memory, storage, storage controller, and two NICs (1Gb). For monitoring and management, each server contains management logic in the form of a Satellite Controller with a dedicated internal network connection (100 Mb).

HP Moonshot System provides application-specific processing for targeted workloads. Creating a fabric infrastructure capable of accommodating a wide range of application-specific workloads requires highly flexible fabric connectivity. This flexibility allows the Moonshot System fabric architecture to adapt to the changing requirements of hyperscale workload interconnectivity.

Moonshot management is achieved through support for the Command-Line Interface (CLI) and the Intelligent Platform Management Interface (IPMI). These provide the primary gateway for node management, aggregation, inventory, power capping, firmware management and aggregation, along with asset management and deployment.
Citrix® XenDesktop® powering HP® - AMD® Microservers

At HP Discover 2013 in Barcelona, Spain, HP unveiled a new member of the Moonshot platform called the Converged System 100 for Hosted Desktops, designed exclusively with AMD for Citrix XenDesktop. The system is supported for Citrix customers using XenDesktop 7.1 and Provisioning Services 7.1. An independent compute and graphics processing unit (GPU) per user, combined with the high density of the HP Converged System 100 for Hosted Desktops, delivers a full-powered PC desktop experience to all types of enterprise users. Workers now enjoy consistent performance and quality of service no matter what individual workloads they are running, including business graphics and multimedia applications.

Figure 3: HP Moonshot 1500 Chassis rear view

Figure 4: HP Moonshot 1500 Chassis front view
  • 6.

The HP Converged System 100 for Hosted Desktops consists of a 4.3U HP Moonshot 1500 Chassis that holds up to 45 AMD-based cartridges. Each cartridge has four independent servers (PC-on-a-chip), with each server supporting one desktop. The dedicated GPU per user enables PC-quality multimedia capabilities. Combined with HP Moonshot and data center hosting efficiencies, this non-persistent delivery model provides a compelling cost per user.

A complete solution including compute, storage, and networking, the HP Converged System 100 for Hosted Desktops hosts up to 180 desktops per chassis. With no SAN or virtualization layer to install and manage, IT administrators will experience less complexity. And with pre-determined sizing and fewer workload images, desktop provisioning time is greatly reduced.

The main feature that only XenDesktop 7.1 provides is the ability of the Standard VDA to use the native GPU, for DirectX-enabled applications for example, without the HDX 3D Pro VDA that was previously always needed to use GPUs. The HDX 3D Pro VDA is required for higher-end CAD applications, which also require a higher-end GPU than what is inside the M700 cartridge. For those higher-end users, consider the NVIDIA K2 and XenServer GPU pass-through with HP BL380 Gen 8 blades for HDX 3D Pro, which is a separate architecture from Moonshot.

Throughout the development of the Moonshot platform, Citrix, HP, and AMD worked very closely to ensure HDX compatibility. During that time Citrix developers were able to enhance the XenDesktop 7.1 VDA WDDM driver to provide optimizations that can now use the AMD graphics cards, which are standard on the Moonshot HDI platform. This new WDDM driver enhancement now allows for a superior HDX experience that can directly leverage the GPU for each node!
Hardware-Assisted System Virtualization

Core benefits

Virtualization solutions allow multiple operating systems and applications to run in independent partitions, all on a single computer. Using virtualization capabilities, one physical computer system can function as multiple "virtual" systems. Virtual partitioning needs to be achieved from the hardware level at the very bottom and enabled all the way up through the upper software layers.

System hardware is composed of CPUs, memory, GPUs and I/O devices, networks and storage in particular. Every one of those hardware components has to be designed for, or capable of, running multiple isolated virtual environments on top. Server hardware and software hypervisors have evolved in the past few years to provide virtualization assistance across CPUs, GPUs, memory, network and storage.

For over two decades Citrix has been the industry leader in application virtualization. Our flagship product XenApp has been behind the streamlined operations in hospitals, enterprises, schools, factories, airports, governments, etc. As server virtualization became possible, Citrix delivered a full desktop virtualization experience, allowing not only apps but also desktops to be virtualized with isolated access.
  • 7.

Virtualization provides the ability to isolate software components by running them in isolated containers with inbound and outbound access control. With this level of isolation and access control, virtualization allows companies like Citrix to revolutionize the way desktops and apps are delivered and secured, driving us into a new era of safer and full enterprise mobility.

Figure 5: XenDesktop managing hosted desktops in virtual data centers. (Diagram: Windows VMs, each with a Windows kernel and apps, running on a hypervisor; XenDesktop management console; managed and secured compute experience; computer users and IT admins.)

Intel's family of Xeon server processors provides support for hardware-based technologies enabling desktop and application virtualization and security. The following sections of the paper cover these technologies specifically: Intel VT, VT-x, VT-d, TXT, OS Guard, VMCS Shadowing (nesting of hypervisors) and AES-NI.

Responsive and secure desktop virtualization requires tight integration between the virtual machine monitor/hypervisor software that is used to deploy and manage virtual machines and the underlying hardware platform. XenServer is the Citrix open source hypervisor product for server and cloud virtualization. XenServer takes advantage of many technologies provided by server hardware. XenDesktop, which runs on top of many commercial hypervisors, gets the benefits of many of those direct interfaces between XenServer, the hypervisor and Intel server hardware. Some of those benefits are covered in the coming sections.
Challenges with software based system virtualization

The design of Intel’s protected mode architecture provides four protection rings, ring 0 to ring 3. Ring 0 is the most privileged and is used for running the operating system kernel along with device drivers; ring 3 is used to run user mode applications. Software modules running in ring 0 have enough privilege to directly access certain processor, memory and I/O control structures, addresses and registers. One approach to software-based virtualization is called ring deprivileging, which involves running the guest OS at a higher ring than ring 0. Various techniques have generally been used for software-based virtualization: (1) binary translation, inducing a trap and emulate model, (2) shadowing of memory and I/O pages and (3) device and chipset emulation. Those techniques increase software complexity, greatly affecting its performance and reliability, increase the size of what is needed to establish a Trusted Computing Base (TCB) and suffer from the absence of sufficient protection across boundaries. Another popular technique is para-virtualization, which involves modifying and porting the operating system to run within the target virtual machine environment. The obvious price of para-virtualization is not being able to run operating system code unmodified in virtual environments.

  • 8. Intel® Virtualization Technology (Intel® VT)

Intel® Hardware-based Virtualization Technology (Intel® VT) improves the fundamental flexibility and robustness of traditional software-based virtualization solutions by accelerating key functions of the virtualized platform. This efficiency benefits IT because it speeds up the transfer of platform control between the guest operating systems (OSs) and the virtual machine manager (VMM)/hypervisor. Intel VT also enables the VMM to uniquely assign CPUs and memory pages to guest OSs. Intel VT performs various virtualization tasks in hardware, like memory address translation, which reduces the overhead and footprint of virtualization software and improves its performance.

Intel® Virtualization Technology for Directed I/O (VT-d)

Intel VT-d is the other part of the Intel Virtualization Technology hardware architecture. VT-d addresses the loss of native performance or of native capability of a virtualized I/O device by providing hardware isolation and translation mechanisms that enable the VMM to directly assign the device to a VM. In this model, the VMM restricts itself to a controlling function for enabling direct assignment of devices to its partitions. Rather than invoking the VMM for all (or most) I/O requests from a partition, the VMM is invoked only when guest software accesses protected resources (such as I/O configuration accesses, interrupt management, etc.) that impact system functionality and isolation. Intel VT-d enables protection by restricting direct memory access (DMA) of the devices to pre-assigned domains or physical memory regions. This is achieved by a hardware capability known as DMA-remapping. The VT-d DMA-remapping hardware logic in the chipset sits between the DMA capable peripheral I/O devices and the computer’s physical memory.
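The check that DMA-remapping performs on each device request, as a simplified Python model added here (it is not Intel's or Citrix's code and does not reproduce the VT-d table format). The requester IDs, page numbers, 4 KiB page size and class names are constructed assumptions.

```python
"""Toy model of DMA remapping (constructed example, not the VT-d table format)."""
from dataclasses import dataclass, field

PAGE = 4096  # assumed page size for this model

class DmaFault(Exception):
    """Raised where remapping hardware would block the request."""

@dataclass
class Domain:
    """A protection domain (for example one VM) with its own DMA mappings."""
    name: str
    # device-visible page number -> (host physical page number, allowed ops)
    pages: dict = field(default_factory=dict)

    def map_page(self, dma_page, host_page, perms):
        self.pages[dma_page] = (host_page, frozenset(perms))

class RemapUnit:
    """Sits between DMA-capable devices and memory; programmed by system software."""
    def __init__(self):
        self.assigned = {}   # requester id (bus:dev.fn) -> Domain
        self.fault_log = []  # what a VMM or OS would inspect after a blocked DMA

    def assign(self, requester, domain):
        self.assigned[requester] = domain

    def _fault(self, requester, addr, op, reason):
        self.fault_log.append((requester, hex(addr), op, reason))
        raise DmaFault(reason)

    def translate(self, requester, addr, op, length=1):
        """Return the host physical address for a DMA request, or raise DmaFault."""
        domain = self.assigned.get(requester)
        if domain is None:
            self._fault(requester, addr, op, "device not assigned to a domain")
        # Every page the transfer touches must be mapped with the right permission.
        for page in range(addr // PAGE, (addr + length - 1) // PAGE + 1):
            entry = domain.pages.get(page)
            if entry is None:
                self._fault(requester, addr, op, "address outside assigned domain")
            if op not in entry[1]:
                self._fault(requester, addr, op, "permission denied")
        host_page, _ = domain.pages[addr // PAGE]
        return host_page * PAGE + addr % PAGE

def run_demo():
    """Constructed scenario: one NIC assigned to vm_a, one device left unassigned."""
    vm_a = Domain("vm_a")
    vm_a.map_page(0x10, 0x8000, "rw")  # receive buffer: device may read and write
    vm_a.map_page(0x11, 0x8001, "r")   # transmit buffer: device may only read
    unit = RemapUnit()
    unit.assign("03:00.0", vm_a)
    requests = [
        ("03:00.0", 0x10 * PAGE + 0x20, "w", 64),   # allowed
        ("03:00.0", 0x11 * PAGE, "w", 64),          # write to a read-only page
        ("03:00.0", 0x11 * PAGE + 4000, "r", 200),  # runs into unmapped page 0x12
        ("04:00.0", 0x10 * PAGE, "r", 64),          # device never assigned
    ]
    results = []
    for req in requests:
        try:
            results.append(hex(unit.translate(*req)))
        except DmaFault as fault:
            results.append(f"blocked: {fault}")
    return results, unit.fault_log

if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The third request shows why the check has to cover every page a transfer touches: it starts in a mapped page and would otherwise spill into memory that was never assigned to the domain.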
In a virtualization environment the system software is the VMM. In a native environment where there is no virtualization software, the system software is the native OS. DMA-remapping translates the address of the incoming DMA request to the correct physical memory address and performs permission checks for access to that physical address, based on the information provided by the system software.

GPU Virtualization: The art of sharing GPUs across virtual machines

As Intel made great advancements in hardware CPU and I/O virtualization, parallel progress was made in GPU hardware virtualization. NVIDIA® GRID™ vGPU™ brings the full benefit of NVIDIA hardware-accelerated graphics to virtualized solutions. This provides exceptional graphics performance for virtual desktops by sharing a single GPU among multiple users. GRID vGPU provides hardware acceleration across multiple virtual desktops while delivering a high performance graphics experience, with economic benefits over a dedicated GPU for each user.

Figure 6: NVIDIA vGPU GRID
  • 9. Operating systems still use NVIDIA native graphics drivers, allowing seamless support without impacting application features or compatibility. Furthermore, the graphics commands of each virtual machine are passed directly to the GPU, without requiring additional translation by the hypervisor. This transparent support allows GPU hardware to be virtually divided, delivering ultimate shared virtualized graphics performance. As said earlier, Citrix HDX 3D Pro uses the native NVIDIA GPU driver installed directly in the guest OS. With NVIDIA GRID cards, this ensures full application-level compatibility. As a result, any application certified to work with NVIDIA cards would be fully supported on NVIDIA vGPU GRID. Citrix HDX 3D Pro supports OpenGL 4.3 and DirectX 11 applications on both desktop and server platforms. Application vendors are actively working with NVIDIA and Citrix to certify their applications for compliance. It is worth noting that this kind of compliance does not happen transparently with software-based GPU virtualization.

To explain further how this works: as shown in the diagram above, each virtual machine directly accesses a part of the physical card, called the “vGPU”. The vGPU assignment provides direct frame buffer access to video memory residing on the GPU. This direct access minimizes lag time and provides a highly responsive user experience, even when rendering large and complex 3D models. XenDesktop and XenServer take advantage of such advanced server-side GPU rendering to give knowledge workers, power users, and designers the ability to perform at their best with no interruption. NVIDIA GRID™-accelerated XenDesktop is an ideal solution for 3D graphics-intensive applications like remote workstations, as users get the full experience of the local PC while running on a virtual desktop residing in the data center.
XenDesktop’s existing software GPU pass-through and hardware sharing technologies have delivered great value for graphically intensive applications such as Adobe Photoshop, Dassault SolidWorks, Ansys Workbench and Autodesk applications. Combining those benefits with the vGPU technology will deliver unprecedented value at much lower cost.

Figure 7: XenDesktop supporting NVIDIA vGPU GRID
  • 10. A wide range of graphics, video and CAD intensive applications, including medical and industrial imagery products, are now fully interactive with NVIDIA GRID. By leveraging GRID technology with full 3D and compute API support through the latest NVIDIA Quadro® drivers, users will be able to take advantage of thousands of applications that run OpenGL 4.3, Microsoft DirectX 9, 10, 11, or NVIDIA CUDA® 5.0. It is worth noting that Citrix is actively working with NVIDIA along with major server vendors such as HP, Dell, Cisco and IBM to ensure software integration is done and available for use with XenDesktop sessions on XenServer hypervisors.

Intel® Hardware-Assisted Security Technologies

Challenges with traditional software-based security

Traditional computer hardware architecture did not distinguish between running legitimate and illegitimate software modules. As a result, any piece of software code could boot the system hardware, taking full control before the firmware boots the user operating system installed on the system. This boot-time control has been behind many key Advanced Persistent Threats (APTs) that have taken place in the past few years, stealing corporations’ key digital assets and challenging the stability and viability of the world’s economy. Cryptographic algorithms have been used as a key element of ensuring confidentiality of data exchanged across the Internet and stored on persistent storage. But cryptographic algorithms are computationally very expensive, so their usage has been limited to situations in which their overhead on system response time is acceptable. The coming sections of the paper discuss some key security technologies that address the need to protect the boot elements of the hardware, to establish a Trusted Compute Base (TCB) and to accelerate adoption of cryptographic algorithms.
Intel Platform Protection Technologies

To address malware infections taking place underneath the operating system, malware protection has to start from the BIOS. Intel BIOS Guard Technology (IBGT) ensures that updates made to the system BIOS flash are secure. Any update made to the system BIOS is cryptographically verified by a guard module using a protected agent running in protected system memory. Another related technology is Intel’s Platform Trust Technology (IPTT), which provides platform functionality for credential storage and key management used by Windows 8. Both technologies bring great value to XenDesktop hosted desktops, as they ensure that the physical hardware is protected and secure from boot-record malware infections, blocking an entry point used by Advanced Persistent Threats (APTs).

Intel OS Guard (IOSG) is another key security feature. It prevents instruction execution from user mode memory pages while the CPU is in supervisor mode. IOSG helps to prevent common attacks that seek to use privilege escalation to gain control of a platform or execute malware. IOSG can be enabled via a Windows 8 boot loader option. With XenDesktop centralized management and policy enforcement, IT admins can force the OS Guard feature policy to be always turned on for Windows 8.
  • 11. Intel Trusted eXecution Technology (TXT)

Intel TXT® is a feature available in the Intel® Xeon® processor. It establishes a root of trust through measurements when the hardware and pre-launch software components are in a known good state. Intel TXT brings the security advantages of the microkernel model to an actual platform, with enhancements. For a cloud environment, Intel® TXT is able to Measure Launch (ML) the BIOS and hypervisor and attest the integrity of each VM individually.

Figure 8: TXT benefits to virtualized data centers and clouds

Utilizing the result, with XenDesktop along with a VMM like XenServer, administrators can set policies for sensitive data and workload placement onto groups of servers known as trusted compute pools. Those trusted compute pools with Intel® TXT support IT compliance by protecting virtualized XenDesktop data centers against attacks on the hypervisor and BIOS, firmware, and other pre-launch software components. With Intel TXT, IT can run XenDesktop virtual desktops on a trusted server, protecting enterprise workloads and data, avoiding security compromise and enhancing IT compliance.

Intel® AES-NI and Secure Key Technology

Intel® AES-NI is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family.
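The measured launch and trusted compute pool placement described in the TXT section above, as a simplified Python model added here (not Intel's or Citrix's code). The paper does not describe how measurements are accumulated; the TPM-style extend with SHA-256, the host names and the stand-in image bytes are assumptions constructed for the example.

```python
"""Toy model of measured launch and trusted compute pools (constructed example)."""
import hashlib
import hmac

def extend(register, component):
    """TPM-style extend (assumed here): new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measured_launch(components):
    """Measure each pre-launch component, in boot order, into one register."""
    register = bytes(32)
    for blob in components:
        register = extend(register, blob)
    return register

def trusted_pool(reported, known_good):
    """Hosts whose reported measurement matches a known-good value."""
    return sorted(
        host for host, value in reported.items()
        if any(hmac.compare_digest(value, good) for good in known_good)
    )

def place(workload, hosts, pool):
    """Sensitive workloads may only be scheduled on hosts in the trusted pool."""
    if workload["sensitive"]:
        candidates = [h for h in hosts if h in pool]
    else:
        candidates = list(hosts)
    if not candidates:
        raise RuntimeError(f"no eligible host for {workload['name']}")
    return candidates[0]

# Constructed stand-ins for firmware and hypervisor images.
BIOS = b"constructed-bios-image-v1"
HYPERVISOR = b"constructed-hypervisor-image-v1"
TAMPERED_HV = HYPERVISOR + b"\x90"  # a single appended byte

KNOWN_GOOD = [measured_launch([BIOS, HYPERVISOR])]

# Remote attestation normally carries the value in a signed quote with a fresh
# nonce; this model skips that step and compares the values only.
REPORTED = {
    "host-a": measured_launch([BIOS, HYPERVISOR]),
    "host-b": measured_launch([BIOS, TAMPERED_HV]),
    "host-c": measured_launch([HYPERVISOR, BIOS]),  # same parts, wrong order
}
HOSTS = ["host-b", "host-a", "host-c"]
POOL = trusted_pool(REPORTED, KNOWN_GOOD)

if __name__ == "__main__":
    print("trusted pool:", POOL)
    print("sensitive desktop ->",
          place({"name": "finance-desktop", "sensitive": True}, HOSTS, POOL))
    print("test desktop ->",
          place({"name": "test-desktop", "sensitive": False}, HOSTS, POOL))
```

Because each value is chained onto the previous one, a changed component or a changed launch order both produce a different final measurement, and such hosts stay out of the pool.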
AES NI is a set of new instructions in the Intel architecture that implement some intensive sub-steps of the AES algorithm in hardware, accelerating execution of the AES application.

Figure 9: XenDesktop and XenServer support for TXT-based measurement and attestation.

  • 12. AES NI minimizes the application performance concerns inherent in traditional cryptographic processing and provides enhanced security by addressing side channel attacks on AES associated with traditional software methods of table look-ups. Intel® Secure Key is a new instruction added to the Intel® 64 and IA-32 Architectures called RDRAND, with an underlying Digital Random Number Generator (DRNG) hardware implementation. The DRNG using the RDRAND instruction is useful for generating high-quality keys for cryptographic protocols. Encryption is a basic tool to ensure confidentiality of data at rest and on the wire, protecting against man in the middle attacks. With AES NI offloading of encryption, cryptography can become a common tool used whenever data confidentiality is needed, without having to worry about processing speed and slowness of overall system operations.

XenDesktop manages virtual machines as they run on top of server hypervisors like XenServer and Hyper-V. Various types of security compliance and regulations require the content of VMs with sensitive private data to be encrypted. AES-NI makes this possible. Today XenDesktop gets the value of AES-NI via the lower level hypervisor, as those hypervisors’ code relies on AES-NI for acceleration and key security. Windows OS and some of its applications can take advantage of AES-NI. XenDesktop IT admins can get the value of Windows in-bound usage of AES-NI directly by providing the right set of configuration to the Windows VM or deploying the r of in-guest VM agent.

Intel® VMCS Shadowing Technology

Citrix realized long ago that newer usage models are emerging that would require two or more Virtual Machine Monitors (VMMs) to be hosted on the same client system.
Citrix has been heavily engaged with Intel® to take advantage of new hardware capabilities designed to accelerate nesting of hypervisors (VMMs). Intel® VMCS Shadowing greatly reduces the frequency with which the guest VMM must access the root VMM in a nested environment. With Intel VMCS Shadowing, the root VMM is able to define a shadow VMCS in hardware. A guest VMM can access this shadow VMCS directly, without interrupting the root VMM. Since the shadow VMCS is implemented in hardware, required accesses can be completed nearly as fast as in a non-nested environment.

As explained above, XenDesktop relies on hypervisors’ interfaces for providing an abstracted hardware-independent view of the data center and cloud hardware. XenDesktop uses hypervisor interfaces available from XenServer, VMware Virtual Center and Microsoft System Center Virtual Machine Manager to achieve that purpose. Such capabilities will allow XenDesktop to deploy custom-driven in-guest VMs that yield better security, availability and robustness of desktops. A good example is McAfee’s Deep Defender, which provides advanced protection using a form of system virtualization furnished by a lightweight hypervisor, or Virtual Machine Monitor (VMM), known as DeepSAFE. Unlike server hypervisors like XenServer, DeepSAFE does not provide full system and I/O virtualization. Instead, it uses hardware-assisted virtualization to monitor and control memory and processor operations, which provides the foundational layer for Deep Defender security functions. Together, XenDesktop and Deep Defender provide a breadth and depth of security that neither can provide alone.

Figure 10: Intel VMCS Shadow Tables

  • 13. VMCS shadowing is a revolutionary technology as it opens the doors widely for custom VM-level virtualization-derived features. As more companies deliver guest-VM based micro-visors, XenDesktop IT administrators would be able to deploy separate custom-built guest-VM hypervisors (micro-visors) on a per-VM basis. For instance, XenDesktop IT admins can deploy a micro-visor that improves system security and recoverability in one VM while deploying another micro-visor that improves system availability, fault-tolerance and measurability to another VM, with both VMs running within the same XenDesktop virtual infrastructure. Those key benefits would be realized more in XenDesktop managed appliance-type VMs that run a single particular mission critical application, like a web or a DB server for instance.

Closing Notes

Citrix® XenDesktop® Hosted Desktops allows IT to realize important benefits that traditional PC environments can’t match:
    • Improved security and compliance with centralizing desktops, data, and applications
    • Enhanced worker productivity anywhere, anytime, any device and secure mobility
    • Streamlined desktop support managing all desktops with no interruptions
    • Improved business agility scaling and adapting to changes quickly

This paper has shown the reader how those benefits can be enabled and realized in two fundamentally different architectural scenarios:
    1. A virtualized environment powered by hardware-assisted virtualization of CPU, memory, GPU and I/O.
    2. A physicalized environment powered by a large number of PCs and servers integrated on a single chip, as in the case of Microservers.
From an IT admin perspective, whether the infrastructure is virtualized or physicalized, XenDesktop will work uniformly the same, and users will get the benefit of Hosted Desktops whether they’re deployed in the data center or in the cloud.

[Diagram: XenServer hypervisor and parent domain, Windows VM with DeepSAFE micro-hypervisor, shadow VMCS and DeepDefender engine, McAfee ePo Server, XenDesktop/XenServer management consoles, TXT measurement and hardware root of trust]
  • 14. Figure 11: Citrix XenDesktop support for system virtualization and physicalization through a unified management console. (Panels: Scaling up with Server Physicalization; Scaling out with Server Virtualization.)
  • 15. About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Citrix solutions help IT and service providers build clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective cloud services. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion.

About the author

Ahmed Sallam is a Citrix cross-functional VP and CTO leading technology and solutions strategy in the new emerging era of smart devices, IoT, IoE, system virtualization, server physicalization and security. His focus is on new emerging end-to-end solutions ranging from devices to networks to clouds across Citrix lines of products. Ahmed drives Intellectual Property growth opportunities and monetization strategy for Citrix as well. He works closely with software and hardware ecosystem partners integrating into Citrix open platforms. He served as CTO and VP of Product Strategy for Client Virtualization. Prior to Citrix, Ahmed was CTO of Advanced Technology and Chief Architect at McAfee, now part of Intel Corp., where he drove McAfee into developing global threat intelligence along with predictive preventive anti-malware security solutions. Ahmed is the co-inventor and architect of Intel/McAfee’s DeepSAFE technology and co-designer of VMware’s VMM CPU security technology known as VMsafe. Prior to McAfee, Ahmed was a Senior Architect with Nokia’s security division and a Principal Engineer at Symantec.
Ahmed is a renowned expert across the industry well known for pioneering new models in computer system virtualization-based security and management delivering flexible, well-managed and secure computer experience with high safety assurances. Ahmed holds 40 issued patents and has more than 40 published and pending patent applications. He earned a bachelor’s degree in Computer Science and Automatic Control from the University of Alexandria.