hosted desktops and server evolution technologies - 2014 edition

White paper

XenDesktop and The Evolution of Hardware-Assisted Server Technologies

By Ahmed Sallam, VP and CTO, Hardware, Security, Emerging Solutions and IP

January 2014

Table of Contents

Executive Summary ... 2
Background ... 2
    Introduction ... 2
    Intel, NVIDIA, AMD and HP ... 2
    Hosted Desktops on x86, ARM microservers and HSA ... 2
Evolution of Server Physicalization and Software Defined Servers ... 3
    HP® Moonshot Hyperscale Microservers ... 4
    Citrix® XenDesktop® powering HP® - AMD® Microservers ... 5
Hardware-Assisted System Virtualization ... 6
    Core benefits ... 6
    Challenges with software based system virtualization ... 7
    Intel® Virtualization Technology (Intel® VT) ... 8
    Intel® Virtualization Technology for Directed I/O (VT-d) ... 8
    GPU Virtualization: The art of sharing GPUs across virtual machines ... 8
Intel® Hardware-Assisted Security Technologies ... 10
    Challenges with traditional software-based security ... 10
    Intel Platform Protection Technologies ... 10
    Intel Trusted eXecution Technology (TXT) ... 11
    Intel® AES-NI and Secure Key Technology ... 11
    Intel® VMCS Shadowing Technology ... 12
Closing Notes ... 13
References ... 14
About Citrix ... 15
About the author ... 15



Executive Summary

Three key server hardware technologies are shaping the future of Desktop Virtualization:

1. Hardware-Assisted System Virtualization.
2. Hardware-Assisted System Security.
3. Hardware Servers Physicalization.

Hardware-assisted virtualization is happening everywhere for CPUs, memory, I/O and GPUs. Virtualization allows XenDesktop to scale out, taking best advantage of the existing compute power in system hardware. Microservers are driving innovation further, letting desktop physicalization scale upward by taking advantage of commodity low-cost hardware, yielding better performance per watt, higher density and lower cost. Lastly, hardware-assisted security is changing the face of computing, making IT infrastructure safer at the bottom of the system architecture stack, outside the reach of software. Citrix is actively engaged with the hardware ecosystem vendors for better design and enablement of various types of hardware-assisted features, delivering a unique and unprecedented enterprise mobility experience.

This paper provides the reader with enough technical insight covering those three emerging server technology areas. The content targets those Citrix customers and field engineers who have a basic understanding of data center infrastructure architecture as well as system virtualization. The paper is not intended for readers looking for a deep technical description of each technology, or for readers looking for a high-level, not-so-technical description.

Background

Introduction

For over two decades Desktop Virtualization has revolutionized the IT industry through reduced cost, simplified centralized management, better security, flexibility, visibility, scalability and higher availability. Citrix XenDesktop has been the industry leading solution for both desktop and application virtualization in the data center and as a service in the cloud. Hardware server technologies have played a key role in enabling desktop virtualization. This paper talks about specific current and emerging server hardware technologies that make desktop virtualization faster, simpler, safer, less expensive and highly scalable.

Intel, NVIDIA, AMD and HP

The paper covers many of Intel's server hardware technologies, which is expected given Intel's market leadership as the provider of very large-scale hardware compute servers. NVIDIA has recently come up with their technology for server GPU virtualization, which will be covered in the paper. AMD and HP have collaborated closely to deliver x86 microservers addressing the growing need for system physicalization, and this line of technology will be covered in the paper as well.

Hosted Desktops on x86, ARM microservers and HSA

This paper focuses on Citrix XenDesktop running on top of x86-based hardware servers. XenDesktop manages Windows in the enterprise and as a cloud-based desktop service. ARM-based microservers are growing in popularity, entering the market with a specific focus on web, cloud and big data workloads. Citrix has been active in the ARM microserver space:

1. Collaborating and engaging closely with ARM Corporation on server architecture and specification.
2. Engaging with ARM hardware microserver providers like AppliedMicro, AMD and Marvell.
3. Being an active member of the Linaro Enterprise Group.
4. Porting the Citrix Xen Project Hypervisor to the ARM architecture.

The focus of ARM microserver products has been on Linux-based ARM microservers and not on Windows, as the Windows server OS has not been made available yet on the ARM architecture. Microsoft has not come publicly with any disclosed plans for doing so in the near future either. Given those reasons, the ARM architecture won't be covered in this paper.

Evolution of Server Physicalization and Software Defined Servers

In this rapidly growing Internet of Things environment, many things that we do every day, such as checking email accounts, posting onto social media sites, browsing web pages, and searching web indexes or portals, are not compute-intensive. They do, however, have high I/O throughput and memory footprint requirements. IT architects working at this scale typically use cluster techniques to run massively parallel workloads that distribute data across many nodes, often in cloud environments. Using typical server x86 CPUs designed for compute-intensive enterprise applications in these environments means underutilizing compute capacity and wasting energy. Distributed workloads in cloud environments often run at low processor utilization levels of 20% or less, yet administrators pay for the cost of a premium CPU.

Virtualization has historically addressed the issue of low CPU and GPU utilization by allowing IT architects to consolidate multiple workloads that are somewhat balanced, such as enterprise applications or infrastructure-as-a-service. Physicalization, on the other hand, addresses the need to scale up applications and web serving, where the I/O component is much larger and the amount of processing required per unit of data is much smaller. In these environments, consolidating through virtualization effectively reduces the network, memory, and I/O bandwidth per unit of data, which makes the large I/O problem worse. Physicalization takes the approach of using energy-efficient CPUs that balance performance and cost to match the needs of data-intensive applications.

[Figure 1 (diagram): scaling up through physical server nodes. Each physical server node (CPU, memory, USB, network, storage) runs a Windows kernel and Windows OS with its apps; XenDesktop on Windows OS, together with the XenDesktop/XenServer management consoles, delivers a managed and secured compute experience covering the operating system, user apps, data, per-VM agents, attestation policies, user profile and corporate apps.]

Figure 1: XenDesktop managing hosted desktops in physical data centers.

The data center environment is diversifying both in terms of the infrastructure and the market segments, including storage, communications, cloud, HPC, and traditional enterprise. Each area has a unique requirement, which is providing an opportunity for targeted solutions to best cover these needs. The microserver is comprised of many small one-socket servers sharing a chassis, fans, power supplies and a common interconnect to achieve improved flexibility, higher efficiency and density.

The Intel® Atom® processor C2000 product family is Intel's second-generation 64-bit server System on Chip (SoC), manufactured in a low power 22nm SoC process. Its focus is on enabling high density with high performance, providing 2, 4, and 8 core product models at 6-20 Watts of power consumption. That extends Intel's existing portfolio of products that serve the cloud service providers. It is optimized for parallel software that benefits most from more individual servers with sufficient I/O between nodes, including static web servers, simple content delivery nodes, distributed memory caching (memcached), entry dedicated hosting, cold storage, and any of the afore-mentioned uses that have an additional need for acceleration of cryptographic communications, such as entry level security appliances and switches.

Up to four Intel® Atom® SoC nodes can be added onto a Server System Infrastructure (SSI) module. Multiple SSI modules can be added to a single microserver chassis to expand the number of accessible nodes. This allows for optimization of rack density as compared to other single unit servers. Figure 1 is a representation of the microserver at a high level.

HP® Moonshot Hyperscale Microservers

HP Moonshot System is a new server design that addresses the speed, scale and specialization required for the new style of IT that is emerging around the converging trends of mobility, cloud, social media, and big data. With billions of people connected with each other and with businesses over the Internet, many of them from mobile devices, there is a rapidly escalating demand for digital content and experiences. The connection of almost any device to the Internet has become known as the Internet of Things (IoT). These devices can gather and process data, provide a service, and seamlessly interact with other devices. The IoT presents businesses with new ways to drive market differentiation, deepen customer relationships, and deliver profitability. These specialized IoT solutions require a new style of computing, one that can achieve optimal performance and efficient scaling.

A key issue that overwhelms IT managers in hyperscale environments is the sheer number of devices they must manage, power, and cool. With today's rack-mount x86 platforms, you can have between 20 and 40 servers in a 42U rack. Scale-out optimized platforms like HP ProLiant SL can increase the density to 80 servers in each rack. Each server comes with its own management controller, network controllers, storage controllers, OS instance, device drivers, and so on. So every time you add a server, you must also procure multiple I/O devices and manage, secure, power, and cool them. While HP BladeSystem c-Class enclosures also provide a shared infrastructure, the HP Moonshot System takes the sharing to a new level by integrating the processor and chipset onto a single piece of silicon and sharing other resources across the system.

Figure 2: Intel ATOM C2000 four SoCs card

Dedicated hosting companies use large numbers of traditionally architected servers, hitting the wall for power, cooling and space. The HP Moonshot System uses an innovative new architecture that results from one simple design tenet: to align purpose-built modules with the right workload to provide optimal results for dedicated hosting environments. HP Moonshot System is a software-defined server platform achieving efficiency and scale by aligning just the right amount of compute, memory and storage to get the work done, enabling IT to capitalize on the major growth trend of the IoT. Traditional servers rely on dedicated components, including management, networking, storage, power cords and cooling fans, in a single chassis. In contrast, the Moonshot system shares these chassis components and is capable of supporting 45 servers per 4.3U chassis. This provides the ability to generate greater revenue from a smaller footprint while driving down operational costs.

Each software-defined server contains its own dedicated memory, storage, storage controller, and two NICs (1Gb). For monitoring and management, each server contains management logic in the form of a Satellite Controller with a dedicated internal network connection (100Mb). HP Moonshot System provides application-specific processing for targeted workloads. Creating a fabric infrastructure capable of accommodating a wide range of application-specific workloads requires highly flexible fabric connectivity. This flexibility allows the Moonshot System fabric architecture to adapt to changing requirements of hyperscale workload interconnectivity.

Moonshot management is achieved via support of the Command-Line Interface (CLI) and the Intelligent Platform Management Interface (IPMI). These provide the primary gateway for node management, aggregation, inventory, power capping, firmware management and aggregation, along with asset management and deployment.

Citrix® XenDesktop® powering HP® - AMD® Microservers

At HP Discover 2013 in Barcelona, Spain, HP unveiled a new member of the Moonshot platform called the Converged System 100 for Hosted Desktops, designed exclusively with AMD for Citrix XenDesktop. The system is supported for Citrix customers using XenDesktop 7.1 and Provisioning Services 7.1. An independent compute and graphics processing unit (GPU) per user, when combined with the high density of the HP Converged System 100 for Hosted Desktops, delivers a full-powered PC desktop experience to all types of enterprise users. Workers now enjoy consistent performance and quality of service no matter what individual workloads they are running, including business graphics and multimedia applications.

Figure 3: HP Moonshot 1500 Chassis rear view
Figure 4: HP Moonshot 1500 Chassis front view

The HP Converged System 100 for Hosted Desktops consists of a 4.3U HP Moonshot 1500 Chassis that holds up to 45 AMD-based cartridges. Each cartridge has four independent servers (PC-on-a-chip), with each server supporting one desktop. The dedicated GPU per user enables PC-quality multimedia capabilities. Combined with HP Moonshot and data center hosting efficiencies, this non-persistent delivery model provides a compelling cost per user.

A complete solution including compute, storage, and networking, the HP Converged System 100 for Hosted Desktops hosts up to 180 desktops per chassis. With no SAN or virtualization layer to install and manage, IT administrators will experience less complexity. And with pre-determined sizing and fewer workload images, desktop provisioning time is greatly reduced.

The main feature that only XenDesktop 7.1 provides is the capability for the Standard VDA to leverage the native GPU for DirectX enabled applications, for example, without the need for the HDX 3D Pro VDA, which was always required before for leveraging GPUs. The HDX 3D Pro VDA is required for higher end CAD applications, which also require a higher end GPU than what is inside the M700 cartridge. Consider the NVIDIA K2 and XenServer GPU pass-through with HP BL380 Gen8 blades for HDX 3D Pro for those higher end users; that is a separate architecture from Moonshot.

Throughout the development of the Moonshot platform Citrix, HP, and AMD worked very closely to ensure HDX compatibility. During that time Citrix developers were able to enhance the XenDesktop 7.1 VDA WDDM driver to provide optimizations that are now capable of leveraging the AMD graphics cards, which are standard on the Moonshot HDI platform. This new WDDM driver enhancement now allows for a superior HDX experience that can directly leverage the GPU for each node.

Hardware-Assisted System Virtualization

Core benefits

Virtualization solutions allow multiple operating systems and applications to run in independent partitions all on a single computer. Using virtualization capabilities, one physical computer system can function as multiple "virtual" systems. Virtual partitioning needs to be achieved from the hardware level at the very bottom and enabled all the way up through the upper software layers. System hardware is composed of CPUs, memory, GPUs and I/O devices, networks and storage in particular. Every one of those hardware components has to be pre-designed for, or capable of, running multiple isolated virtual environments on top. Server hardware and software hypervisors have evolved in the past few years to provide virtualization assistance across CPUs, GPUs, memory, network and storage.

For over two decades Citrix has been the industry leader in application virtualization. Our flagship product XenApp has been behind the streamlined operations in hospitals, enterprises, schools, factories, airports, governments, etc. As server virtualization became possible, Citrix delivered a full desktop virtualization experience, allowing not only apps to be virtualized with isolated access but also desktops.

Virtualization provides the ability to isolate software components, running them in isolated containers with inbound and outbound access control. With such a level of isolation and access control, virtualization allows companies like Citrix to revolutionize the way desktops and apps are delivered and secured, driving us into a new era of safer and full enterprise mobility.

[Figure 5 (diagram): a hypervisor hosting Windows VMs, each with a Windows kernel and its apps; XenDesktop, through the XenDesktop management console, delivers a managed and secured compute experience (performance, security, virtualization) covering the operating system, user apps, data, per-VM agents, user profile and corporate apps, serving both computer users and IT admins.]

Figure 5: XenDesktop managing hosted desktops in virtual data centers

Intel's family of Xeon server processors provides support for hardware-based technologies enabling desktop and application virtualization and security. The following section of the paper will cover specifically the following technologies: Intel VT, VT-x, VT-d, TXT, OS Guard, VMCS Shadowing (nesting of hypervisors) and AES-NI.

Responsive and secure desktop virtualization requires tight integration between the virtual machine monitor / hypervisor software that is used to deploy and manage virtual machines and the underlying hardware platform. XenServer is the Citrix open source hypervisor product for server and cloud virtualization. XenServer takes advantage of many server hardware provided technologies. XenDesktop, which runs on top of many commercial hypervisors, gets the benefits of many of those direct interfaces between XenServer, the hypervisor, and Intel server hardware. Some of those benefits will be covered in coming sections.

Challenges with software based system virtualization

The design of Intel's protected mode architecture provides four protection rings, ring 0 to ring 3, of which ring 0 is the most privileged, used for running the operating system kernel along with device drivers, and ring 3 is used to run user mode applications. Software modules running in ring 0 have enough privilege to directly access certain processor, memory and I/O control structures, addresses and registers. One approach to software-based virtualization is called ring deprivileging, which involves running the guest OS at a higher ring than ring 0. Various techniques have generally been used for software-based virtualization: (1) binary translation, inducing a trap-and-emulate model, (2) shadowing of memory and I/O pages and (3) device and chipset emulation. Those techniques increase software complexity, greatly affecting its performance and reliability, increase the size of what is needed to establish a Trusted Computing Base (TCB) and suffer from the absence of sufficient protection across boundaries. Another popular technique is para-virtualization, which involves modifying and porting the operating system to run within the target virtual machine environment. The obvious price of para-virtualization is not being able to run operating system code unmodified in virtual environments.

Intel® Virtualization Technology (Intel® VT)

Intel® Hardware-based Virtualization Technology (Intel® VT) improves the fundamental flexibility and robustness of traditional software-based virtualization solutions by accelerating key functions of the virtualized platform. This efficiency offers benefits to IT as it speeds up the transfer of platform control between the guest operating systems (OSs) and the virtual machine manager (VMM)/hypervisor, enabling the VMM to uniquely assign CPUs and memory pages to guest OSs. Intel VT performs various virtualization tasks in hardware, like memory address translation, which reduces the overhead and footprint of virtualization software and improves its performance.

Intel® Virtualization Technology for Directed I/O (VT-d)

Intel VT-d is the other part of the Intel Virtualization Technology hardware architecture. VT-d addresses the loss of native performance or of native capability of a virtualized I/O device by providing hardware isolation and translation mechanisms that enable the VMM to directly assign the device to a VM. In this model, the VMM restricts itself to a controlling function for enabling direct assignment of devices to its partitions. Rather than invoking the VMM for all (or most) I/O requests from a partition, the VMM is invoked only when guest software accesses protected resources (such as I/O configuration accesses, interrupt management, etc.) that impact system functionality and isolation.

Intel VT-d enables protection by restricting direct memory access (DMA) of the devices to pre-assigned domains or physical memory regions. This is achieved by a hardware capability known as DMA-remapping. The VT-d DMA-remapping hardware logic in the chipset sits between the DMA-capable peripheral I/O devices and the computer's physical memory. In a virtualization environment the system software is the VMM. In a native environment where there is no virtualization software, the system software is the native OS. DMA-remapping translates the address of the incoming DMA request to the correct physical memory address and performs checks for permissions to access that physical address, based on the information provided by the system software.
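As an added illustration (not Intel's or Citrix's code), the following Python model shows what the DMA-remapping stage described above does on every request: the VMM assigns each device to a domain and programs per-domain page mappings with permissions, and the remapping logic translates each DMA address and faults anything outside the device's domain. The device ids, domain ids, addresses and page mappings are constructed sample values.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 4096


class DmaFault(Exception):
    """Raised when the remapping logic blocks a DMA request."""


@dataclass
class Domain:
    """A protection domain (one VM's memory): I/O page -> (physical page, read, write)."""
    domain_id: int
    pages: dict = field(default_factory=dict)

    def map_page(self, io_page: int, phys_page: int, read: bool = True, write: bool = True):
        self.pages[io_page] = (phys_page, read, write)


class DmaRemapper:
    """Models the VT-d remapping stage between DMA-capable devices and physical memory.

    The system software (the VMM here) fills the context table binding each device
    to a domain; the hardware then translates and permission-checks every request.
    """

    def __init__(self):
        self.context = {}    # device id -> Domain
        self.fault_log = []  # (device, io_addr, reason); a VMM would surface these

    def assign_device(self, device: str, domain: Domain) -> None:
        self.context[device] = domain

    def translate(self, device: str, io_addr: int, write: bool = False) -> int:
        """Return the physical address for a device DMA request, or raise DmaFault."""
        domain = self.context.get(device)
        if domain is None:
            raise self._fault(device, io_addr, "device not assigned to any domain")
        entry = domain.pages.get(io_addr // PAGE_SIZE)
        if entry is None:
            raise self._fault(device, io_addr, f"no mapping in domain {domain.domain_id}")
        phys_page, can_read, can_write = entry
        if write and not can_write:
            raise self._fault(device, io_addr, "write to read-only page")
        if not write and not can_read:
            raise self._fault(device, io_addr, "read from write-only page")
        return phys_page * PAGE_SIZE + (io_addr % PAGE_SIZE)

    def _fault(self, device: str, io_addr: int, reason: str) -> DmaFault:
        self.fault_log.append((device, io_addr, reason))
        return DmaFault(f"{device}: DMA to 0x{io_addr:x} blocked ({reason})")


def build_sample_remapper() -> DmaRemapper:
    """Constructed sample: two VMs, each with one directly assigned device."""
    vm1 = Domain(domain_id=1)
    vm1.map_page(io_page=0x10, phys_page=0x200)               # VM1 packet buffer, read/write
    vm1.map_page(io_page=0x11, phys_page=0x201, write=False)  # VM1 descriptor ring, read-only to the device
    vm2 = Domain(domain_id=2)
    vm2.map_page(io_page=0x10, phys_page=0x300)               # VM2 buffer at the same I/O address

    remapper = DmaRemapper()
    remapper.assign_device("0000:03:00.0", vm1)  # NIC passed through to VM1 (constructed id)
    remapper.assign_device("0000:04:00.0", vm2)  # storage controller passed through to VM2
    return remapper


def run_checks(remapper: DmaRemapper) -> dict:
    """Exercise the model; report what reached memory and what was blocked."""
    results = {}
    # The same I/O address from two devices lands in two different VMs' memory.
    results["nic_write"] = remapper.translate("0000:03:00.0", 0x10040, write=True)
    results["disk_write"] = remapper.translate("0000:04:00.0", 0x10040, write=True)
    attempts = [
        ("0000:03:00.0", 0x11000, True),    # NIC writing its read-only descriptor ring
        ("0000:03:00.0", 0x300000, False),  # NIC targeting VM2's buffer by physical address
        ("0000:05:00.0", 0x10000, False),   # a device the VMM never assigned
    ]
    blocked = []
    for device, addr, write in attempts:
        try:
            remapper.translate(device, addr, write=write)
        except DmaFault as exc:
            blocked.append(str(exc))
    results["blocked"] = blocked
    results["faults_logged"] = len(remapper.fault_log)
    return results


if __name__ == "__main__":
    for key, value in run_checks(build_sample_remapper()).items():
        print(key, value)
```

Without the remapping stage, the second blocked attempt would have reached VM2's memory directly, which is the cross-partition DMA exposure VT-d closes.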

GPU Virtualization: The art of sharing GPUs across virtual machines

As Intel made great advancements to hardware CPU and I/O virtualization, parallel progress was made around GPU hardware virtualization. NVIDIA® GRID™ vGPU™ brings the full benefit of NVIDIA hardware-accelerated graphics to virtualized solutions. This provides exceptional graphics performance for virtual desktops by sharing a single GPU among multiple users. GRID vGPU provides hardware acceleration across multiple virtual desktops while delivering a high performance graphics experience, with economical benefits over a dedicated GPU per each user.

Figure 6: NVIDIA vGPU GRID

Operating systems still use the NVIDIA native graphics drivers, allowing seamless support without impacting application features or compatibility. Furthermore, the graphics commands of each virtual machine are passed directly to the GPU, without requiring additional translation by the hypervisor. This transparent support allows GPU hardware to be virtually divided, delivering ultimate shared virtualized graphics performance.

As said earlier, Citrix HDX 3D Pro uses the native NVIDIA GPU driver installed directly in the guest OS. With NVIDIA GRID cards, this ensures full application-level compatibility. As a result of that, any application certified to work with NVIDIA cards would be fully supported on NVIDIA vGPU GRID. Citrix HDX 3D Pro supports OpenGL 4.3 and DirectX 11 applications on both desktop and server platforms. Application vendors are actively working with NVIDIA and Citrix to certify their applications for compliance. It is worth noting here that such compliance does not happen transparently with software-based GPU virtualization.

To provide the reader with further explanation of how this works, as shown in the diagram above, each virtual machine directly accesses a part of the physical card, called the "vGPU". The vGPU assignment provides direct framebuffer access to video memory residing on the GPU. This direct access minimizes lag time and provides a highly responsive user experience, even when rendering large and complex 3D models.

XenDesktop and XenServer take advantage of such advanced server-side GPU rendering to provide knowledge workers, power users, and designers the ability to perform at their best with no interruption. NVIDIA GRID™-accelerated XenDesktop is an ideal solution for 3D graphics-intensive applications like remote workstations, as users get the full experience of the local PC while running on a virtual desktop residing in the data center. XenDesktop's existing software GPU pass-through and hardware sharing technologies have delivered great value for graphically intensive applications such as Adobe Photoshop, Dassault SolidWorks, Ansys Workbench and Autodesk applications. Combining the benefits of that with the vGPU technology will deliver unprecedented value at much lower cost.

Figure 7: XenDesktop supporting NVIDIA vGPU GRID

A wide range of graphics, video and CAD intensive applications, including medical and industrial imagery products, are now fully interactive with NVIDIA GRID. By leveraging GRID technology with full 3D and compute API support through the latest NVIDIA Quadro® drivers, users will be able to take advantage of thousands of applications that run OpenGL 4.3, Microsoft DirectX 9, 10, 11, or NVIDIA CUDA® 5.0. It is worth noting that Citrix is actively working with NVIDIA along with major server vendors such as HP, Dell, Cisco and IBM to ensure software integration is done and available for use with XenDesktop sessions on XenServer hypervisors.

Intel®Hardware-AssistedSecurityTechnologies

Challengeswithtraditionalsoftware-basedsecurityTraditionaldesignofcomputerhardwarearchitecturedidnotdistinguishbetweenrunninglegitimateandillegitimatesoftwaremodules.Asaresultofthat,anypieceofsoftwarecodecould boot the system hardware taking full control before the firmware boots the useroperatingsysteminstalledonthesystem.Thisboot-timecontrolhasbeenbehindmanykeyAdvanced Persistent Threats (APTs) that have taken place in the past few years steelingcorporateskeyvaluabledigitalassets;challengingstabilityandviabilityofworld’seconomy.Usageofcryptographicalgorithmshasbeenusedasakeyelementofensuringconfidentialityofdata exchangedacross the Internet and storedonpersistent storage.But cryptographicalgorithms are very computationally extensive. Thus their usage has been limited tosituationsinwhichtheiroverheadoversystemresponsetimeisacceptable.Incomingsectionsthepaperwill talkaboutsomekeysecuritytechnologiestoaddresstheneed to protect the boot-elements of he hardware, to establish a Trusted Compute Base(TCB)andtoaccelerateadoptionofcryptographicalgorithms.

Intel Platform Protection Technologies

To address malware infections taking place underneath the operating system, malware protection has to start from the BIOS. Intel BIOS Guard Technology (IBGT) ensures that updates made to the system BIOS flash are secure. Any update made to the system BIOS is cryptographically verified by a guard module using a protected agent running in protected system memory. Another related technology is Intel's Platform Trust Technology (IPTT), which provides platform functionality for credential storage and key management used by Windows 8. Both technologies bring great value to XenDesktop hosted desktops as they ensure that the physical hardware is protected and secure from boot-record malware infections, closing an entry point used by Advanced Persistent Threats (APTs).

Intel OS Guard (IOSG) is another key security feature, preventing instruction execution from user-mode memory pages while the CPU is in supervisor mode. IOSG helps to prevent common attacks that seek to use privilege escalation to gain control of a platform or execute malware. IOSG can be enabled via a Windows 8 boot loader option. With XenDesktop centralized management and policy enforcement, IT admins can force the OS Guard feature policy to be always turned on for Windows 8.


Intel Trusted eXecution Technology (TXT)

Intel TXT® is a feature available in the Intel® Xeon® processor. It establishes a root of trust through measurements taken when the hardware and pre-launch software components are in a known good state. Intel TXT brings the security advantages of the microkernel model to the actual platform, with enhancements. For a cloud environment, Intel® TXT is able to Measure Launch (ML) the BIOS and hypervisor and attest the integrity of each VM individually.

Figure 8: TXT benefits to virtualized datacenters and clouds

Utilizing the result, with XenDesktop along with a VMM like XenServer, administrators can set policies for sensitive data and workload placement onto groups of servers known as trusted compute pools. Those trusted compute pools with Intel® TXT support IT compliance by protecting virtualized XenDesktop datacenters against attacks toward the hypervisor, BIOS, firmware, and other pre-launch software components. With Intel TXT, IT can run XenDesktop virtual desktops on a trusted server, protecting enterprise workloads and data, avoiding compromised security and enhancing IT compliance.
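The measured-launch and trusted-compute-pool logic described above, as an added example that is not part of the white paper nor Intel's or Citrix's code: a TPM-style extend chain over constructed BIOS and hypervisor stand-ins, and a placement check that refuses hosts whose reported measurement does not match the recorded golden policy and VMs whose image does not match their attested golden image. The component bytes, VM name and policy layout are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for what TXT measures at launch (BIOS, hypervisor) and
# for the per-VM golden images an administrator records; not real firmware bytes.
GOOD_BIOS = b"constructed: OEM BIOS image, 2014-01 build"
GOOD_HYPERVISOR = b"constructed: XenServer hypervisor image"
GOOD_VM_IMAGES = {"finance-desktop": b"constructed: golden Windows 8 VM image"}


def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component)).

    The result depends on every component and on the order they were measured,
    and nothing can be removed from the chain, so the final value is evidence
    of the whole pre-launch sequence rather than of any single file."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measured_launch(bios: bytes, hypervisor: bytes) -> str:
    """Measure BIOS, then hypervisor, into a register that starts at zero on
    power-on; the hex result is what the host later reports to the verifier."""
    register = bytes(32)
    for component in (bios, hypervisor):
        register = extend(register, component)
    return register.hex()


def golden_policy() -> dict:
    """Known-good values defining membership of the trusted compute pool."""
    return {
        "platform": measured_launch(GOOD_BIOS, GOOD_HYPERVISOR),
        "vms": {name: hashlib.sha256(img).hexdigest()
                for name, img in GOOD_VM_IMAGES.items()},
    }


def place_workload(vm_name: str, vm_image: bytes, host_quote: str, policy: dict) -> str:
    """Placement decision for a sensitive VM: trusted host first, then the VM
    itself is attested individually against its golden image."""
    # constant-time comparison so the verifier does not leak matching prefixes
    if not hmac.compare_digest(host_quote, policy["platform"]):
        return "refused: host is outside the trusted compute pool"
    expected = policy["vms"].get(vm_name)
    actual = hashlib.sha256(vm_image).hexdigest()
    if expected is None or not hmac.compare_digest(actual, expected):
        return "refused: VM image does not match its attested golden image"
    return "placed"
```

Swapping the measurement order of BIOS and hypervisor yields a different final value, which is why a golden policy must be recorded from a launch sequence known to be good rather than from the individual file hashes.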

Figure 9: XenDesktop and XenServer support for TXT-based measurement and attestation.

Intel® AES-NI and Secure Key Technology

Intel® AES-NI is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family. AES-NI is a set of new instructions to the Intel architecture implementing some intensive sub-steps of the AES algorithm in the hardware, accelerating execution of the AES application. AES-NI minimizes application performance concerns inherent in traditional cryptographic processing, providing enhanced security by addressing side-channel attacks on AES associated with traditional software methods of table look-ups. Intel® Secure Key is a new instruction added to the Intel® 64 and IA-32 Architectures called RDRAND, with an underlying Digital Random Number Generator (DRNG) hardware implementation. The DRNG, accessed via the RDRAND instruction, is useful for generating high-quality keys for cryptographic protocols.

Encryption is a basic tool to ensure confidentiality of data at rest and on the wire, protecting against man-in-the-middle attacks. With AES-NI offloading of encryption, cryptography can become a common tool used whenever data confidentiality is needed, without having to worry about processing speed and slowness of overall system operations.

XenDesktop manages virtual machines as they run on top of server hypervisors like XenServer and Hyper-V. Various types of security compliance and regulations require the content of VMs with sensitive private data to be encrypted. AES-NI makes this possible. Today XenDesktop gets the value of AES-NI via the lower-level hypervisor, as those hypervisors' code relies on AES-NI for acceleration and key security. The Windows OS and some of its applications can take advantage of AES-NI. XenDesktop IT admins can get the value of Windows' built-in usage of AES-NI directly by providing the right set of configuration to the Windows VM or deploying their in-guest VM agent.
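A host inventory check for the OS Guard (SMEP), AES-NI and RDRAND features discussed in this and the preceding section, added here as an example and not taken from the white paper or from Citrix or Intel tooling; the /proc/cpuinfo excerpt is constructed, and the mapping from technology to kernel flag name is this example's assumption about what a Linux-based XenServer host exposes.

```python
# Constructed /proc/cpuinfo excerpt for one logical CPU of a XenServer host.
# Flag names are the ones the Linux kernel exports: 'aes' is AES-NI, 'rdrand'
# is Secure Key, 'smep' is the OS Guard mechanism, 'vmx'/'smx' are VT-x and TXT.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: constructed sample Xeon
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx smx aes xsave rdrand smep
"""

# Technology named in the paper -> kernel flag(s) that must all be present.
REQUIRED_FLAGS = {
    "Intel VT-x (VMX)": {"vmx"},
    "Intel TXT (SMX)": {"smx"},
    "Intel AES-NI": {"aes"},
    "Intel Secure Key (RDRAND)": {"rdrand"},
    "Intel OS Guard (SMEP)": {"smep"},
}
# VMCS shadowing has no cpuinfo flag: it is advertised in the VMX capability
# MSR IA32_VMX_PROCBASED_CTLS2, readable only by the hypervisor, so it is not checked.


def parse_flags(cpuinfo_text: str) -> set:
    """Union of flag names over every 'flags' line (one per logical CPU)."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def check_features(cpuinfo_text: str) -> dict:
    """Map each technology to True/False for the given cpuinfo text."""
    flags = parse_flags(cpuinfo_text)
    return {name: needed <= flags for name, needed in REQUIRED_FLAGS.items()}


def missing_features(cpuinfo_text: str) -> list:
    """Technologies the host does not expose. Note that 'smx' present only means
    the CPU side of TXT exists; BIOS and TPM enablement must be verified separately."""
    return sorted(name for name, ok in check_features(cpuinfo_text).items() if not ok)


def check_local_host() -> dict:
    """Run the same check against the real /proc/cpuinfo of this machine."""
    with open("/proc/cpuinfo", encoding="ascii", errors="replace") as fh:
        return check_features(fh.read())
```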

Intel® VMCS Shadowing Technology

Citrix realized long ago that newer usage models are emerging that would require two or more Virtual Machine Monitors (VMMs) to be hosted on the same client system. Citrix has been heavily engaged with Intel® to take advantage of new hardware capabilities designed to accelerate nesting of hypervisors (VMMs). Intel® VMCS Shadowing greatly reduces the frequency with which the guest VMM must access the root VMM in a nested environment. With Intel VMCS Shadowing, the root VMM is able to define a shadow VMCS in hardware. A guest VMM can access this shadow VMCS directly, without interrupting the root VMM. Since the shadow VMCS is implemented in hardware, required accesses can be completed nearly as fast as in a non-nested environment.

As explained above, XenDesktop relies on hypervisors' interfaces for providing an abstracted, hardware-independent view of the datacenter and cloud hardware. XenDesktop uses hypervisor interfaces available from XenServer, VMware VirtualCenter and Microsoft System Center Virtual Machine Manager to achieve that purpose. Such capabilities will allow XenDesktop to deploy custom-driven in-guest VMs that yield better security, availability and robustness of desktops. A good example is McAfee's Deep Defender, which provides advanced protection using a form of system virtualization furnished by a lightweight hypervisor, or Virtual Machine Monitor (VMM), known as DeepSAFE. Unlike server hypervisors like XenServer, DeepSAFE does not provide full system and I/O virtualization. Instead, it uses hardware-assisted virtualization to monitor and control memory and processor operations, which provides the foundational layer for Deep Defender security functions. Together, XenDesktop and Deep Defender provide a breadth and depth of security that neither can provide alone.

VMCS shadowing is a revolutionary technology as it opens the doors widely for custom VM-level virtualization-derived features. As more companies deliver guest-VM based micro-visors, XenDesktop IT administrators would be able to deploy separate custom-built guest-VM hypervisors (micro-visors) on a per-VM basis. For instance, XenDesktop IT admins can deploy a micro-visor that improves system security and recoverability in one VM while deploying another micro-visor that improves system availability, fault-tolerance and measurability in another VM, with both VMs running within the same XenDesktop virtual infrastructure. Those key benefits would be more fully realized in XenDesktop-managed appliance-type VMs that run a single particular mission-critical application like a web or a DB server, for instance.

Figure 10: Intel VMCS Shadow Tables

Closing Notes

Citrix® XenDesktop® Hosted Desktops allow IT to realize important benefits that traditional PC environments can't match:

• Improved security and compliance by centralizing desktops, data, and applications
• Enhanced worker productivity anywhere, anytime, on any device, and secure mobility
• Streamlined desktop support, managing all desktops with no interruptions
• Improved business agility, scaling and adapting to changes quickly

This paper has shown the reader how those benefits can be enabled and realized in two fundamentally different architectural scenarios:

1. A virtualized environment powered by hardware-assisted virtualization of CPU, memory, GPU and I/O.

2. A physicalized environment powered by integrating a large number of PCs and servers on a single chip, as in the case of microservers.

From an IT admin perspective, whether the infrastructure is virtualized or physicalized, XenDesktop will work uniformly the same and users will get the benefit of Hosted Desktops whether they're deployed in the datacenter or in the cloud.

Figure 11: Citrix XenDesktop support for system virtualization and physicalization through a unified management console.


About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Citrix solutions help IT and service providers build clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective cloud services. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion.

About the author

Ahmed Sallam is a Citrix cross-functional VP and CTO leading technology and solutions strategy in the new emerging era of smart devices, IoT, IoE, system virtualization, server physicalization and security. His focus is on new emerging end-to-end solutions ranging from devices to networks to clouds across Citrix lines of products. Ahmed drives Intellectual Property growth opportunities and monetization strategy for Citrix as well. He works closely with software and hardware ecosystem partners integrating into Citrix open platforms. He served as CTO and VP of Product Strategy for Client Virtualization. Prior to Citrix, Ahmed was CTO of Advanced Technology and Chief Architect at McAfee, now part of Intel Corp., where he drove McAfee into developing global threat intelligence along with predictive preventive anti-malware security solutions. Ahmed is the co-inventor and architect of Intel/McAfee's DeepSAFE technology and co-designer of VMware's VMM CPU security technology known as VMsafe. Prior to McAfee, Ahmed was a Senior Architect with Nokia's security division and a Principal Engineer at Symantec. Ahmed is a renowned expert across the industry, well known for pioneering new models in computer system virtualization-based security and management, delivering a flexible, well-managed and secure computer experience with high safety assurances. Ahmed holds 40 issued patents and has more than 40 published and pending patent applications. He earned a bachelor's degree in Computer Science and Automatic Control from the University of Alexandria.