security a sparc m7 cpu

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Security a SPARC M7 CPU

Josef Šlahůnek Oracle Systems Sales Consulting [email protected] +420 602 731 728


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3


Required Benchmark Disclosure Statement Must be in SPARC M7 Presentations with Benchmark Results

•Additional Info: http://blogs.oracle.com/bestperf •Copyright 2015, Oracle &/or its affiliates. All rights reserved. Oracle & Java are registered trademarks of Oracle &/or its affiliates.Other names may be trademarks of their respective owners

•SPEC and the benchmark name SPECjEnterprise are registered trademarks of the Standard Performance Evaluation Corporation. Results from www.spec.org as of 10/25/2015. SPARC T7-1, 25,818.85 SPECjEnterprise2010 EjOPS (unsecure); SPARC T7-1, 25,093.06 SPECjEnterprise2010 EjOPS (secure); Oracle Server X5-2, 21,504.30 SPECjEnterprise2010 EjOPS (unsecure); IBM Power S824, 22,543.34 SPECjEnterprise2010 EjOPS (unsecure); IBM x3650 M5, 19,282.14 SPECjEnterprise2010 EjOPS (unsecure).

•SPEC and the benchmark name SPECvirt_sc are registered trademarks of the Standard Performance Evaluation Corporation. Results from www.spec.org as of 11/18/2015. SPARC T7-2, SPECvirt_sc2013 3198@179 VMs; HP DL580 Gen9, SPECvirt_sc2013 3020@168 VMs; Lenovo x3850 X6; SPECvirt_sc2013 2655@147 VMs; Huawei FusionServer RH2288H V3, SPECvirt_sc2013 1616@95 VMs; HP ProLiant DL360 Gen9, SPECvirt_sc2013 1614@95 VMs; IBM Power S824, SPECvirt_sc2013 1371@79 VMs.

•SPEC and the benchmark names SPECfp and SPECint are registered trademarks of the Standard Performance Evaluation Corporation. Results as of October 25, 2015 from www.spec.org and this report. 1 chip resultsSPARC T7-1: 1200 SPECint_rate2006, 1120 SPECint_rate_base2006, 832 SPECfp_rate2006, 801 SPECfp_rate_base2006; SPARC T5-1B: 489 SPECint_rate2006, 440 SPECint_rate_base2006, 369 SPECfp_rate2006, 350 SPECfp_rate_base2006; Fujitsu SPARC M10-4S: 546 SPECint_rate2006, 479 SPECint_rate_base2006, 462 SPECfp_rate2006, 418 SPECfp_rate_base2006. IBM Power 710 Express: 289 SPECint_rate2006, 255 SPECint_rate_base2006, 248 SPECfp_rate2006, 229 SPECfp_rate_base2006; Fujitsu CELSIUS C740: 715 SPECint_rate2006, 693 SPECint_rate_base2006; NEC Express5800/R120f-1M: 474 SPECfp_rate2006, 460 SPECfp_rate_base2006.

•SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results from http://www.spec.org as of 11/13/2015 and IBM announcement. SPARC T7-1 120,603 SPECjbb2015-MultiJVM max-jOPS, 60,280 SPECjbb2015-MultiJVM critical-jOPS;IBM Power S812LC 44,883 SPECjbb2015-MultiJVM max-jOPS, 13,032 SPECjbb2015-MultiJVM critical-jOPS; ; Cisco UCS C220 M4 97,551 SPECjbb2015-MultiJVM max-jOPS, 28,318 SPECjbb2015-MultiJVM critical-jOPS; SPARC T5-2 80,889 SPECjbb2015-MultiJVM max-jOPS, 37,422 SPECjbb2015-MultiJVM critical-jOPS; Oracle Server X5-2L 76,773 SPECjbb2015-MultiJVM max-jOPS, 26,458 SPECjbb2015-MultiJVM critical-jOPS; Sun Server X4-2 52,482 SPECjbb2015-MultiJVM max-jOPS, 19,614 SPECjbb2015-MultiJVM critical-jOPS; HP ProLiant DL120 Gen9 47,334 SPECjbb2015-MultiJVM max-jOPS, 9,876 SPECjbb2015-MultiJVM critical-jOPS.

•SPEC and the benchmark name SPEC OMP are registered trademarks of the Standard Performance Evaluation Corporation. Results as of October 25, 2015 from www.spec.org and this report. SPARC T7-4 (4 chips, 128 cores, 1024 threads): 27.9 SPECompG_peak2012, 26.4 SPECompG_base2012; HP ProLiant DL580 Gen9 (4 chips, 72 cores, 144 threads): 21.5 SPECompG_peak2012, 20.4 SPECompG_base2012; Cisco UCS C460 M7 (4 chips, 72 cores, 144 threads): 20.8 SPECompG_base2012.

• Two-tier SAP Sales and Distribution (SD) standard application benchmarks, SAP Enhancement Package 5 for SAP ERP 6.0 as of 10/23/15: SPARC T7-2 (2 processors, 64 cores, 512 threads) 30,800 SAP SD users, 2 x 4.13 GHz SPARC M7, 1 TB memory, Oracle Database 12c, Oracle Solaris 11, Cert# 2015050. IBM Power System S824 (4 processors, 24 cores, 192 threads) 21,212 SAP SD users, 4 x 3.52 GHz POWER8, 512 GB memory, DB2 10.5, AIX 7, Cert#201401. Dell PowerEdge R730 (2 processors, 36 cores, 72 threads) 16,500 SAP SD users, 2 x 2.3 GHz Intel Xeon Processor E5-2699 v3 256 GB memory, SAP ASE 16, RHEL 7, Cert#2014033. HP ProLiant DL380 Gen9 (2 processors, 36 cores, 72 threads) 16,101 SAP SD users, 2 x 2.3 GHz Intel Xeon Processor E5-2699 v3 256 GB memory, SAP ASE 16, RHEL 6.5, Cert#2014032. SAP, R/3, reg TM of SAP AG in Germany and other countries. More info www.sap.com/benchmark

4


6 Processors in 5 Years

Oracle’s Microprocessors

2013 2011 2010 2013 2013 2015

16 x 2nd Gen cores 4 MB L3 Cache

1.65 GHz

8 x 3rd Gen Cores 4 MB L3 Cache

3.0 GHz


3.6 GHz


3.6 GHz


3.6 GHz

32 x 4th Gen Cores 64 MB L3 Cache

4.13 GHz

SPARC T3 SPARC T4 SPARC T5 SPARC M5 SPARC M6 SPARC M7

Including Software in Silicon

• Silicon Secured Memory • Encryption Acceleration • Query Acceleration • More…

}

Today

5


• 32 SPARC Cores

• Fourth Generation CMT Core (S4)

• Dynamically Threaded, 1 to 8 Threads Per Core

• New Cache Organizations

• Shared Level 2 Data and Instruction Caches

• 64MB Shared & Partitioned Level 3 Cache

• DDR4 DRAM

• Up to 2TB Physical Memory per Processor

• 2X-3X Memory Bandwidth over Prior Generations

• Application Acceleration

• Real-time Application Data Integrity

• Data Base Query Offload Engines

• In-Memory Columnar Decompression at Full Bandwidth

• SMP Scalability from 1 to 32 Processors

• Technology: 20nm, 13ML

• Oracle SW Core Factor 0.5

SPARC M7 Processor

5

Extreme Performance CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

CORE

CLUSTER

AC

CE

LE

RA

TO

RS

CO

HE

RE

NC

E, S

MP

& I

/O

INT

ER

CO

NN

EC

T

CO

HE

RE

NC

E, S

MP

& I

/O

INT

ER

CO

NN

EC

T

ME

MO

RY

CO

NT

RO

L M

EM

OR

Y C

ON

TR

OL

L3$ & ON-CHIP NETWORK

AC

CE

LE

RA

TO

RS


SPARC: Best for real performance CMT: Maximum use of all chip resources

7

IBM designed for 1-thread benchmarks This hurts real-world throughput performance

(see yellow highlights)

Compute Time

SPA

RC

HW

Th

rea

ds

SPARC HW Threads designed to overlap

to provide max throughput

without contention

Memory latency

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M

C M


Bottleneck Memory Bandwidth: Bisection Bandwidth Real world scatters memory: can simply measure by reversing Stream benchmark

• SPARC M7-8 8.7x faster “Bottleneck Bandwidth” than 8-chip x86

– Better interconnect means predictable performance for applications

– Good bisection bandwidth is critical for real workloads

8

Circles show chips Lines proportional To Bandwidth x86 & Power8 out-of-balance Fully connected

“glueless” 2-hop 2-hop

IBM S824 only has 60 GB/s Bisection BW

Bisection Bandwidth

P P P P P P

M M M M M M

P P

M M

IBM Power8 SPARC M7-8 x86 E7 v3 Haswell

Fully connected “glueless”

2-hop 2-hop

383 GB/s 44 GB/s 120 GB/s

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 9

HammerDB: Open-Source OLTP Workload (TPC-C based)

P8 6core

0,0

1,0

2,0

3,0

4,0

5,0

SPARC M7 Power8 6c E5 v3

M t

pm

OLT

P

M7

SPARC M7 per core performance:

Beats IBM Power8 Beats x86 E5 v3

https://blogs.oracle.com/BestPerf/entry/20160317_sparc_t7_1_oltp

• SPARC M7 2.8x faster per chip than E5 v3

• SPARC M7 is 1.6x faster per core than E5 v3

• SPARC M7 5.5x faster per chip than IBM Power8(6c) – SPARC M7 is 3% faster per core than Power8

• Order-entry transactions 800 wholesale supplier DB


M7 Brings New Level of Security Without Performance Impact

10

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

New Platform for Secure Computing With Oracle’s Software in Silicon architecture

Security in Silicon

Wide key encryption and Silicon Secured Memory

Breakthrough hardware SQL acceleration and decompression for

Oracle Database In-Memory

SQL in Silicon

More cores, more threads, more bandwidth, lower latency – Extreme performance for apps and cloud

World’s Fastest Microprocessor

11


Large Memory & Complex Systems Create Risks Memory Reference Bugs

• Millions of lines of code, concurrent development by thousands of people

• Lots of threads working on large shared memory segments

– Victim thread finds bad data long after culprit thread escaped

– Hard to diagnose

• Non-system languages like Java have built-in protection – No unbound pointers, garbage collectors

• Options for system level languages?

– Dynamic pointer checking transparently in hardware/silicon

12 4/20/2016


Improved Security & Reliability in Hardware

Software in Silicon: Application Data Integrity

• First ever hardware based memory protection

• Stops malicious programs from accessing other application memory

• Can be always on: Hardware approach has negligible performance impact

• Results in improved developer efficiency and more secure and higher available applications


A Couple Famous Examples: Heartbleed & Venom Silicon Secured Memory protection from read and write attacks

Buffer Over-Read Attack Buffer Over-Write Attack

14


• Memory access vulnerability in the open source Quick Emulator hypervisor (QEMU)

• Malicious code in VM executes code in hypervisor security context.

• Code escapes the guest VM to control the entire host

• Caused by buffer over-write, allowing data to be stored beyond allocated memory

Example Venom-Type Vulnerability

15

Host System

Sales server VM

DB server VM

Web server VM

VM Hypervisor

Host Hardware

Hacker exploits VENOM to escape VM

VENOM executes instructions in

hypervisor and gains control of host

hardware

Venom escape


Pointer “B”

Pointer “R”

Pointer “Y”

Applications Memory

GO

GO

Silicon Secured Memory: Always-On Intrusion Protection

• Silicon Secured Memory implements fine grained memory protection in hardware – Hidden “color” bits added to pointers (key),

and content (lock)

• Pointer color (key) must match content color or program is aborted – Set on memory allocation, changed on

memory free

• Helps prevent access off end of structure, stale pointer access, malicious attacks, etc. plus improves developer productivity

Breakthrough security and reliability in hardware

16


Hardware Accelerated Cryptography 32 Crypto Accelerators with the broadest set of ciphers

Clear Data In

Encrypted Data Out

17


SPARC’s Long-Term Investment in Security

�2005 �2007 �2010 �2011

SPARC T1

SPARC T2

SPARC T3

SPARC T4, T5, M5, M6

RSA DSA

AES DES 3DES

DSA ECC MD5 RC4

RSA SHA-1 SHA-256

AES CRC32c DES

3DES DH DSA ECC

Kasumi MD5 RSA SHA-1 SHA-256 SHA-384 SHA-512

AES Camellia CRC32c DES

3DES DH DSA ECC

Kasumi MD5 RSA SHA-1 SHA-224 SHA-256 SHA-384 SHA-512

2011-2015

Ten years of hardware accelerated encryption

18


SPARC M7 is years ahead in security protection

Nobody Does Crypto Acceleration Better

Features Per Socket

Power8

Intel Xeon SPARC M7

Clock speed (GHz) 4 2.3 4.13

Cores 12 18 32

Threads 96 36 256

Crypto Instructions 6 7 25

Crypto Algorithms Accelerated On-chip 7 5 15

Transistors 4.3B 5.56B 10B

Supports VM Live Migration No No Yes

19


IBM Missing Fast Cipher used in Oracle Database IBM Power8 missing hardware acceleration for critical AES-CFB !

• IBM Power8 has HW acceleration for simplistic AES ciphers but misses critical AES-CFB & AES-CCM

– Oracle DB need AES-CFB

– ZFS file system needs AES-CCM

20

© 2014 International Business Machines Corporation 18

Hardware Encryption

Algorithm POWER7+ POWER8

On-Chip On-Chip In-Core

AES-GCM

AES-CTR

AES-CBC

AES-ECB

SHA-256

SHA-512

RNG

CRC

Cycles per Byte

Algorithm POWER7[+]

(SW)

POWER8 (HW)

Single Thread Multi Thread

SHA512 35 10.7 2.6

AES-128-ENC 17 4 0.8

AES-256-ENC 21 5.5 1.1

• On-Chip Hardware Accelerators

introduced with POWER7+

– POWER8 has same accelerators

– Offload encryption for OS-based

large messages (encrypted file

systems, etc)

• POWER8 includes user-mode

instructions to accelerate common

algorithms

From IBM’s HotChips Presentation 2014 HC26.12.810-POWER8-Mericas-IBM


SPECjEnterprise Two T7-1s & End-to-End Security SPARC M7 processor is 2.3x faster per chip than x86 E5 v3 (Haswell)

Vendor App; DB Chips Core GHz CPU SW EjOPs notes App Perf/chip

Oracle 1x T7-1 1 32 4.13 SPARC M7 WLS 12.1.3 25,093.06 Encrypted Net 25,093

1x T7-1 1 32 4.13 SPARC M7 Oracle 12c Encrypted DB!

IBM 1x S824 4 24 3.5 POWER8 WS 8.5.5.2 22,543.34 Unsecure 5,636

1x S824 4 24 3.5 POWER8 DB2 10.5

Oracle 1x X5-2 2 36 2.3 x86 E5 v3 WLS 12.1.3 21,504.30 Unsecure 10,752

1x X5-2 2 36 2.3 x86 E5 v3 Oracle 12c

• SPARC T7-1 secure with hardware encryption (SPARC M7 clear at 25,818.85 EjOPs) • Oracle TDE Database Encryption & JDBC Network encrypted

• x86 & Power8 unsecure everywhere • T7-1 is 1.2x faster than 2-chip x86 E5 v3, M7 1.3x faster per core than x86

• x86 special BIOS “Cluster on Die”, splits x86 into two 9-core, bandwidth penalties between halves

• M7 chip 4.5x faster per chip than Power8 6-core

21


M7 with SQL In Silicon

22


Oracle Database 12c Breakthrough: Dual Format Database

• BOTH row and column formats for same table

• Simultaneously active and transactionally consistent

• Analytics and reporting use new in-memory column format

• OLTP uses proven row format

Memory Memory

SALES SALES

Row Format

Column Format

SALES

23


DAX: Data Analytics Accelerator

SPARC M7 In-Memory Database Advantages

• Industry-leading SPARC M7 memory bandwidth

• DAX decompresses data at same rate as scan-only

• DAX performs one-step scans, range scans, and assists Bloom filter joins

SQL: select sum(lo_extendedprice*lo_discount) as revenue from lineorder, date_dim where lo_orderdate = d_datekey and d_year = 2012 and lo_quantity between 6 and 25 and lo_discount between 1 and 3

Processes: Decode values (DAX) & Sum aggregation (cores)

Hash Joins (cores) Bloom Filter Joins (DAX & cores)

Scans (DAX) Range Scans (DAX)

24


Decompress at memory speed >120 GB/sec

SQL In Silicon: Accelerating Oracle Database 12c

One step 10X

faster

Decompress More than Doubles data size

Read Software

scan Rea

d

Write

Wri

te

Rea

d

DA

X

Wri

te

Multiple steps

SQL: SELECT count(*) …WHERE lo_orderdate = d_datekey …AND lo_partkey = 1059538 AND d_year_monthnum BETWEEN 201311 AND 201312;

t

25


Fast analytics for real-time decision making

SQL In Silicon

SPARC T7-1 Single-Chip Server 32 Cores

363 Queries/min per Chip

5 x HP ProLiant DL380 G9 2-Chip Servers

180 Cores

33 Queries/min per Chip

1 TB Database compressed into 160 GB of memory

5x Faster In-Memory

Query and Analytics

5x Fewer Servers 10x Fewer Chips

26


M7 Virtualization and Consolidation

27


Solaris and SPARC Virtualization No-cost Virtualization for a More Efficient Datacenter

Physical Domains (PDoms) Oracle VM Server for SPARC (LDoms)

M-series T-Series

Oracle Solaris Containers/Zones

Oracle Solaris

Domain A Web

Oracle Solaris

Domain A

Domain C

App

App Domain B

Web

Web

Sola

ris

8 C

on

tain

er

DB

Sola

ris

9 C

on

tain

er

App

Sola

ris

Co

nta

iner

Web

Sola

ris

Co

nta

iner

Domain A

Domain B

OLTP DB

OLTP DB

DW DB

App App


Hypothetical deployment configuration for Secure Oracle Database

29


(1) Factory configured with one (up to 8 processors) or two (up to 4 processors each) static physical domains (2) 1, 2, 3 or 4 reconfigurable physical domains

SPARC T7 and M7 Servers

T7-1 T7-2 T7-4 M7-8 M7-16

Processors 1 2 2 or 4 Up to 8 Up to 16

Max Cores 32 64 128 256 512

Max Threads 256 512 1,024 2,048 4,096

Max Memory .5 TB 1 TB 2 TB 4 TB 8 TB

Form Factor 2U 3U 5U Rack / 10U Rack

Domaining LDOMs LDOMs LDOMs LDOMs, PDOMs 1 LDOMs, PDOMs 2

30


✓Secure and Compliant

✓Simple

✓Efficient

✓Open

✓Affordable

Your Enterprise Cloud

Oracle Solaris 11.3 – Security. Speed. Simplicity.

31

YOUR APP


Prevents Credential Abuse/Misuse

Delegation

Activity-based user access

Time-Based Control

Control when users can perform actions

Remote Auditing, Logging and Alerting

Audit entries sent to secure server; can’t be tampered

32


Oracle Solaris

Immutable Guest

#

Immutable Guest

Firewall

• Locked down hypervisor and guests

• Stop malware before it gets in

• Prevent administrator mistakes

• Update and patch but unwritable by users, applications, or hackers

• Simple on/off with ready made security levels

33

Protects Hypervisor and Guest Environments


Eliminates Vulnerability During Live Migration

• Encryption by default

• No performance impact hardware cryptographic offload

• Access via RESTful APIs

34

Oracle Solaris Oracle Solaris

Solaris Zone Solaris Zone

Solaris Zone Solaris Zone


Simple Compliance Reporting

35


Secure and Compliant Iaas

36

• 40X consolidation ratios –Zero overhead virtualization with

Solaris Zones

– Integrated network virtualization

• 10X less compliance overhead –Secure, automated installation

–Read-only zones for administrators and tenants

–Automated compliance reporting

Secure Multitenant Iaas for External Customers

Oracle

Solaris Zone

DATABASE

Customer

Solaris Zone

DATABASE

Customer

Solaris Zone

DATABASE

Customer

Solaris Zone

DATABASE

Customer

Oracle M7

Solaris 11 Global Zone Integrated Virtual Switching,

Load Balancer, Firewall

http://www.ivv.de/


Simple Deployment Rapid Deployment with Unified Archives – in 10 minutes!

OpenStack Unified Archive

Downloaded

Archive Deployed

Networking, SSH Configured

Cloud Services Enabled Ready!

10:00 10:06 10:08 10:09 10:10

AI Server

Cloud REST APIs

Pre-configured Unified Archive

Solaris 11.3

37


Migration

38


Migration Technologies • Oracle Transportable Table spaces The transportable tablespace (TTS) allows a subset of an Oracle database to be “plugged” into another Oracle database, essentially moving tablespaces

between Oracle databases. This can be much faster than a traditional export/import or unload/load of data because transporting the tablespace only requires the copying of the data files and then integration of the structural information into the new Oracle database.

• Oracle Transportable Databases The transportable database (TDB) allows users to migrate databases quickly to another platform. Historically, prior to Oracle Database 10g, a migration to

a different platform was delivered by exporting and importing the data from the legacy system into the new systems. This process could take a number of days. With TDBs, higher transfer rates can be achieved.

• Oracle Data Pump Oracle Data Pump is a flexible tool for server-based bulk data movement that supersedes the old import and export utilities. It can load and unload data

and data structures from a database. • Recovery Manager (RMAN) Recovery Manager (RMAN) is a complete backup and recovery manager for Oracle databases. It performs backup and recovery operations in both an

online and an offline manner. Oracle RMAN 9i onward allows the software to duplicate an Oracle database as a physical/logical standby for the use of Oracle Data Guard (including Oracle Active Data Guard). This effectively allows a migration to take place while keeping the source and target in sync.

Oracle Database 12c allows cross-platform backup and recovery to simplify the migration. • Procedural Procedural migrations encompass a selection of the above technologies. No single tool will suit all migrations in an enterprise. For example, TTSs and TDBs

may be suited to smaller machines, while Oracle RMAN may be suitable for migrations during small outage windows. Oracle Data Pump may be useful for systems that require certain objects or object types to be migrated that are natural or unnatural limitations of other tools or jumps from older versions, such as from Oracle 8i Database to Oracle Database 12c.

• The Migration Tools – from ACS, OCS and Oracle Migration Factory

39


oracle.com/sparc

40