Server systems are much more complex today than they had been just a few years ago. The cloud providers and hyper-scalers are driving the market to the point where we are seeing specific silicon designs to address security, virtualization and performance needs of the new data center reality.
AMD EPYC 7000 Key Security and Virtualization Features
There are a few key features that we wanted to touch upon for the AMD EPYC 7000 series security story. First is the AMD Secure Processor. AMD has a dedicated ARM Cortex-A5 subsystem within its overall SoC design to provide cryptographic features and provide a hardware validated root of trust for AMD EPYC 7000 series platforms:
One of the more interesting and novel features of the AMD EPYC design is the ability to encrypt memory in hardware. We have not yet had the opportunity to measure the performance impacts of this feature, which we expect to be noticable given guidance at AMD EPYC Tech Day, but it is interesting technology. Essentially this allows for memory to be encrypted to prevent unauthorized access to data in memory.
The next feature we can see spawning an entire hosting class. If you are an STH reader that provides managed services to clients, this is one to look at. Building on the memory encryption, AMD is promoting Secure Encrypted Virtualization or SEV. The benefit of SEV is that you have encryption on VMs/ containers, including DRAM, so that you can run applications securely from hypervisors and other VMs. If you want secure multi-tenant hosting clusters, this is a very interesting solution.
There is one major caveat. Since this is an AMD feature, to implement you are looking to have a greenfield cluster of servers where you can provide these services. Still, there are businesses that will not move workloads to multi-tenant clouds because they want higher levels of security. This may be a way to incrementally move more software and services to the cloud.
Along these lines, AMD is also incrementing its virtualization features over its previous generation with features like nested virtualization that Intel has had for generations.
One area that we are keen to test soon is whether one can live migrate between existing Intel clusters and AMD EPYC systems. This is a requirement for many production VMware, KVM, and Hyper-V clusters that have a large existing install base. That functionality is something that is not a given simply because the underlying architecture is x86. Even some inter-generational Intel to Intel live migrations can be troublesome on some architectures.
Aside from the virtualization instructions, AMD is also adding a number of new security and encryption instructions. Here is a list:
Features like RDSEED, AES and SHA are now table stakes in data center designs. AMD has also added instructions specifically to aid in the NUMA heavy caching and fabric structures of EPYC. AMD will not support AVX-512 in this generation but does support AVX-2.
A key difference AMD has is that with GPUs in its portfolio, its answer is to offload heavy vector operations to GPUs rather than push through AVX-512 pipelines. This is a philosophical difference between AMD and Intel based largely on where their product portfolios are strongest.
AMD has some excellent new technologies in this space that we are very excited about. While we do have concerns about interoperability for live migrations in existing clusters, we also see an opportunity. The AMD Secure Encrypted Virtualization feature may be one that MSPs can build around to push on-prem markets to multi-tenant cloud clusters.
More AMD EPYC Launch Day Coverage From STH
- AMD EPYC 7000 Series Platform-Level Features PCIe and Storage
- AMD EPYC 7000 Series Key Security Virtualization and Performance Features
- AMD EPYC 7000 Series SKU Lists for Launch
- AMD EPYC 7601 Dual Socket Early Power Consumption Observations
We will have more AMD EPYC information as soon as we are allowed to release it.