That SEV mode looks really interesting
I hadn't heard about this before, thanks for the mention. Undoubtedly there is more work to do to be able to run VMs in zero-trust environments, but it is a big step in the right direction. Bravo, AMD!
Here it is: the official lineup of AMD's Epyc processors, which will go toe to toe with Intel's Xeons that utterly dominate the data center world. Epyc. That's not a typo. AMD's desktop and laptop chips are called Ryzen, and its server-class family is called Epyc. Welcome to the new AyyyyyyyMD. Both Ryzen and Epyc are built …
This harks back to some work done a long time ago. AMD opened up Hypertransport, meaning that any old Tom, Dick or Harry could make silicon that could plug into an AMD socket.
And people did, well, at least they did FPGA modules that could plug into a second CPU slot. I'm sure that one of the things someone did was to turn the FPGA into a RAM encrypter. Looks like AMD have moved that functionality over into the main CPU's memory controller.
It's an interesting idea that the hypervisor cannot see inside the VM. The IT security researchers won't like that particularly - they use VMs as a way of studying viruses, trojans, etc, relying on the hypervisor being an unseen God mode stealthy observer of whatever happens inside the VM. Meanwhile the malware writers go to a lot of effort to ensure that their malware detects a virtual environment and deletes itself, to prevent the whitehats unpicking the malware.
However, if SEV mode becomes commonplace, it might give the malware writers an unexpected advantage; the whitehats might no longer be able to see inside the VMs...
"However, if SEV mode becomes commonplace, it might give the malware writers an unexpected advantage; the whitehats might no longer be able to see inside the VMs..."
Eh? The researchers create and run the VMs they use to study malware. They just have to not check the box for encryption.
They just have to not check the box for encryption.
Fine, provided the hypervisor writers remember to make that a checkable option...
On the topic of hypervisors, it does open up a new avenue for malware. Malware could stand up its own hypervisor, with encryption enabled, or use a hypervisor offered by the host OS, and run its paylaod in that VM. There's then nothing the host OS could do about looking inside that VM. There's plenty of reasons why malware wants discreet, unobservable runtime on someone else's hardware.
"The researchers create and run the VMs they use to study malware. They just have to not check the box for encryption."
But the client OS can presumably detect whether that box was checked. Otherwise the system is worthless because you still have to trust the person hosting your VM when they say "I ticked it, honest.". Of course, you then need some kind of way for a client to know that the VMM isn't virtualising the instructions that you are using to detect whether they checked that box. I'm not sure where it all ends.
I doubt it has been open sourced.
Perhaps the more important thing is that hopefully they've not made the mistake Intel did - connecting a system management microcontroller running an opaque binary blob with complete access to everything to the machine's Ethernet, and then finding that they'd fucked it up...
Epyc has 128 PCIe lanes every model, Thread Ripper has 64 hence the different socket.
Epyc has models with a larger L3 cache then TR
Epyc can be dual socket, TR cannot.
There is, currently, no information regarding in memory encryption for TR but is unlikely since as you say it's an enterprise feature.
Even without those features Thread Ripper is sure starting to look like a real beast.
@analyzer: What I'm getting at - assuming these Epyc prices are accurate - is that this gives a ballpark figure for for the cost of a 16c/32t Threadripper. I can't see AMD pricing a Threadripper (at the same Epyc 7351P base frequency) higher than an Epyc 7351P, particularly as the Epyc 7351P includes a range of technologies that won't be included/enabled in Threadripper. Perhaps if the Threadripper is clocked significantly higher than the Epyc 7351P (while still maintaining sensible thermals) then it might allow AMD to charge a slightly higher premium, but not much more.
@John Pombrio: I wouldn't have thought 2.4GHz x 32 threads (Epyc 7351P or Threadripper) would be too slow for a HEDT, maybe slow for a gaming rig, but for a headless build system that spends all day compiling it could be pretty sweet!
Thomas Ryan writes a good piece regarding TDP here:
"From a power efficiency perspective moving data around is a great way to burn power. This is why we often see a focus on increasing cache sizes and reducing the need to physically move data around inside of modern chips. Given this point of reference one could see EPYC’s epic focus on I/O as a conscious attempt to build a chip that burns most of its Watts not on number crunching but on data movement."
You provide the app, "They" provide the cores to process it.
Huge caveats. Can (has?) the memory encryption processor code been independently audited or is open source? Can the Hypervisor UI be trusted (IE when you click "encrypted" on the setup options it is actually enabled)?
We've seen the f**kup Intel supplied with it's MIPS based unit that appeared to have just been cut N pasted in wholesale, along with its software.
An interesting legal question. Could the USG declare such systems illegal as it would spoil the NSA's ability to snoop
These processors (and their designers) are giving an "abhorrent"+ two finger salute to Theresa May / Amber Rudd's "simplistic, we're the good guys, you're the bad guys, nonsense" regards backdoors into encryption.*
Some good, well thought out design here.
*assuming they don't have a backdoor/vunerability, that is, at the hw level.
+As Amber Rudd would describe it, she never fails with the hyperbole.
I already had to move to a larger Intel server mobo to support 32GB Parity RAM; my next FreeNAS box build, in about 2 to 3 years time, will probably require 64GB Parity RAM. It'd be nice if I didn't have to scrap any more mobos for having inadequate RAM expansion.
All that bandwidth and addressable memory for a single socket will make this advantageous over Intel architectures for those apps that are licensed by socket.
I'm also expecting that this will show well in high performance compute and similar workloads.
SPLA licensing on Microsoft is per-core. For example, if you license Windows it's for a minimum of 8 cores per machine, then increasing 2 at a time. Hence, it may be cheaper to buy, and faster than the Xeon part, but if it costs twice as much each month to run software on it then it's hobbled before you start.
This licensing model has hurt AMD in the past for server CPUs. Great to see some competition though, and anyone licensing per socket is golden.
From the article: "Here's where it gets weird. SEV is designed for paranoid people who don't trust whoever is hosting their virtual machines. "
Could this be used by US based companies and data centres to create hosting environments that meet EU data protection standards and also prevent compelled access from US law enforcement?
If I was trying to break into the data centre market at the moment, that would certainly be my pitch...
From Reddit: "Thanks to Infinity Fabric and to high yelds, AMD is using 99,9% of Ryzen Die. WOW!"
That are remarkably high yields. That explains why AMD can kick the butt out of Intel performancewise _and_ have lower prices _and_ still be more profitable than Intel. Normally if you cut price, you cut profit. Not in this case. AMD has no market share in the very lucrative server segment, so AMD's market share can only increase and Intel can only loose market share.
This means that when the financial markets see the first AMD reports in a few months of how much server CPUs they are selling and see AMD's profit margin, the AMD stock price will surely ryze. Epyc will start to deliver in July. So the quarter after that, we will see the first profit reports. Those numbers will be epyc!
Also, dont forget the VEGA gpus that are reportedly faster than GTX 1080, and cheaper. But we dont know if VEGA is faster than GTX 1080 Ti.
Very helpful, Ta.
"AMD has split its Epyc SKUs into dual and single socket classes – they can be used in either configuration, though, unless they are a P-coded SKU, and a couple appear twice because they straddle both classes. So, for example, AMD recommends using the 7301 in a dual-socket system as an alternative to a pair of $800-plus Intel Xeon E5-2640 v4s, and the 7551P in a single-socket server versus a pair of Xeon E5-2650 v4s."
I cannot find clarity on this. Surprisingly, as its a very common scenario I hear - future proofing with an unused second socket on the chosen mobo.
Part of the reason for 2P popularity is simply adding more cpu grunt later if needed.
The epyc options in this regard are far from clear to me.
Biting the hand that feeds IT © 1998–2021