PowerVM

Live Partition Mobility (LPM) Data Encryption and Compression

By Pete Heyrman posted Tue June 16, 2020 02:16 PM

  
PowerVM LPM Logo SpeedLive Partition Mobility (LPM) allows active partitions to be migrated from one Power server to another Power server without any downtime.  LPM provides for 24x7 operations even if there is a planned outage such as for hardware repairs or firmware updates.  Starting with server firmware FW920, HMC V9 R1.920.0 and/or Novalink 1.0.0.10, the partition data sent between the servers will automatically be encrypted for better security and compressed for better performance.

Why the emphasis on LPM security and performance?
Security is an issue that is critical to every business in today’s environment.  Security of customer data when moving to a hybrid or public cloud environment over public connections is the most important consideration faced by IT managers today.  Normally, as you add more and more layers of security, the performance of the solution tends to degrade.  By leveraging the advanced capabilities of the POWER9 processors, we have found a solution that provides a solid security solution without degrading performance.  In fact, performance testing has shown either greatly reduced times to complete LPM operations or significant reduction in the amount of traffic on the network which reduces the impact of LPM on other applications.  With these improvements, there are no decisions that need to be made; the contents of the LPM data is always secure when it’s transmitted from one server to another.

POWER9 Processor
Each processor chip in a POWER9 server has an accelerator called the NX unit that provides specialized functions for general data compression, gzip compression and encryption. The NX unit consists of 2 compression engines, one gzip engine and two encryption engines.  Starting with FW920, the PowerVM Hypervisor will be utilizing these specialized engines to accelerate LPM operations.  In addition to usage of the NX unit by PowerVM, the NX unit can also be used by operating systems and user applications that have been specifically written to take advantage of these advanced capabilities.

LPM Data flow
The main part of the LPM process is copying the live content of memory from the LPM source server to the LPM target server.  There are two passes across the data, an initial pass and a resume pass.  The initial pass is where all the memory contents from the source server is copied to the target server.  After this initial pass, the hypervisor starts the partition running on the target server and then starts the resume pass where any data that was changed after being copied in the initial pass. is re-sent to the target server. The general flow of this data transfer is:
  • on the source server, the Mover Server Partition (MSP) provides the hypervisor with a buffer
  • the hypervisor copies partition memory into the buffer
  • the MSP transmits the data over the network
  • the data is received by the MSP on the target server
  • the hypervisor copies the data from the buffer into the memory space of the target partition
These data transfer operations continue until all the data has been transferred.

Compression and Encryption Overview
Starting in FW920, the hypervisor first compresses and then encrypts the partition data.  Compression provides a performance benefit by reducing the amount of data that needs to be sent from the source to the target server.  Since, the time it takes to encrypt a block of data is directly proportional to the amount of data being encrypted, compressing the data also provides better encryption performance. When doing compression, the hypervisor presents to the NX unit the buffer of data that needs to be compressed. The NX unit uses the 842-compression algorithm which provides very good compression in a short period of time. 

For the data encryption, there is initial set-up done by the HMC and hypervisor at the start of the migration operation to ensure secure authentication and encryption.  Each POWER9 server has a Trusted Platform Module (TPM) that is provisioned by IBM during the manufacturing process to contain a platform certificate.  This certificate is used to verify the identity of the source and target servers and to create an AES-256 symmetric encryption key.  Each LPM request generates its own unique encryption key that is known only to the PowerVM hypervisor.  After a buffer has been compressed, the hypervisor again presents the buffer to the NX unit and encrypts the data using the AES-256 GCM encryption function in the NX unit.

When a buffer is received on the target server, the data is decrypted, uncompressed and copied into the memory of the partition.

Performance Results
The following are some examples of the performance results where IBM has measured the elapsed time to perform LPM.  These tests were performed with a 100GB partition, running the SPECJbb 2015 workload, with concurrency level 4 for 1Gb and concurrency level 1 for 10Gb and 100Gb tests.
PowerVM LPM Encrypt Compress Performance

So, even though 10Gb and 100Gb networks do not show the dramatic performance improvements as seen with a 1Gb network, another important aspect of LPM is the amount of data sent over the network.  Reducing the amount of data sent can reduce the overall impact of LPM on other production workloads.  When migrating an idle 3 TB SAP HANA partition on 100Gb network this resulted in 3 TB of data uncompressed vs only 25GB of compressed data which is over a 100x reduction in the amount of data sent across the network.  The same test with an active SAP HANA workload resulted in a 2.9x reduction in data sent.  So, even with faster network speeds, there still are performance benefits of the LPM encryption and compression support.

Usage
As previously described, the encryption and compression of the data is automatic.  There are no parameters that can or need to be specified to enable/disable encryption/compression.

The support requires HMC and/or Novalink and PowerVM hypervisor changes, so servers must be managed by HMC version V9 R1.920.0 or later, Novalink 1.0.0.10 or later and have server firmware FW920 or later.  Since there were no changes in PowerVC, VIOS or operating systems to support encryption and compression, there are no dependencies on the PowerVC, VIOS or OS levels.  If you use an earlier level of HMC, Novalink or server firmware either on the source or target, there will be no encryption or compression of the data.

The encryption support can co-exist if your Mover Server Partitions are already configured with IPSEC.  The effect is that the data is encrypted twice, once by the hypervisor and once by the MSP.  Due to the benefits of compression, even though the data is encrypted twice, there are still performance benefits associated with this support.

Summary
This overview of the LPM encryption and compression enhancement provide an insight into how the hardware and firmware teams work together to provide world class security and performance with PowerVM. 

Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more?  Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions



#powervmblog
#powervm
#powervmlpm
0 comments
15 views

Permalink