Security in Power5 LPARs

A recent discussion on the value of infrastructure virtualization for SOA and SOA-based middleware, and the related security issues, was one worth posting on.

It seems to be a commonly held view that we really won’t get true Internet and Web security isolation for servers until we get the next generation of Intel hardware, related software updates from Linux and Microsoft, and a protected kernel or nexus.

That overlooks the fact that System p already delivers features that enable hardware isolation, which can protect software running in one logical partition from (a) being hacked and (b) if it is hacked, being able to compromise other partitions, either directly or indirectly.[1]

The mechanisms provided for LPAR (both HW and SW) represent a very simple security monitor capability. POWER hardware introduced a set of special registers, which are only accessible to the hypervisor, which is a trusted component of the firmware.

The POWER processor adds another, higher-privileged level of operation, where the hypervisor runs. In a classic ringed processor architecture, “ring-0” is controlled by the operating system kernel, with tightly controlled mechanisms (syscalls) for transitioning to that privileged state. On a hypervisor-based system a “ring -1” exists (the name implying that it sits below the OS kernel ring), and this is the domain of the hypervisor.

Transition to the hypervisor privilege level is through a controlled mechanism called “hcalls”, which can only be made from a ring-0 privileged program. These mechanisms and the processor hardware capabilities provide for the creation of a “padded cell” around the partition. The hardware mechanisms center primarily on memory address mapping and handling, since the first concern is to prevent partitions from looking into other partitions’ memory.

In essence the firmware provides a non-addressable, “firewall”-like structure that prevents applications and O/S instances in one partition from accessing memory, or addressing devices, that belong to another partition. As stated earlier, if you ensure that any connections into other partitions via network, messaging, etc. provide the appropriate level of security credentials, you have perfect isolation in a virtualized, shared processor environment.
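The checks described above, as a toy model in C. This is an added example, not IBM firmware or code from the original post; every name, return code and memory range in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model of the checks described above, not POWER firmware.
   Every name and return code here is hypothetical. */
enum priv { PRIV_USER, PRIV_KERNEL };  /* application vs. "ring-0" OS kernel */
enum hrc { H_OK = 0, H_PRIVILEGE = -1, H_NOT_OWNED = -2, H_PARAM = -3 };
#define PAGE_SIZE 0x1000ull
#define NLPAR 2
#define MAX_MAP 8

struct lpar {
    uint64_t base, size;                /* real memory assigned to the partition */
    uint64_t va[MAX_MAP], ra[MAX_MAP];  /* translations the hypervisor installed */
    unsigned nmap;
};
/* Hypervisor-only state: no guest address resolves to this table. */
static struct lpar lpars[NLPAR] = {
    { .base = 0x00000000ull, .size = 0x40000000ull },  /* constructed ranges */
    { .base = 0x40000000ull, .size = 0x40000000ull },
};

/* The only gate into "ring -1". `id` stands in for the partition identity
   held in a hypervisor-only register, so a guest cannot choose it. */
int hcall_map_page(unsigned id, enum priv level, uint64_t va, uint64_t ra) {
    if (level != PRIV_KERNEL) return H_PRIVILEGE;   /* hcalls only from ring-0 */
    if (id >= NLPAR || ((va | ra) & (PAGE_SIZE - 1))) return H_PARAM;
    struct lpar *p = &lpars[id];
    /* Overflow-safe check that the whole page lies in this partition's memory. */
    if (ra < p->base || ra - p->base > p->size - PAGE_SIZE) return H_NOT_OWNED;
    if (p->nmap == MAX_MAP) return H_PARAM;
    p->va[p->nmap] = va; p->ra[p->nmap++] = ra;
    return H_OK;
}

/* Guest memory access: only translations installed through the gate resolve. */
int guest_translate(unsigned id, uint64_t va, uint64_t *ra) {
    for (unsigned i = 0; id < NLPAR && i < lpars[id].nmap; i++)
        if (lpars[id].va[i] == (va & ~(PAGE_SIZE - 1))) {
            *ra = lpars[id].ra[i] | (va & (PAGE_SIZE - 1));
            return H_OK;
        }
    return H_NOT_OWNED;
}

int main(void) {
    printf("own page: %d\n", hcall_map_page(0, PRIV_KERNEL, 0x10000, 0x2000));
    printf("foreign page: %d\n", hcall_map_page(0, PRIV_KERNEL, 0x20000, 0x40000000ull));
    return 0;
}
```

The ownership test is the whole isolation property in this model: a partition's kernel can ask for any mapping, but only pages inside its own assigned range are ever installed.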

This isn’t just a benefit to web applications; it benefits any O/S or application running in a partition, and it allows you to exploit unused processor capability to run badly behaved testing applications and systems in unused capacity on servers running production workloads. It is implemented in a way that requires no O/S, middleware, or application changes and is transparent. TCO[2] for the taking!

POWER5 LPAR Security white paper. 9/06 – Armstrong, Mathews, Bade et al.

Virtualization Security and Integrity in the IBM POWER5 Environment – Stahl

[1] Of course this presupposes the software configuration hasn’t left open network connections, real or virtual, that are unsecured, or worse still, that use a common security credential for all requests irrespective of origin.

[2] Total cost of ownership

About & Contact

I'm Mark Cathcart, formerly a Senior Distinguished Engineer in Dell's Software Group; before that, Director of Systems Engineering in the Enterprise Solutions Group at Dell. Prior to that, I was an IBM Distinguished Engineer and member of the IBM Academy of Technology. I am a Fellow of the British Computer Society. I'm an information technology optimist.

I was a member of the Linux Foundation Core Infrastructure Initiative Steering committee. Read more about it here.
