Financial institutions require accurate data and extreme performance where an advantage of even a few microseconds can reap millions of dollars. Virtualized environments can lower costs and boost performance and resource optimization but may introduce novel threats. For example, virtual machine data in use—the memory, cache, and registers that run each VM—is often vulnerable to unauthorized access by a host OS administrator. The traditional tradeoff between performance and security helps explain why the financial services industry is often hesitant to migrate to the cloud.
Confidential computing can help ensure data privacy and integrity by employing hardware-based encryption when enabled on both the host and the VM guest.[i] AMD EPYC™ processors contain an AMD Secure Processor that provides a hardware root of trust. Secure Encrypted Virtualization (SEV) uses the AMD Secure Processor to issue and manage keys that encrypt each virtual machine. This helps isolate the hypervisor and guests from each other. Enabling SEV on both the hypervisor and guest allows the guest OS to indicate which memory pages to encrypt. The hypervisor communicates with the AMD Secure Processor to manage the appropriate keys in the memory controller. AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) builds on this by encrypting CPU register contents when a VM stops running, thereby helping prevent CPU register information from leaking to the hypervisor. SEV-ES can also detect malicious modifications to a CPU register state.
The Securities Technology Analysis Center (STAC®) coordinates the STAC Benchmark Council™, which brings over 400 financial institutions and 50 vendor organizations together to discuss technical challenges and solutions facing financial services and develop relevant technology benchmark standards. The STAC-A2 Benchmark suite is the industry standard for testing technology stacks used for compute-intensive analytic workloads involved in pricing and risk management. STAC recently performed STAC-A2 Benchmarks on two AMD EPYC based solutions in an A/B comparison where the only difference between solutions was whether SEV-ES was enabled.[ii], [iii]. Comparing the relative performance of the CPU with (NAIV210520b) and without (NAIV210520a) SEV-ES enabled found:
- No change in the maximum paths or maximum assets handled
(capacity Benchmarks – computing maxes by varying one dimension at a time; STAC-A2.β2.GREEKS.{MAX_PATHS/MAX_ASSETS}). - A 0.0% increase (rounded to the nearest tenth of a percent) in elapsed time for warm runs of the large Greeks benchmark (time to compute all Greeks for 10 assets, 100k paths, and 1260 timesteps; STAC-A2.β2.GREEKS.10-100k-1260.TIME.WARM)
- Less than 1.2% increase in elapsed time for warm and cold runs of the baseline Greeks benchmark (time to compute baseline Greeks for 5 assets, 25k paths, and 252 timesteps; STAC-A2.β2.GREEKS.TIME.{WARM/COLD})
- Less than 1.3% reduction in throughput, energy efficiency, and space efficiency (energy/space requirements are similar with SEV-ES enabled; STAC-A2.β2.HPORTFOLIO.{SPEED/ENERGY_EFF/SPACE_EFF})
- No change in the quality benchmark results (results not affected by enabling SEV-ES).
Financial institutions require high levels of data confidentiality, integrity, and the ability to attest to that confidentiality and integrity without sacrificing performance. AMD EPYC processors with SEV-ES enabled deliver high performance while helping improve security. The STAC-A2 tests demonstrate a negligible performance impact when AMD EPYC security features are enabled.
------------------------------------------------------------------------------------------------------------------------------------------------------
[i] SEV-ES is currently supported by:
- Host: VMware ESXi® 7.0 U1, Photon OS 3.0, and Tanzu
- Guest: Linux® 5.10, 5.11, and Linux RedHat and SUSE Distros on the guest
[ii] Stacks under test (SUT) consisted of the STAC-A2 Pack for C (Naive Implementation) Rev B running in a virtualized environment on a Dell PowerEdge R6525 server with two 8-core AMD EPYC 72F3 CPUs and 2 TiB of physical DDR4 memory. The bare-metal hypervisor VMware ESXi 7.0 Update 2 supported a single VM with access to all machine cores and 1.5 TiB of memory, running an AMD-modified version of the SUSE Linux Enterprise Server 15 SP2 operating system. The servers had patches applied to mitigate Spectre & Meltdown security vulnerabilities.
[iii] The report is available from https://stacresearch.com/news/NAIV210520.
“STAC” and all STAC names are trademarks or registered trademarks of the Securities Technology Analysis Center, LLC.
Raghu Nambiar is a corporate vice president for Data Center Ecosystems at AMD. His postings are his own opinions and may not represent AMD’s positions, strategies or opinions. Links to third party sites are provided for convenience and unless explicitly stated, AMD is not responsible for the contents of such linked sites and no endorsement is implied.
