Monthly Archive: May 2010

May 24 2010

New book – Maximum vSphere

After writing my first book I swore I’d never write another, it’s a relatively big investment in time with a fairly small financial return. Ask any author and they’d probably say the same thing right after finishing a book. Well fortunately that feeling does not last and the desire to write another eventually returns. I took my time preparing for this one, I didn’t feel comfortable writing about vSphere until I had used it for many months to gain as much knowledge and experience as I could with it first. When I did get started with it I wrote the whole book in about 2 months time. I did have a little help though, I approached Simon Seagrave to see if he would contribute by doing a few chapters. He was very happy to be onboard and ended up doing the chapters on Performance and vSphere Home Labs. It was great working with him and I think the book turned out pretty good. Due to publisher constraints we had to fit everything into 350 pages which was quite challenging and meant we had to trim some fat and eliminate many figures. The end result was a book packed with information on vSphere including information on the not yet released next version. I was lucky to have John Troyer return to do the foreword on this book which is due out right before VMworld. You can find out more about the book on Pearson’s website and it’s also available on Amazon for pre-order. Not only will this book give you great information, it will look cool on your book shelf!

0137044747

May 24 2010

Please consider voting for my VMworld sessions

I have 2 sessions in consideration for VMworld 2010 in the Virtualization 101 track. The first is a deep-dive session on vSphere features, I’m the curious type and always have to know how things work behind the scenes. As a result I do a lot of research trying to figure out the technical magic behind features like VMDirectPath, VMCI, Fault Tolerance, DVFS, etc. Once I have a firm understanding of how things work I can better explain it to everyone else so they can understand it as well without having to do all the work I did to find out. The second session is on home labs and small vSphere environments. I’ve had a lot of experience recently with different home lab configurations and done a lot of research on supported configurations, hardware and shared storage options. I’ve gone from building a powerful desktop to use with VMware Workstation and running ESX/ESXi as VMs to using low-cost brand name servers running ESX/ESXi bare metal. For a pretty affordable price I’ve built a pretty cool lab that any VMware admin would enjoy having. So if you’d like to hear more about either topic head on over to the VMworld website and vote for me.

Vote here: http://vmworld.com/community/conferences/2010/cfpvote/v101

Title: Deep Dive on Virtualization – How stuff works in virtualization
Session Id: V18268
Abstract: You may use virtualization everyday but do you really understand how everything works behind the scenes? This session will provide deep dives into the many features of virtualization so you may better understand them and be able to use them more effectively. In this session we will cover things like paravirtualization, hardware virtualization (CPU & chipsets), VMDirectPath, Trusted Platform Module, Dynamic Voltage Frequency Scaling, VMCI, CBT, snapshots, ESXi anatomy, virtual machine anatomy (hardware/files) and more. This session will provide a better understanding of some of the more complex features of vSphere and those that rely on specific server hardware. Attendees will learn the mechanics behind these features with technical deep dives that go beyond the product documentation which only tells you how to use them and not how they work or why you should use them. For those that are curious about how everything works in virtualization this session will give you a much better understanding of the technology so when you go to use a feature you will know exactly what is happening, requirements and the benefits of the feature. In addition the deep dives into the anatomy of ESXi & VM’s will provide you with information that will allow you to more effectively troubleshoot and administer them.
Type: Breakout Session
Track:Virtualization 101
Speaker: Eric Siebert Company: Boston Market
Title: Building an affordable vSphere environment for a lab or small business
Session Id:V18328
Abstract:“This session will cover how to build a vSphere home lab or an environment for use in a small business. It will cover the following areas: 1) How to choose the hardware, including white box hardware, brand name hardware, network components and storage 2) What the hardware compatibility guide means and the consequences of using unsupported hardware 3) Making sure the hardware you choose will work with vSphere 4) Using VMware Workstation to run nested hypervisors and virtual machines 5) Using ESX or ESXi to run nested hypervisors or virtual machines 6) Installing ESXi on to a USB flash drive 7) How to choose and use affordable shared storage devices 8) Using free ESXi and free administration tools to manage it 9) Using the affordable Essentials editions to gain big features at a reduced cost 10) Putting it all together to make a virtual environment”
Type: Breakout Session
Track:Virtualization 101
Speaker: Eric Siebert Company: Boston Market

May 24 2010

New vSphere security feature that you can’t really use yet

According to the original vSphere feature list there is a new security feature called “VMkernel Protection” that uses a technology called Trusted Platform Module (TPM) to add a layer of protection to the VMkernel. The VMkernel (hypervisor) is the most critical component of a virtual host because if it is compromised the VM’s running on it can easily be compromised. Therefore VMware introduced a new protection mechanism in vSphere to ensure the integrity of the VMkernel both on disk and in memory. Here is how it is described by VMware:

VMkernel Protection – As part of ongoing efforts to protect the hypervisor from common attacks and exploits, mechanisms were introduced to assure the integrity of the VMkernel and loaded modules as they reside on disk and in memory. Disk-integrity techniques protect the boot-up of the hypervisor using the Trusted Platform Module (TPM), a hardware device embedded in servers. To ensure the authenticity and integrity of dynamically loaded code, VMkernel modules are digitally signed and validated during load-time. These disk integrity mechanisms protect against malware, which might attempt to overwrite or modify VMkernel as it persists on disk. VMkernel also uses memory integrity techniques at load-time coupled with microprocessor capabilities to protect itself from common buffer-overflow attacks that are used to exploit running code. These techniques create a stronger barrier of protection around the hypervisor. See the ESX Configuration Guide and the ESXi Configuration Guide.

Having a strong interest in security I was curious about this feature and wanted to try it out so I did some research on it. TPM is a security specification developed by Trusted Computing Group (TCG) that uses cryptographic keys to protect information. It relies on a TPM chip which has a unique RSA key burned into it and is capable of performing platform authentication and can be used to verify that software has not been changed. vSphere can use TPM to digitally sign VMkernel modules and validate them when the host is starting up to protect against malware that might overwrite them. This feature is similar to the Windows File Protection feature that Microsoft has built-in to Windows to prevent critical system files from being modified or overwritten.

TPM is integrated into processors and chipsets so just like every other technology Intel has their version of it and AMD their own. Intel’s is called Trusted Execution Technology (TXT) which has been available for some time and AMD’s is called Secure Execution Mode (AMD has very little information on this) and is not widely available. For TPM to work you must have both a CPU with the necessary processor extensions for TPM and a chipset that supports TPM. TPM uses Platform Configuration Registers (PCRs) that are like containers that can hold 160-bit values in them in the following manner:

  • At boot PCRs are all initialized to a known value (either 0 or -1)
  • An application can then measure things by computing its hash value
  • The resulting measurement is inserted into a PCR, this process is called “extending the PCR”
  • PCRs can be extended multiple times until a final value is calculated
  • Each code segment is measured and validated and control passes from one code segment to the next
  • PCRs represent an accumulated measurement of the history of the executed code beginning with power-up
  • TPM signing keys can be used to sign the values of PCRs
  • The system state can then be verified from the hashes that get stored into the PCRs

The technology behind TPM is a bit complex and if you wish to read more there are some great resources at the end of this post that you can check out. As I wanted to see this technology in action I ordered a TPM chip for one of our servers so I could try it out. The chips are fairly cheap, for HP servers they are about $39. They consist of a small little circuit board that plugs into a TPM slot located on the motherboard of the server.

tpm4-new1tpm5-new1

There is also a pin that secures it so if it is ever removed you will know it has been tampered with.

tpm6-new1

Once the chip is inserted some new security options will appear in the server BIOS to configure the TPM chip as shown below.

tpm3-new1

Once I received the chip and put it in the server I turned to the vSphere documentation to set it up. The problem there was there was no documentation on how to do this despite it being advertised as a new vSphere security feature. The ESXi configuration guide had one little paragraph on TPM which didn’t tell how to set it up and use it:

This module is a hardware element that represents the core of trust for a platform and enables attestation of the boot process, as well as cryptographic key storage and protection. As part of the boot process, ESXi measures the VMkernel by the TPM, and changes to the VMkernel are logged from one boot to the next. Measurement values are propagated to vCenter Server, and can be retrieved by third-party agents using the vSphere API.

Frustrated I reached out to VMware to figure out how to use this feature, some of the information I was able to get is below:

  • TPM is only supported with ESXi.
  • You need a TCG compliant BIOS, TXT needs to be enabled from the BIOS. Once it is enabled, you need to enable use of tboot from the UI Advanced configuration option for the ESXi host (the host has to be added to VC to be able to do this).
  • There are some logs in serial log which can be used to monitor TPM. A 3rd party VC API is provided to fetch the TPM PCRs. If TXT was successful, then VMkernel fingerprint is reported in PCR19 otherwise, if the host has TPM but TXT was not used, then it will show in PCR8, otherwise PCRs should be NULL.
  • There might not be any production server platforms out there ‘today’ which can support TXT.

I never did find the “tboot” advanced parameter that was supposed to be enabled. I checked all through the VMkernel advanced settings and didn’t see anything that was even close. It seems like while TPM provides some additional great protection for the VMkernel it is not yet ready to be used. The building blocks are currently there in vSphere but none of the necessary support features to be able to use it effectively exist yet. For example there is no way to monitor the feature so even if you could enable it there would be not much value to it. I expect both 3rd party vendors and VMware will develop the missing pieces in a future release (note the ESX & ESXi 4.1/4.5 version #’s in the videos) and look forward to being able to fully utilize this new security feature.