sNVMe-oF: Secure and Efficient Disaggregated Storage
Marcin Chrapek, Meni Orenbach, Ahmad Atamli, Marcin Copik, Fritz Alder, Torsten Hoefler
Disaggregated storage based on NVMe-over-Fabrics (NVMe-oF) has become the standard solution in modern data centers, delivering superior performance, resource utilization, and energy efficiency. At the same time, confidential computing (CC) is becoming the de facto security paradigm, providing stronger isolation and protection for sensitive workloads. However, securing state-of-the-art storage systems with traditional CC approaches is hard to scale and compromises either performance or security. To address these problems, we introduce sNVMe-oF, a storage management system that extends the NVMe-oF protocol and follows the CC threat model, providing confidentiality, integrity, and freshness guarantees. sNVMe-oF provides a suitable control path and novel concepts such as counter leasing. sNVMe-oF also optimizes data-path performance by leveraging NVMe metadata, introducing a new disaggregated Hazel Merkle Tree (HMT), and avoiding redundant IPsec protection. We implement these features without modifying the NVMe-oF protocol. To deliver line rate while preventing excessive resource usage, sNVMe-oF also leverages the accelerators of CC-enabled SmartNICs. We prototype sNVMe-oF on an NVIDIA BlueField-3 and demonstrate that it incurs a performance degradation as low as 2% for synthetic patterns and AI training.
Disaggregated storage with NVMe-over-Fabrics (NVMe-oF) has emerged as the standard solution in modern data centers, achieving superior performance, resource utilization, and power efficiency. Simultaneously, confidential computing (CC) is becoming the de facto security paradigm, enforcing stronger isolation and protection for sensitive workloads. However, securing state-of-the-art storage with traditional CC methods struggles to scale and compromises performance or security. To address these iss...