The following is an interview on the recent announcement of a joint collaboration project between Citrix and Intel on bare metal client virtualization technologies. This interview was conducted with Simon Crosby, CTO of Citrix Virtualization and Management Division and Fernando Martins, Director of Intel Virtualization Strategies.
Interviewer: What did Citrix and Intel announce?
SC: Citrix is working with Intel on a joint collaboration called Project Independence. We announced a partnership under which we will be developing client side virtualization technologies based on the Xen hypervisor. The technology aims to enable a whole new set of use cases for rich client execution with all of the benefits of centralized management and delivery of executables – desktop workloads and applications to end users to leverage client side virtualization.
FM: The solution relies on several Intel technologies featured in Intel® vPro™ platforms. So we are quite excited about this joint announcement.
Interviewer: What is Project Independence?
SC: Together, we are building a Type-1 hypervisor based on the Xen open source hypervisor. It’s tiny, tiny as in just a few MB of flash memory associated with the platform, so small enough to be a BIOS extension. It owns all hardware including trusted platform modules and has full control over devices, but more than that, it can actually decide which platform it hands through to different guests.
For example, for trusted delivery of enterprise workloads, you can ensure that no USB device is ever passed through to a corporate workload so that nobody can ever copy the data taken outside of the corporation.
Interviewer: What is the difference between Type-1 and Type-2 client hypervisors?
SC: As mentioned earlier, what Citrix and Intel are developing is a Type-1 bare metal client hypervisor.
I’ve often heard debate in the industry around Type-1 and Type-2 virtualization; in short, it relates to the type of technology deployed. In Type-2 there is a base operating system installed on your hardware and then on top of that is a layer of virtualization technology which allows you to host one or more additional guest virtual machines.
Type-1 is different because there is no base OS installed; instead there is just a very thin layer of virtualization right on top of the hardware…a hypervisor which owns the hardware itself. The key difference is that in Type-2 if the base OS is compromised, the base OS itself is subject to threat. In Type-1 you can build a secure hypervisor which owns all of the hardware, providing a fundamentally trusted platform from which you can then build multiple virtual machines, each having different levels of privilege and trust.
In short, Type-1 gives you greater control of security and a finer degree of arbitration over system resources.
Interviewer: How are Intel Virtualization Technologies leveraged in Project Independence?
FM: Project Independence leverages a wide portfolio of Intel® vPro™ technologies.
The solution derives from the Xen hypervisor and Intel Virtualization Technology (VT) is a key underpinning of Xen.
Two distinct Intel Virtualization Technologies play a role in this solution: our VT-x technology, which provides CPU virtualization support and is required by Xen, and VT-d, which is a technology that allows for direct assignment of devices to virtual machines, therefore reducing overhead and increasing the overall reliability of the platform.
Intel’s Trusted Execution Technology (TXT) allows the hypervisor to become part of the trusted compute base such that you can ensure that the hypervisor that is running is the one that is supposed to be running.
Project Independence uses Intel’s Active Management Technology (AMT) for out-of-band updates and access to the client.
So as you can see we have a fairly large portfolio of Intel technologies being leveraged by Project Independence and we’re quite excited about that.
SC: And it’s fair to say that there is no other client platform that can do this. The portfolio of technologies is unique to vPro™ – and all of those technologies are required to meet the enterprise use cases that we’re addressing with Project Independence.
Interviewer: Why is this project important?
FM: The project definitely addresses unmet user needs. Today’s solutions are either 100% server-based and limited by central execution or client-based where you have the burden of local management.
SC: Until now, the preferred use case of the average user toting around a laptop is rich client execution. But with this scenario, the enterprise is facing the bill for managing this device through its lifecycle. In addition, there are other issues around security and new use cases that just cannot be enabled without this change. So what Project Independence does is tie together the best of two worlds, providing centralized management and delivery of the workload or applications to the end user with rich client execution where you can guarantee the fidelity, trust and protection of the workload…even in cases where you don’t trust other components of the local system. So it enables a broad set of rich, mobile, offline use cases in which enterprises can deliver their users, their contractors and even home employees, trusted corporate workloads in a protected fashion that they could never do before.
Interviewer: In an economic environment like we have today, what will this solution enable that will make it worthwhile to invest in?
FM: The combination of central management and local execution is all about cost reduction. So with central management you can actually have your images managed by a smaller staff and a more structured mechanism for general management of those images. This is an innovation in management toward cost reduction.
Interviewer: Do you have anything else to add?
SC: Stay tuned – it’s going to get even better!
Special note to the readers: if you’re interested in staying up-to-date on the latest news, discussions and information on this joint development project, visit the Project Independence showcase.