
Building hardware-accelerated encrypted storage drives (eDrives) in Windows 8

Nishanth Lingamneni
Program Manager
Microsoft Corporation

SYS-007T

Overview

• Introduction
• Market demand for hardware-enabled encryption
• Problem statement; value proposition
• Demo
• Ecosystem status and opportunities
• Requirements for eDrive; eDrives versus self-encrypting devices (SEDs)
• Call to action

Introduction

What is an eDrive?
• A regular storage subsystem (Embedded MultiMediaCard, solid-state drive, hard disk drive) that comes with hardware offload to accelerate crypto processing

How is it different from SEDs?
• Self-encrypting drive (SED): Trusted Computing Group (TCG) standards
• Encrypted drive (eDrive): TCG standards + IEEE 1667

Why should the ecosystem care?
• Initial encryption time with hardware-based encryption is negligible
• Faster than software-based encryption during standard operation
• Removes the initial and on-going performance hit caused by software-based encryption, be it BitLocker® drive encryption or other third-party software
• Standardized in-box support can enable broad adoption

A view on market demand for hardware-enabled encryption

* Source: 2011 Self Encrypting Drive Market and Technology Report by Coughlin Associates in collaboration with TCG (Trusted Computing Group) (http://www.tomcoughlin.com/techpapers.htm)

• It is likely that by about 2017 all hard disk drives (HDDs) will shift to SED-capable units, although estimated security adoption units by 2016 (SED-capable HDDs actually used or intended for data security) are only 25% of all HDDs shipped

• By 2016 the high, median, and low estimates for security adoption for SED HDDs are 411 million, 315 million, and 122 million units, respectively

• We project that SED capability will be in more than 80% of SSDs within two years (by 2013) and likely in almost all SSDs within three years (by 2014)

• Although actual SSD SED feature implementation in 2016 is likely to be 100% in about 122 million SSDs, the projected actual SSDs from that year used for security and data protection purposes is estimated at less than 18 million units

Value proposition

Customers/OEMs

• Data is always encrypted

• Low opportunity cost

Cost savings

• Eliminates provisioning time

• Reduces CPU cycles, power

• Reduces testing, qualification cost

Windows experience

• Seamless out-of-box experience (OOBE)

Compliance

• Improves ecosystem health through device certification and system certification

eDrive with Bitlocker in Windows 8

Demo

Demo takeaways; statistics

• Goals of feature

• Short term: Each original equipment manufacturer (OEM) supports few PC configurations with eDrives at Windows 8 general availability (GA); top-tier independent hardware vendors (IHVs) and independent software vendors (ISVs) support eDrive by Windows 8 GA

• Long term: eDrives are ubiquitous

[Chart: Run-time performance comparison. Throughput (in MBPS)* for "BDE non-eDrive" versus "BDE eDrive" across eight workloads: random parallel read, random serial read, sequential parallel read, sequential serial read, random parallel write, random serial write, sequential parallel write, sequential serial write. Axis scale 0 to 140.]

• Value proposition recap
• Initial encryption time eliminated
  • Non-eDrive: > 1 hour 20 minutes
  • eDrive: < 5 seconds
  • Measured on a 150 GB HDD in an MSIT standard laptop running Windows 8; encryption software used: BitLocker drive encryption
• Run-time performance significantly improved*
  • 15 to 35% improvement in data throughput
  • Common scenarios like startup, sleep, hibernate also improved
  • eDrive-enabled systems have improved CPU utilization and battery life

* Higher throughput is more desirable.

Ecosystem update

• OEMs
  • Significant OEM attention to eDrives in all form factors
  • Strong need on tablet devices (see requirement below)
  • Demand increasing in regular form factors; will increase as encryption becomes more pervasive
  • Received commitment from one OEM and hearing positive news from two others; working with all top OEMs
• IHVs
  • One IHV on spinning HDD; one IHV on SSD; working with others on USB, as well as HDD and SSD vendors
• ISVs
  • Working with six ISVs; willing to add more per interest
• eDrives on tablets
  • eDrive-capable eMMC and mSATA parts to be available by 2012-2013; working with five IHVs
  • Looking to enforce certification requirement post–Windows 8 GA as per ecosystem status

eDrives on eMMC requirements

Tablet storage performance requirements

Random 4-KB write IOPS                   >= 200
Random 4-KB read IOPS                    >= 2000
Sequential write speed                   >= 40 MB/s
Sequential read speed                    >= 60 MB/s
Max I/O latency                          < 500 milliseconds
Additional I/O latency requirement       Maximum of 20 seconds sum-total of user-perceivable I/O latencies over any 1 hour period of a user-representative workload, where a user-perceivable I/O is defined as having a latency of at least 100 milliseconds
R/W 2:1 random 4-KB workload IOPS        >= 500
eDrive capability                        eDrive-capable eMMC memory supports eDrive functionality in Windows 8 by 2012-2013
Active power                             < 800 mW
Idle power                               < 1.5 mW

• eMMC is one of the recommended form factors for Windows 8–based tablet devices
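The two latency rows of that table are the only ones that need an algorithm rather than a threshold comparison: "max I/O latency < 500 ms" is a simple maximum, but "at most 20 seconds of user-perceivable (>= 100 ms) latency over any 1 hour period" is a sliding-window sum over a completion trace. The following checker is an added example, not code from the slide deck or from Microsoft; it assumes an I/O trace as a list of (completion time in seconds, latency in milliseconds) pairs, treats the 1-hour window as inclusive of its start, and runs over a constructed sample trace rather than real eMMC measurements.

```python
"""Check an I/O latency trace against the tablet storage latency rows above.

Added example (not part of the original deck). Trace format is an assumption:
a list of (completion_time_seconds, latency_milliseconds) tuples.
"""
from collections import deque

PERCEIVABLE_MS = 100.0    # an I/O is user-perceivable at >= 100 ms latency
MAX_SINGLE_IO_MS = 500.0  # "Max I/O latency < 500 milliseconds"
WINDOW_S = 3600.0         # "over any 1 hour period"
BUDGET_MS = 20_000.0      # "Maximum of 20 seconds sum-total" per window


def worst_window_perceivable_ms(trace):
    """Largest sum of perceivable latencies inside any 1-hour window.

    Only I/Os with latency >= PERCEIVABLE_MS contribute.  A deque holds the
    perceivable I/Os whose completion time lies in [t - WINDOW_S, t]; the
    window is assumed inclusive of its start (assumption, not from the deck).
    """
    window = deque()
    running = 0.0
    worst = 0.0
    for t, lat in sorted(trace):
        if lat < PERCEIVABLE_MS:
            continue
        window.append((t, lat))
        running += lat
        # evict perceivable I/Os that completed more than one hour before t
        while window and t - window[0][0] > WINDOW_S:
            _, old = window.popleft()
            running -= old
        worst = max(worst, running)
    return worst


def check_latency(trace):
    """Return both verdicts plus the measured figures behind them."""
    max_lat = max((lat for _, lat in trace), default=0.0)
    worst = worst_window_perceivable_ms(trace)
    return {
        "max_latency_ms": max_lat,
        "max_latency_ok": max_lat < MAX_SINGLE_IO_MS,
        "worst_window_perceivable_ms": worst,
        "window_budget_ok": worst <= BUDGET_MS,
    }


def constructed_trace(second_burst_at):
    """Constructed sample trace (not real measurements).

    Two hours of 5 ms I/Os every 10 s, plus burst A (150 I/Os of 120 ms in the
    first 15 s, 18 000 ms total) and burst B (30 I/Os of 150 ms, 4 500 ms total)
    starting at `second_burst_at`.  If the two bursts share an hour the
    budget is exceeded (22 500 ms); if not, the worst window is 18 000 ms.
    """
    trace = [(float(t), 5.0) for t in range(0, 7200, 10)]
    trace += [(0.1 * i, 120.0) for i in range(150)]
    trace += [(second_burst_at + 0.1 * i, 150.0) for i in range(30)]
    return trace


if __name__ == "__main__":
    for start in (3700.0, 3500.0):
        print(f"burst B at {start:.0f} s:", check_latency(constructed_trace(start)))
```

The eviction test uses the oldest entry's completion time, so the deque never holds more than one hour of perceivable I/Os and the pass is linear in the trace length; the sub-100 ms I/Os that dominate a real workload are skipped before they touch the window at all.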

Requirements for eDrive

• Hardware requirements
  • When eDrive is present, must support
    • IEEE 1667 TCG Silo
    • TCG Opal, Opal v2 + Fixed ACL + Additional Data Store
• Windows 8 system certification requirements
  • UEFI 2.3.1 (section relevant to eDrives), Class II no CSM / Class III

Call to action

• Evaluate technology; identify potential blockers

• Work with IHVs, ISVs, firmware vendors, and OEMs of your choice to support eDrives

• Confirm interest in supporting eDrives and share plans and tentative timelines

• Support eDrives before Windows 8 GA

Further reading and documentation

Event site:
• http://channel9.msdn.com/Events

Resources:
• eDrive device guide: http://msdn.microsoft.com/en-us/library/windows/hardware/br259095.aspx
• Review API documentation on MSDN
  • IOCTLs: http://msdn.microsoft.com/en-us/library/windows/hardware/ff567006(v=VS.85).aspx
  • Structures: http://msdn.microsoft.com/en-us/library/windows/hardware/ff567007(v=VS.85).aspx
• Engage with Microsoft if questions

Thank You!

For questions, please visit me in the Speakers Connection area following this session.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.