SPONSORED CONTENT
4 May 2023 | Categories: sponsored content


By Jawad Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa

Platform Security

Huawei Cloud’s Unified Virtualization Platform (UVP) abstracts physical server resources such as CPU, memory, and input/output (I/O) resources, and converts them into a pool of logical resources that can be centrally managed, flexibly scheduled, and dynamically assigned. Based on the logical resources, the UVP provisions on a single physical server a number of VM execution environments, which run concurrently but are isolated from each other. Huawei Cloud’s UVP OS has been awarded the highest rating Five Star Plus Certification as part of Huawei Cloud’s China DCA Trusted Cloud Certification.

To ensure Huawei Cloud platform security, Huawei Cloud has taken a minimalist approach in building an extremely stripped-down host OS and also performs security hardening on all its services. In addition, Huawei Cloud enforces stringent privileged access management (PAM) on Huawei Cloud administrators who have host OS access and enables comprehensive logging and centralized log management of all administrator-level O&M activities. Huawei Cloud administrators must pass two-factor authentication in order to access the management plane through jump hosts.

The UVP, which directly runs on physical servers, supports virtualization capabilities based on the Intel VT-x hardware-assisted virtualization technology and provides execution environments for VMs. The UVP ensures that each VM runs in its own properly assigned space such that it prevents a VM from attacking the UVP or other VMs.

The UVP uses technologies such as CPU isolation, memory isolation, and I/O isolation to isolate the virtual host OS from the guest VM OS. In addition, the UVP uses the Hypervisor to make the virtual host OS and the guest VM OS run with different sets of permissions, ensuring platform resource security.

UVP resource isolation mechanisms in the three areas of CPU, memory, and I/O are described in further detail in the following subsections.

CPU Isolation

The virtualization platform is implemented based on the Intel VT-x hardware-assisted virtualization technology. CPU isolation based on hardware virtualization mainly refers to the isolation between the virtualization platform and VMs, the permission allocation inside VMs, and the isolation between VMs themselves. CPU isolation is implemented through mechanisms such as switching between root and non-root operating modes, permission allocation in each operating mode, and allocation of virtual computing resources in the form of virtual CPUs (vCPUs).

Through CPU isolation, the UVP is able to control the permissions for VMs to access physical resources and the virtualized environment. Consequently, it achieves information and resource isolation between the virtualization platform and VMs as well as between different VMs, which prevents one VM from gaining unauthorized access to information and resources belonging to another VM or the virtualization platform.

Memory Isolation

The virtualization platform is also responsible for providing memory resources for VMs and ensuring that each VM can only access its own memory. To achieve this objective, the virtualization platform manages and enforces the one-to-one mapping between VM memory resources and physical memory resources.

VMs’ access to memory resources entails address translation at the virtualization layer, which ensures that each VM can access only the physical memory resources to which it has been assigned and cannot access the memory resources belonging to other VMs or the virtualization platform.
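The two-stage translation described above can be made concrete with a small model. The following is an added example written for this article, not UVP code: the class names (Hypervisor, VirtualMachine, IsolationFault), the page size and the frame numbers are assumptions chosen for illustration. A guest controls only the first stage (guest-virtual to guest-physical); the hypervisor owns the second stage (guest-physical to host-physical) and the one-to-one assignment of host frames, so a guest cannot reach a frame it was never given even if its own page table is rewritten.

```python
# Added example: toy model of two-stage address translation for VM memory isolation.
# Class names, page size and frame numbers are hypothetical; this is not UVP code.
from __future__ import annotations
from dataclasses import dataclass, field

PAGE_SIZE = 4096  # assumed 4 KiB pages

class IsolationFault(Exception):
    """Guest touched memory outside its assignment (the analogue of an EPT violation)."""

@dataclass
class VirtualMachine:
    name: str
    # Guest-controlled page table: guest-virtual page number -> guest-physical page number.
    guest_pt: dict[int, int] = field(default_factory=dict)

class Hypervisor:
    def __init__(self, host_frames: int) -> None:
        self.free_frames = list(range(host_frames))
        # Hypervisor-controlled second-level table per VM: guest-physical page -> host frame.
        self.second_level: dict[str, dict[int, int]] = {}
        # Reverse map enforcing the one-to-one rule: a host frame has at most one owner.
        self.frame_owner: dict[int, str] = {}

    def create_vm(self, name: str, pages: int) -> VirtualMachine:
        if len(self.free_frames) < pages:
            raise MemoryError("not enough host memory")
        table: dict[int, int] = {}
        for gpa_page in range(pages):
            frame = self.free_frames.pop(0)
            assert frame not in self.frame_owner, "frame already assigned"
            self.frame_owner[frame] = name
            table[gpa_page] = frame
        self.second_level[name] = table
        return VirtualMachine(name)

    def translate(self, vm: VirtualMachine, gva: int) -> int:
        """Two-stage walk: GVA -> GPA via the guest table, GPA -> HPA via this VM's second-level table."""
        gva_page, offset = divmod(gva, PAGE_SIZE)
        if gva_page not in vm.guest_pt:
            raise IsolationFault(f"{vm.name}: guest page fault at GVA {gva:#x}")
        gpa_page = vm.guest_pt[gva_page]
        stage2 = self.second_level[vm.name]
        if gpa_page not in stage2:
            # Even a compromised guest kernel cannot name memory the hypervisor never assigned it.
            raise IsolationFault(f"{vm.name}: GPA page {gpa_page} is not assigned to this VM")
        return stage2[gpa_page] * PAGE_SIZE + offset

def demo() -> dict[str, object]:
    """Two VMs map the same GVA; each lands in its own host frame, and a forged GPA faults."""
    hv = Hypervisor(host_frames=8)
    vm_a = hv.create_vm("vm-a", pages=2)   # receives host frames 0 and 1
    vm_b = hv.create_vm("vm-b", pages=2)   # receives host frames 2 and 3
    vm_a.guest_pt[0] = 0                   # both guests map GVA page 0 -> their own GPA page 0
    vm_b.guest_pt[0] = 0
    results: dict[str, object] = {
        "hpa_a": hv.translate(vm_a, 0x10),  # frame 0 -> host address 0x10
        "hpa_b": hv.translate(vm_b, 0x10),  # frame 2 -> host address 0x2010
    }
    # vm-a's guest kernel installs a mapping to GPA page 2, hoping to reach vm-b's frame 2.
    vm_a.guest_pt[1] = 2
    try:
        hv.translate(vm_a, 1 * PAGE_SIZE)
        results["forged_access"] = "allowed"
    except IsolationFault:
        results["forged_access"] = "faulted"
    results["frame_owners"] = dict(hv.frame_owner)
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the model is where the second table lives: the guest can change `guest_pt` freely, but `second_level` and `frame_owner` are only ever written by the hypervisor at VM creation, so the address space a guest can reach is fixed by the platform rather than by the guest.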

I/O Isolation

The virtualization platform also provides each VM with its dedicated virtual I/O devices, including storage disks, network adapters, mouse and keyboard, which prevents unauthorized information disclosure due to I/O device sharing between VMs.

Each virtual disk corresponds to an image file or a logical volume on the virtualization platform. The virtualization platform ensures one-to-one mapping between a virtual I/O device used by a VM and its corresponding I/O management object on the virtualization platform such that, for example, only one virtual disk of a specific VM is associated with one unique image file. This also prevents I/O device sharing between VMs and achieves I/O access path isolation.
