  • The Path Truly Opens To Alternate Power CPUs, But Is It Enough?

    July 14, 2020 Timothy Prickett Morgan

    If you have a few tens of millions of dollars to spare and you want to set up a foundry partnership with either Globalfoundries for 14 nanometer chip making technologies or with Samsung for 7 nanometer technologies and then create your own Power processor, things just got a little bit easier. Big Blue has open sourced one of its Power cores through the OpenPower foundation and now anybody and everybody can grab it and design a new central processing unit around that core.

    Don’t get too excited, but get a little excited. Let me explain.

    We still believe in the idea that anything that makes Power chips stronger allows for the IBM i platform to live longer, so the opening up of the Power instruction set last August and now the opening up of the Power-A2 core used in IBM’s Wire Speed Processor and its BlueGene/Q massively parallel supercomputers takes it another step. Back in early June, in my other day job over at The Next Platform, I spoke to the new executive director of the OpenPower Foundation, James Kulina, about the prospect of open sourcing Power cores to help jump start innovation and treating OpenPower more like a software project, among other topics of conversation, and two weeks ago, just before IT Jungle went on hiatus for the July 4th holiday, I also spoke to Mendy Furmanek, president of the OpenPower Foundation who is also in charge of Power processor verification and open hardware business development at IBM, about the opening up of the Power-A2 core that had just happened. I am not going to repeat all of that work again here, but I do want to bring some insight to the Power-A2 core being opened up and what it might mean – and what it probably does not mean – for IBM i shops.

    The first thing to note is that IBM did not open source the cores used in the Power7, Power7+, Power8, and Power9 processors – and it probably is not going to open source the cores used in the future Power10 chip, either. That is a little too close to the bank account for Big Blue. But I have said in the past and I will say it again that perhaps the Power10 chip, in its entirety, should be the last one that IBM develops by itself and that the future Power11 processor should be specified, developed, and manufactured by the OpenPower collective. IBM is great at creating the processors that customers of its big iron machines need and it is doing a better job of making processors well suited to the entry server market and for clustered systems, but there are other variations that are needed for niche markets in edge computing and lower-cost computing for SMBs. And as I have said before, most IBM i shops in particular need a chip that has only a few cores and lots of clocks and cache so it can rip through batch jobs and high availability replication work and Java and Python applications like grit through a goose.

    Yes, many of these applications have been threaded, and yes, more threads at much lower clocks yield much better performance per watt. But someone putting a server in a closet and spending a few hundred bucks a year powering it doesn’t give a damn about dollars per performance per watt. Yes, this really matters when you are running a few million servers across a few dozen regions with several dozens of datacenters. But what matters most to most IBM i shops is wall time to complete work. If you can make batch jobs at SMBs run twice as fast or four times as fast, then you should. And I am not talking about creating an expensive chip where all but one or two of the dozen or two dozen cores are turned off because that is still a big expensive chip with low yields in the first place. I am talking about making a chip specifically for IBM i.

    And as it turns out, the Power-A2 chip does not have speculative execution, so it is not susceptible to side channel security attacks and it is an in-order processor that has a lot of ways to hook accelerators into it. And it supports special PowerPC-AS memory tagging methods that IBM i requires to create single level storage. This is a very cool thing. Of course, should such a chip be manufactured, getting Big Blue to license IBM i for it would be possibly problematic. It’s hard to say.

    With Big Blue controlling the source code to both AIX and IBM i, it holds all of the cards here. There is some comfort in that in the event that IBM decides to stop making Power Systems hardware that supports AIX or IBM i that others could now pick up the ISA and cores and weave a new chip to run it. But they would have to either create a clone of Power7, Power8, or Power9 to run IBM’s operating systems or have access to the source code to make the tweaks necessary to the operating system kernel and driver stack to make AIX or IBM i run on this new chip. You could create an emulation layer, with say a Power6 runtime environment supporting an old IBM i release like OS/400 V6R1. But this is not ideal, and has some obvious limitations. There is always the possibility of running IBM i atop the PowerVM hypervisor and using that as some kind of emulation environment, but IBM, again, holds all of the cards.

    This is why the Power hardware and the IBM i and AIX software both need to be open source. If IBM has caught the open source religion with the acquisition of Red Hat, the situation sort of requires it. And that means truly trusting the open source philosophy, all the way. The question is will competitors take an open IBM i and AIX and an open Power chip and create competitive boxes, or will IBM still be the dominant supplier? Red Hat is still the only $3 billion open source company, and it argues that enterprises will pay for support for enterprise-grade software that is worth the money.

    With IBM i and AIX software open and the possibility of Power hardware also being open, and both tuned for specific workloads and specific customers, there is a chance to radically change the business model for the Power Systems platform and to tell a consistent story across AIX, IBM i, and Linux. It’s something to think about.

    RELATED STORIES

    Powers Of Ten

    What Open Sourcing Power’s ISA Means For IBM i Shops

    IBM’s Plan For Etching Power10 And Later Chips

    The Road Ahead For Power Is Paved With Bandwidth

    At Long Last, IBM i Finally Gets Power9

    Can OpenPower Take A Bite Out Of The Datacenter?

    Taking The Power Systems Pulse With GM Doug Balog

    OpenPower Could Take IBM i To Hyperscale And Beyond

    New OpenPower Servers Present Interesting IBM i Possibilities

    OpenPower Builds Momentum With New Members, Summit

    Any Place For IBM i In The OpenPower Clan?

    Samsung Joins The OpenPower Consortium Party

    IBM Licenses Power8 Chips To Chinese Startup

    IBM Puts Future Power Chip Stakes In The Ground

    Power8 Offers Big Blue And IBM i A Clean Slate

    IBM Forms OpenPower Consortium, Breathes New Life Into Power (2013)

    IBM’s Plan for an Adjacent, Custom Systems Market (2007)

    The IBM Systems Agenda: iB(M) (2005)

    international Business (machines) (2003)


    Tags: AIX, IBM i, Linux, OpenPower, OpenPower Foundation, OS/400 V6R1, Power Systems, Power-A2, Power10, Power11, Power6, Power7, Power8, Power9, PowerVM

    Sponsored by
    Kisco Information Systems

    The Case For Implementing Exit Points

    By Rich Loeber

    Someone recently asked me if there was someplace on the Internet where they could see a case made for implementing exit points on their IBM i system. I was at a loss for a comprehensive source and this got me thinking that it might be a good idea to just create one here.

    Security exit points on the IBM i (and its predecessor OS/400) have been in existence since the mid-1990s. When the system was opened up to network access, the need for additional security over and above the standard IBM i OS security was apparent. IBM’s solution was to let their customers solve the issues on their own by giving them access to specific decision points in the various network server functions that were being rolled out. Server functions were being added to the IBM i OS to support network access to the system like FTP, ODBC, SQL, mapped drives in the IFS, file upload and download, remote command calls and a lot more. Since that time, even more network functions have been added along with related new exit points.

    To be fair and above board, I must also disclose here that my company, Kisco Information Systems, jumped on the exit point bandwagon right away when the exit points were initially rolled out. Since 1996 we have been selling a comprehensive general use exit point solution called SafeNet/i, now in its 11th release.

    The question I was asked was “Why does my shop need to implement exit point controls?” That is what I want to address here. I will do so by describing several cases where additional security is needed over and above the already excellent security features that are built into the IBM i OS.

    Case #1: The classic case for exit point implementation comes from the 5250 terminal application days. If you have a Payroll Application that runs on your IBM i and is maintained by one or more clerks, OS security has to give access to the payroll files for those clerks, but the application and terminal menu system can easily be used to restrict what operations they can do on the payroll master files. That access will probably grant them *USE access so they can update files and generate payroll checks and reports.

    The above scenario is secure from an application perspective, but you would never want your payroll clerk to be able to download the payroll master files and take them home on a USB drive, would you? An exit point implementation can prevent this access. The exit point process runs on top of the IBM i OS and can be used to restrict server functions by user profile, source IP address and even by objects accessed. This leaves the IBM i OS security intact for the 5250 terminal application and also prevents unauthorized access via the network connection.

    Case #2: Many IBM i shops have one or more “regular users” defined with *ALLOBJ access in their user profile. This can happen for lots of reasons and in many cases, it would take a very long time to correct. I never recommend granting *ALLOBJ access to regular users, but if your system has evolved with this issue, it cannot be fixed overnight. In many cases, the application itself is providing the security. The issue, however, is that these users literally have access to ALL OBJECTS on your system. With network access to your system, one of these users could easily download sensitive data from your system, including credit card information and customer identity information, and hide it on a USB drive and walk out the front door and nobody would be the wiser.

    An exit point implementation can address this issue. Using exit points, you can restrict object access by user profile even though the user is set up with *ALLOBJ. In fact, object access can even be restricted for the QSECOFR security user profile. This can help to protect your system from abuse by a user profile that has been granted more access rights than they really need.

    Case #3: Since the TCP/IP communications utility FTP was added to the IBM i OS, a very easy to use network application lets users interact with the IBM i system without using a 5250 interface. The FTP user can browse objects on your system and upload or download them. A talented FTP user can even execute IBM i commands through FTP. For some shops, you want a user to have these capabilities, but you wouldn’t want them granted on a broad basis.

    Exit points can help with this, too. First, you can easily restrict which user profiles are allowed to use FTP. Then, you can further restrict which FTP commands they are allowed to use letting them do a PUT, for example, but disallowing a GET. Then, you can even give the user contextual access rights by only allowing an FTP connection from a known and trusted IP address, such as an internal IP address. Then, if the user’s credentials are compromised, the FTP connection will still have to be established from a trusted source.
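The three FTP checks just described (which profile, which command, which source address) can be modeled as one default-deny decision function. This is an added example, not code from the article or from SafeNet/i; the profile names, networks and operation names are constructed assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Model of the allow/reject decision only; a real exit program receives these
   values through the exit point's own parameter list (not reproduced here). */
enum ftp_op { OP_LOGON, OP_LIST, OP_GET, OP_PUT, OP_DELETE, OP_RCMD, OP_COUNT };
#define BIT(op) (1u << (op))

struct rule {
    const char *profile;    /* user profile the rule applies to */
    const char *net;        /* trusted source network (IPv4) */
    int prefix_len;         /* CIDR prefix length, 0..32 */
    unsigned allowed_ops;   /* bitmask of permitted enum ftp_op values */
};

/* Constructed sample policy: PAYCLERK may upload but never download. */
static const struct rule POLICY[] = {
    { "PAYCLERK", "10.20.0.0", 16, BIT(OP_LOGON) | BIT(OP_LIST) | BIT(OP_PUT) },
    { "EDIBATCH", "10.20.5.17", 32, BIT(OP_LOGON) | BIT(OP_GET) | BIT(OP_PUT) },
};

/* 1 if ip is inside net/prefix_len; 0 otherwise, including unparsable input. */
static int in_network(const char *ip, const char *net, int prefix_len)
{
    struct in_addr a, n;
    if (prefix_len < 0 || prefix_len > 32)
        return 0;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = prefix_len == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix_len);
    return (ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

/* 1 = allow, 0 = reject. Anything not explicitly permitted is rejected. */
int ftp_request_allowed(const char *profile, const char *remote_ip, enum ftp_op op)
{
    if ((int)op < 0 || op >= OP_COUNT)
        return 0;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const struct rule *r = &POLICY[i];
        if (strcmp(profile, r->profile) != 0)
            continue;
        if (!in_network(remote_ip, r->net, r->prefix_len))
            return 0;       /* valid credentials, untrusted source address */
        return (r->allowed_ops & BIT(op)) != 0;
    }
    return 0;               /* profile has no FTP rule, QSECOFR included */
}
```

Because a profile without a rule falls through to the final reject, a powerful profile such as QSECOFR gets no FTP access unless a rule is written for it.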

    To sum up: These are just a few examples of why IBM i shops should consider exit point implementation for additional security on their IBM i systems. There are literally dozens of additional scenarios that can be described, but these should get you started on making a case for exit points. It is my belief that every IBM i shop should have some form of exit point controls in place in order to be secure. If you are interested, I can heartily recommend Kisco’s SafeNet/i software if you want to jump in and get started.

    If you have questions about details of this tip, feel free to contact me directly by email, download our FREE utilities, or visit our website for more information.


TFH Volume: 30 Issue: 41

Copyright © 2021 IT Jungle

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.