QingTian Cards
Logically, QingTian Cards consist of one primary card and multiple subordinate cards.
- Primary card: also called QingTian Controller. It manages all other components and firmware of the server system.
- Subordinate card: also called the I/O offloading card. It provides dedicated network acceleration, storage acceleration, management plane acceleration, and encryption offloading.
QingTian Cards contain all control interfaces the ECS service needs to provision and manage CPUs, memory, and storage for hosts. For the ECS service control plane, the central node connects only to QingTian Cards, never to the servers themselves; the servers provide no storage or network of their own. All VM lifecycle commands from the ECS service control plane are delivered directly to QingTian Cards, which then operate the front-end servers unidirectionally, for example to create or stop VMs, hot-plug devices, or live-migrate VMs.
QingTian Cards also provide every I/O interface through which a server interacts with external systems, including VPC network interfaces and EVS block storage interfaces. Every component through which a server exchanges data with the outside world (logical inbound or outbound) is implemented on QingTian Cards. The cards are connected to servers via PCIe and can be powered independently of them. They encapsulate Huawei-developed SPU chips for firmware startup and for running a simplified OS. QingTian Cards support hot upgrade of the OS and of key virtualization components running on the cards. The upgrade is independent of the firmware and system components on the host server and does not affect customer services or the security protection functions.
QingTian Controller
The QingTian system supports secure boot based on the UEFI Secure Boot standard. After the server is powered on, QingTian Controller performs secure boot first; while it does so, the host system waits. The secure boot sequence of the system on a chip (SoC) in QingTian Controller is as follows:
- Start the boot ROM.
- Verify the signature and integrity of the initial-boot-phase firmware stored in the flash memory attached to QingTian Controller. This completes the secure boot of the controller itself.
- Verify the signature and integrity of the QingTian Hypervisor image in the attached flash memory. This extends the chain of trust to the front-end host system.
- If image signature verification fails, an abnormal startup event is reported and startup stops.
- If image signature verification succeeds, the host system is notified to continue its own secure boot.
If secure boot of the host system fails, an abnormal startup event is reported as well. A node whose startup is abnormal is removed from the pool of service nodes and does not run customer workloads.
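The controller boot sequence above, as an added illustration in Go that is not Huawei's firmware code (the standard library's Ed25519 stands in for whatever signature scheme the SoC uses; the root key, image names and the node-admission step are assumptions made for the example): the root public key that would sit in the boot ROM verifies the controller firmware, the chain then checks the hypervisor image, the first failure produces an abnormal-boot event and stops the sequence so the waiting host is never told to continue, and a node with an abnormal boot is taken out of service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a signed firmware or hypervisor image as read from the flash that
// is attached to the controller: the payload plus a detached signature.
type Image struct {
	Name    string
	Payload []byte
	Sig     []byte // Ed25519 signature over SHA-256(Payload)
}

// BootEvent is one line of the boot log. A stage with OK == false is the
// "abnormal startup event" that gets reported.
type BootEvent struct {
	Stage string
	OK    bool
	Err   error
}

// NewRootKey creates the vendor key pair. In hardware the public half lives in
// the boot ROM (or fused OTP) and the private half never leaves the signing
// service; here both are generated in memory for the demonstration.
func NewRootKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage produces the signed image the build pipeline would write to flash.
func SignImage(priv ed25519.PrivateKey, name string, payload []byte) Image {
	digest := sha256.Sum256(payload)
	return Image{Name: name, Payload: payload, Sig: ed25519.Sign(priv, digest[:])}
}

// verifyImage rejects any image whose signature does not match its payload
// under the given key. ed25519.Verify panics on a malformed key, so the key
// length is checked first.
func verifyImage(pub ed25519.PublicKey, img Image) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("invalid root public key")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pub, digest[:], img.Sig) {
		return fmt.Errorf("%s: signature verification failed", img.Name)
	}
	return nil
}

// ControllerBoot models the controller SoC sequence: boot ROM runs, the
// controller firmware in flash is verified against the root key, then the
// hypervisor image is verified to extend the chain to the host. The first
// failure ends the sequence. The returned bool is the "continue secure boot"
// signal to the waiting host; it is false unless every stage passed.
func ControllerBoot(rootKey ed25519.PublicKey, firmware, hypervisor Image) ([]BootEvent, bool) {
	events := []BootEvent{{Stage: "boot-rom", OK: true}}
	for _, img := range []Image{firmware, hypervisor} {
		if err := verifyImage(rootKey, img); err != nil {
			events = append(events, BootEvent{Stage: img.Name, OK: false, Err: err})
			return events, false
		}
		events = append(events, BootEvent{Stage: img.Name, OK: true})
	}
	return events, true
}

// Node is a server in the fleet. Admit applies the last rule in the text: a
// node whose boot was abnormal is removed from service and runs no workloads.
type Node struct {
	ID        string
	InService bool
}

func Admit(n *Node, hostContinued bool) { n.InService = hostContinued }

func main() {
	pub, priv, err := NewRootKey()
	if err != nil {
		panic(err)
	}
	fw := SignImage(priv, "controller-firmware", []byte("controller firmware v1"))
	hv := SignImage(priv, "qingtian-hypervisor", []byte("hypervisor image v1"))
	events, ok := ControllerBoot(pub, fw, hv)
	fmt.Println("clean boot, host may continue:", ok, "-", len(events), "stages logged")

	hv.Payload = []byte("hypervisor image v1 (modified in flash)") // tampered after signing
	events, ok = ControllerBoot(pub, fw, hv)
	node := &Node{ID: "host-01", InService: true}
	Admit(node, ok)
	fmt.Println("tampered boot, host may continue:", ok, "- node in service:", node.InService)
	fmt.Println("reported event:", events[len(events)-1].Err)
}
```

The hypervisor image is checked against the same root key here for brevity; a real chain may instead carry the next stage's public key inside the already verified firmware, which changes nothing about the stop-on-first-failure behaviour shown.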
QingTian Controller is also a security gateway that isolates the physical server from the cloud service control planes. The cloud service control planes (including ECS/BMS, EVS, and VPC) are logically independent and use a microservice architecture. QingTian Controller abstracts them as a single ECS Control Plane for interaction. The interaction follows a unidirectional control flow: ECS Control Plane -> QingTian Controller -> QingTian Hypervisor. Connections may only be initiated in that direction; any connection initiated in the reverse direction is treated as abnormal.
As the only channel, QingTian Controller isolates the physical server from external control planes: all inbound and outbound control traffic must pass through it.
- QingTian Controller provides a mutually authenticated (mTLS) communication link to the ECS service control plane, so the data transmission link is encrypted end to end and both ends are authenticated.
- QingTian Controller also enforces attribute-based access control on the context of each API call, restricting each control plane component to the minimum set of APIs its service requires. In addition, the system records every API operation (including the source network context, identity context, call parameters, and timestamp) and supports real-time detection of abnormal API calls.
- QingTian Controller communicates with the ECS service control plane over a dedicated network. Inbound and outbound control plane traffic is completely isolated from tenant traffic (such as EVS storage data traffic and VPC network traffic).
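The three controls just listed, as an added example in Go that is not Huawei's code. The component names (ecs-lifecycle, evs-attach), the API names, the management subnet and the alert threshold are constructed for the illustration, and the caller identity is assumed to have been taken from the verified mTLS client certificate before this code runs. A connection initiated from the host side is refused as abnormal, a call arriving from outside the dedicated control-plane network is refused, each identity may call only its own allowlisted APIs, every decision is written to an audit record with source address, identity, parameters and timestamp, and a burst of denials for one identity raises an alert.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Call is one API request as the controller sees it after the mTLS handshake.
// Identity comes from the verified client certificate (assumed to be its CN),
// never from the request body.
type Call struct {
	Identity  string
	SourceIP  net.IP
	API       string
	Params    map[string]string
	Time      time.Time
	Initiator string // "control-plane" or "host": which side opened the connection
}

// AuditRecord is written for every call, allowed or denied, with the context
// the text lists: source network, identity, parameters and timestamp.
type AuditRecord struct {
	Time     time.Time
	Identity string
	SourceIP string
	API      string
	Params   map[string]string
	Allowed  bool
	Reason   string
}

// Gateway is the controller-side policy point: a per-component API allowlist,
// the dedicated control-plane network, the audit log, and a denial counter
// that raises an alert when one identity is repeatedly refused.
type Gateway struct {
	allow       map[string]map[string]bool
	mgmtNet     *net.IPNet
	denials     map[string][]time.Time
	AlertAfter  int           // denials within AlertWindow that trigger an alert
	AlertWindow time.Duration // constructed default: one minute
	Audit       []AuditRecord
	Alerts      []string
}

func NewGateway(mgmtCIDR string, allow map[string][]string) (*Gateway, error) {
	_, mgmtNet, err := net.ParseCIDR(mgmtCIDR)
	if err != nil {
		return nil, err
	}
	g := &Gateway{allow: map[string]map[string]bool{}, mgmtNet: mgmtNet,
		denials: map[string][]time.Time{}, AlertAfter: 3, AlertWindow: time.Minute}
	for id, apis := range allow {
		g.allow[id] = map[string]bool{}
		for _, a := range apis {
			g.allow[id][a] = true
		}
	}
	return g, nil
}

// Authorize applies the checks in order: the connection must have been
// initiated by the control plane (reverse initiation is abnormal), it must
// arrive over the dedicated management network, and the identity may only
// call APIs in its own allowlist. Every decision is audited.
func (g *Gateway) Authorize(c Call) bool {
	allowed, reason := true, "ok"
	switch {
	case c.Initiator != "control-plane":
		allowed, reason = false, "reverse connection initiation"
	case !g.mgmtNet.Contains(c.SourceIP):
		allowed, reason = false, "source outside control-plane network"
	case !g.allow[c.Identity][c.API]: // missing identity or API reads as false
		allowed, reason = false, "API not in allowlist for this identity"
	}
	g.Audit = append(g.Audit, AuditRecord{
		Time: c.Time, Identity: c.Identity, SourceIP: c.SourceIP.String(),
		API: c.API, Params: c.Params, Allowed: allowed, Reason: reason,
	})
	if !allowed {
		g.noteDenial(c.Identity, c.Time)
	}
	return allowed
}

// noteDenial keeps a sliding window of recent denials per identity; a burst
// of refused calls is the simplest "abnormal API call" signal to alert on.
func (g *Gateway) noteDenial(identity string, at time.Time) {
	recent := g.denials[identity][:0] // filter in place, dropping aged-out entries
	for _, t := range g.denials[identity] {
		if at.Sub(t) < g.AlertWindow {
			recent = append(recent, t)
		}
	}
	recent = append(recent, at)
	g.denials[identity] = recent
	if len(recent) >= g.AlertAfter {
		g.Alerts = append(g.Alerts, fmt.Sprintf("%s: %d denied calls within %s (last at %s)",
			identity, len(recent), g.AlertWindow, at.Format(time.RFC3339)))
	}
}
```

The denial window is deliberately simple; a production detector would also look at allowed calls (unusual volume, parameters or time of day), but a component persistently asking for APIs outside its allowlist is the first thing worth surfacing.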

I/O Offloading
The QingTian system has dedicated I/O offloading acceleration hardware that uses the same SoC and basic firmware architecture as QingTian Controller. It offloads and accelerates networking and storage functions such as VPC and EVS block storage. The offloading hardware implements data encryption and acceleration for networking and storage using the hardware encryption offloading engines and the secure key storage integrated in the SoC.

Huawei Cloud-developed VPC encryption: Standard security protocols such as IPsec and TLS are not suited to communication encryption in large-scale, high-performance cloud data centers. Huawei Cloud has therefore developed the cloud network CAE cryptographic protocol based on its own service security requirements, covering encrypted transmission in multiple Huawei Cloud network scenarios, such as traffic between VMs within a VPC and cross-site traffic in distributed clouds. Huawei Cloud supports secure, encrypted connections between all ECSs. For specific ECSs, dedicated VPC offloading cards can be used to encrypt in-transit traffic between instances. By default, the CAE protocol uses AES-256-GCM to encrypt in-transit traffic between instances automatically and transparently. The protocol is designed to provide anonymity, anti-replay protection, forward secrecy, and post-quantum security.
Dedicated I/O offloading cards provide hardware acceleration for data key import and for the encryption and decryption algorithms used in end-to-end encryption. Standard cryptographic algorithms such as AES and modes such as GCM and XTS are supported. The encryption keys used for EVS and VPC networks exist in plaintext only inside the hardware-protected key subsystem of QingTian Cards; neither Huawei Cloud O&M personnel nor any customer code running on the host system can access them. To avoid a single point of compromise in key distribution, the control plane uses multiple key management components, each of which distributes its own key material independently and securely. The data plane performs no key negotiation. Instead, at runtime it derives data keys from the multiple key materials delivered by the control plane, and it rotates keys automatically on an hourly basis. This key distribution mechanism fits the SDN architecture of cloud computing better than per-connection negotiation: it removes the performance overhead of key negotiation and allows communication encryption at a larger scale and scope.
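The key-distribution and encryption scheme described above, as an added Go example. This is not Huawei's CAE protocol, whose wire format and key schedule the page does not specify; it is one concrete way to build the properties the text names. It assumes two key materials delivered by independent key-management components (constructed strings here), derives an hourly AES-256 data key from both of them with an HKDF-style HMAC-SHA256 construction, encrypts with AES-256-GCM using a sender||sequence nonce with the epoch authenticated as additional data, and enforces anti-replay at the receiver. It makes no claim about forward secrecy or post-quantum security.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Packet is one encrypted datagram. Epoch, Sender and Seq travel in the clear
// and are authenticated as additional data; Ciphertext carries the GCM tag.
type Packet struct {
	Epoch      uint64 // hour number (unix time / 3600) the data key was derived for
	Sender     uint32 // sender instance ID, keeps nonces distinct across senders
	Seq        uint64 // per-sender counter starting at 1, restarts when the epoch rotates
	Ciphertext []byte
}

// DeriveDataKey folds all independently delivered key materials into one
// pseudorandom key (HKDF-style extract with HMAC-SHA256) and expands it with
// the epoch, so the key rotates hourly with no negotiation and no single
// key-management component alone determines it.
func DeriveDataKey(materials [][]byte, epoch uint64) []byte {
	prk := make([]byte, sha256.Size) // all-zero start key, as HKDF uses for an empty salt
	for i, m := range materials {
		mac := hmac.New(sha256.New, prk)
		mac.Write(append([]byte{byte(i)}, m...))
		prk = mac.Sum(nil)
	}
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], epoch)
	mac := hmac.New(sha256.New, prk)
	mac.Write(append(append([]byte("vpc-data-key"), e[:]...), 1)) // info || block counter
	return mac.Sum(nil)                                              // 32 bytes: AES-256
}

// header serialises the authenticated fields; bytes 8..20 double as the nonce.
func header(p Packet) []byte {
	h := make([]byte, 20)
	binary.BigEndian.PutUint64(h[0:8], p.Epoch)
	binary.BigEndian.PutUint32(h[8:12], p.Sender)
	binary.BigEndian.PutUint64(h[12:20], p.Seq)
	return h
}

// gcmFor builds AES-256-GCM under the epoch key. Both constructors fail only
// on a malformed key, which a freshly derived 32-byte key never is.
func gcmFor(materials [][]byte, epoch uint64) cipher.AEAD {
	block, err := aes.NewCipher(DeriveDataKey(materials, epoch))
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal encrypts one datagram. The nonce sender||seq is unique under each
// hourly key as long as a sender never reuses a sequence number in an hour.
func Seal(materials [][]byte, epoch uint64, sender uint32, seq uint64, plaintext []byte) Packet {
	p := Packet{Epoch: epoch, Sender: sender, Seq: seq}
	h := header(p)
	p.Ciphertext = gcmFor(materials, epoch).Seal(nil, h[8:20], plaintext, h)
	return p
}

// Receiver decrypts packets from one sender. Anti-replay here is strict: a
// sequence number at or below the highest accepted one in the current epoch
// is rejected, as is any packet from an older epoch. (An IPsec-style bitmap
// window that tolerates reordering is a straightforward extension.)
type Receiver struct {
	materials [][]byte
	epoch     uint64
	high      uint64 // highest sequence number accepted in this epoch
}

func NewReceiver(materials [][]byte) *Receiver { return &Receiver{materials: materials} }

// accept runs only after the GCM tag verified, so forged packets cannot move the window.
func (r *Receiver) accept(epoch, seq uint64) bool {
	switch {
	case epoch > r.epoch: // first packet, or key rotated: restart the window
		r.epoch, r.high = epoch, seq
		return true
	case epoch < r.epoch || seq <= r.high: // older key, or sequence number already used
		return false
	}
	r.high = seq
	return true
}

// Open authenticates and decrypts, then applies the replay check.
func (r *Receiver) Open(p Packet) ([]byte, error) {
	h := header(p)
	pt, err := gcmFor(r.materials, p.Epoch).Open(nil, h[8:20], p.Ciphertext, h)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	if !r.accept(p.Epoch, p.Seq) {
		return nil, errors.New("replay detected")
	}
	return pt, nil
}
```

A real implementation would cache the derived key per epoch rather than re-deriving it per packet, and would accept the previous epoch for a short grace period around the hourly boundary so that packets in flight during rotation are not dropped; the strict rule above is the simplest version that still demonstrates the rotation and anti-replay behaviour.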
When the system runs on QingTian Hypervisor, the I/O devices provided by QingTian Cards are divided into multiple virtual functions (VFs) using single-root I/O virtualization (SR-IOV). These VFs are assigned directly to VMs, so each VM accesses its hardware interfaces (such as network interfaces and storage controllers) without intermediation. On the transmission path, customer service data (transmitted for processing, storage, or hosting) moves directly between the ECS and the virtual I/O device provided by QingTian Cards, bypassing the hypervisor layer to achieve hardware-level passthrough. Following the principle of minimizing the attack surface, the I/O path therefore involves only the VM, the VF hardware, and the physical device. By minimizing the software and hardware the I/O path depends on, this design delivers both higher security and near-bare-metal performance.