[Engine-devel] Trusted Compute Pools

Wei, Gang gang.wei at intel.com
Wed Nov 21 03:24:58 UTC 2012


Great to see the interest.

Laszlo Hornyak wrote on 2012-11-21:
> Hi,
>
> Interesting technology. Some questions:
> - There will be 1 and only one attestation server installed per ovirt
>   instance or per trusted pool?

So far, I expect 1 and only one attestation server installed per ovirt
instance. Maybe different ovirt instances can also share an attestation
server, if all hosts under the different ovirt instances are accessible by
the attestation server and are able to access the attestation server.

> - Could engine cache the data it received from the attestation server, or
>   does it have to query each time a trusted VM needs to be started?

The basic case is to query each time a trusted VM needs to be started; the
advanced case is for the engine to cache the data with some practical cache
invalidation timing/policy.

The cache feature might also be able to be implemented inside the attestation 
server.

Thanks
Jimmy

>
> Thank you,
> Laszlo
>
> ----- Original Message -----
>> From: "Gang Wei" <gang.wei at intel.com>
>> To: engine-devel at ovirt.org
>> Sent: Tuesday, November 20, 2012 2:06:09 PM
>> Subject: [Engine-devel] Trusted Compute Pools
>>
>> Hi,
>>
>> I am an engineer working in the Intel Open Source Technology Center,
>> interested in integrating the Intel-initiated OpenAttestation (OAT) project
>> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt to
>> provide a way for administrators to deploy VMs on trusted hosts hardened
>> with H/W-based security features, such as Intel TXT.
>>
>> I made a draft feature page for this:
>> http://wiki.ovirt.org/wiki/Trusted_compute_pools
>>
>> My draft idea is to provide a trust_level requirement while doing VM
>> creation, like below:
>>
>> curl -v -u "vdcadmin at qa.lab.tlv.redhat.com" \
>>     -H "Content-type: application/xml" \
>>     -d '<vm><name>my_new_vm</name>
>> <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
>> <template id="00000000-0000-0000-0000-000000000000"/>
>> <trust_level>trusted</trust_level></vm>' \
>>     'http://10.35.1.1/rhevm-api/vms'
>>
>> Then oVirt Engine should query the attestation server built with OAT via
>> its RESTful API to get all trusted hosts and select one to create the VM.
>>
>> The attestation server performs host verification through the following
>> steps:
>> 1. Hosts boot with Intel TXT technology enabled
>> 2. The hosts' BIOS, hypervisor and OS are measured
>> 3. This measured data is sent to the attestation server when challenged
>>    by the attestation server
>> 4. The attestation server verifies those measurements against a good/known
>>    database to determine the hosts' trustworthiness
>>
>> Hosts need to be installed with the OAT host agent to report host
>> integrity to the attestation server.
>>
>> So far, I am still in the process of getting familiar with the oVirt code
>> and do not yet have a solid idea of how the oVirt Engine should be modified
>> to support this feature.
>>
>> Any kind of comments or suggestions will be highly appreciated.
>>
>> Thanks
>> Gang (Jimmy) Wei
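
The "cache with an invalidation policy" case discussed above, as an added example that is not part of the original thread and is not oVirt or OpenAttestation code. It assumes a hypothetical `query_fn` that takes a list of host names and returns a `{host: verdict}` mapping; the `TrustCache` name, the host names and the "untrusted" verdict string are constructed for illustration.

```python
import time

class TrustCache:
    """TTL cache of per-host attestation verdicts; only a fresh 'trusted' passes."""

    def __init__(self, query_fn, ttl_seconds=300, clock=time.monotonic):
        self._query = query_fn    # hypothetical: [host, ...] -> {host: verdict}
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}        # host -> (verdict, fetched_at)

    def invalidate(self, host):
        """Drop a cached verdict, e.g. after the host reboots or is reinstalled."""
        self._entries.pop(host, None)

    def trusted_hosts(self, candidates):
        """Return the candidates whose verdict is 'trusted' and still fresh."""
        now = self._clock()
        stale = [h for h in candidates if h not in self._entries
                 or now - self._entries[h][1] >= self._ttl]
        if stale:
            try:
                verdicts = self._query(stale)
            except Exception:
                verdicts = {}     # attestation server unreachable: fail closed
            for host in stale:
                self._entries.pop(host, None)  # never reuse an expired verdict
                if host in verdicts:
                    self._entries[host] = (verdicts[host], now)
        return [h for h in candidates
                if self._entries.get(h, ("", 0))[0] == "trusted"]


def demo():
    """Constructed scenario: host-b stops attesting as trusted while still cached."""
    state = {"host-a": "trusted", "host-b": "trusted"}  # constructed verdicts
    calls, now = [], [0.0]
    def query(hosts):
        calls.append(list(hosts))
        return {h: state[h] for h in hosts}
    cache = TrustCache(query, ttl_seconds=300, clock=lambda: now[0])
    first = cache.trusted_hosts(["host-a", "host-b"])
    state["host-b"] = "untrusted"
    now[0] = 100.0
    cached = cache.trusted_hosts(["host-a", "host-b"])  # within TTL: stale view
    cache.invalidate("host-b")
    after = cache.trusted_hosts(["host-a", "host-b"])
    return first, cached, after, calls
```

The `cached` result shows the cost of caching: until the TTL expires or the host is explicitly invalidated, a host whose measurements have changed is still offered for trusted VMs, so the TTL bounds how long that window can last.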