[Engine-devel] Trusted Compute Pools

Wei, Gang gang.wei at intel.com
Fri Feb 1 08:25:16 UTC 2013


Design page updated according to the in-process Patchset 2.
http://wiki.ovirt.org/wiki/Trusted_compute_pools.

Jimmy

Wei, Gang wrote on 2012-11-20:
> Hi,
> 
> I am an engineer working in the Intel Open Source Technology Center,
> interested in integrating the Intel-initiated OpenAttestation (OAT) project
> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt to
> provide a way for administrators to deploy VMs on trusted hosts hardened
> with H/W-based security features, such as Intel TXT.
> 
> I made a draft feature page for this:
> http://wiki.ovirt.org/wiki/Trusted_compute_pools
> 
> My draft idea is to provide a trust_level requirement while doing VM
> creation, like below:
> 
> curl -v -u "vdcadmin@qa.lab.tlv.redhat.com" \
>     -H "Content-type: application/xml" \
>     -d '<vm><name>my_new_vm</name>
> <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
> <template id="00000000-0000-0000-0000-000000000000"/>
> <trust_level>trusted</trust_level></vm>' \
>     'http://10.35.1.1/rhevm-api/vms'
> 
> Then oVirt Engine should query the attestation server built with OAT via
> RESTful API to get all trusted hosts and select one to create the VM.
> 
> Attestation server performs host verification through following steps:
> 1. Hosts boot with Intel TXT technology enabled
> 2. The hosts' BIOS, hypervisor and OS are measured
> 3. This measured data is sent to the attestation server when challenged by
> the attestation server
> 4. Attestation server verifies those measurements against good/known
> database to determine hosts' trustworthiness
> 
> Hosts need to be installed with OAT host agent to report host integrity to
> attestation server.
> 
> So far, I am still in the process of getting familiar with the oVirt code
> and do not yet have a solid idea of how the oVirt Engine should be modified
> to support this feature.
> 
> Any kind of comments or suggestions will be highly appreciated.
> 
> Thanks
> Gang (Jimmy) Wei
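
The four verification steps listed in the quoted message, as an added example that is not part of the original post and is not OpenAttestation or oVirt code. All function names, component strings and host names are hypothetical, and an HMAC stands in for the TPM's asymmetric quote signature so the sketch needs only the standard library.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2-style extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(chain) -> bytes:
    """Steps 1-2: fold the ordered boot chain into one PCR, starting at zeros."""
    pcr = bytes(20)
    for blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Step 3 stand-in for a TPM quote. A real TPM signs with an asymmetric
    key; HMAC keeps this sketch inside the standard library (assumption)."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(report: dict, nonce: bytes, key: bytes, known_good: set) -> str:
    """Step 4: reject stale or forged quotes, then check the known-good set."""
    expected = quote(report["pcr"], nonce, key)
    if not hmac.compare_digest(expected, report["quote"]):
        return "untrusted"
    return "trusted" if report["pcr"] in known_good else "untrusted"

def demo() -> list:
    """Constructed data: three hypothetical hosts in one attestation round."""
    good = [b"bios-1.0", b"hypervisor-1.0", b"os-1.0"]
    known_good = {measure_boot(good)}
    keys = {h: os.urandom(32) for h in ("host-a", "host-b", "host-c")}
    nonces = {h: os.urandom(16) for h in keys}
    stale = os.urandom(16)  # challenge from an earlier round
    pcr_ok = measure_boot(good)
    pcr_bad = measure_boot([b"bios-1.0", b"hypervisor-MODIFIED", b"os-1.0"])
    reports = {
        # clean boot, quote answers the current challenge
        "host-a": {"pcr": pcr_ok, "quote": quote(pcr_ok, nonces["host-a"], keys["host-a"])},
        # modified hypervisor: quote is authentic but the PCR is not known-good
        "host-b": {"pcr": pcr_bad, "quote": quote(pcr_bad, nonces["host-b"], keys["host-b"])},
        # known-good PCR, but the quote answers an old challenge (replay)
        "host-c": {"pcr": pcr_ok, "quote": quote(pcr_ok, stale, keys["host-c"])},
    }
    return sorted(h for h, r in reports.items()
                  if verify(r, nonces[h], keys[h], known_good) == "trusted")

if __name__ == "__main__":
    print(demo())
```

Only the host whose measurements match the known-good value and whose quote is bound to the current challenge ends up in the list a scheduler could place a trust_level "trusted" VM on.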