>>
>> * CA pollution; generating a certificate on each reboot
>> for each node will create a huge number of certificates
>> on the engine side, which eventually may damage the CA.
>> (Unsure if there's a limitation to the number of certificates,
>> but having hundreds of junk certs can't be good).
>
> We could have vdsm/engine store the certs on the engine side, and on
> boot, after validating the host (however that is done), it will load the
> certs onto the node machine.
>
> This is a security issue, since the key pair should be
> generated on the node. This will lead us back to your TPM
> suggestion, but (although I like it) will cause us
> to be TPM-dependent, not to mention a non-trivial implementation.

Not necessarily:
1. generate cert on oVirt Node
2. generate symmetric key and embed in TPM or use embedded symmetric
key (for secured network model)
3. encrypt certs w/ symmetric key
4. push encrypted cert to oVirt Engine
On reboot
1. download encrypted cert from OE
2. use either embedded symmetric key or retrieve TPM based symmetric
key and use to decrypt cert
So no dependency on TPM, but the security is definitely much better if
you have it. Use cases like this are one of the fundamental reasons why
TPM exists :)
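The node-side half of the scheme above, as an added example that is not code from this thread or from oVirt/vdsm. It assumes the 32-byte symmetric key is handed in by the caller (standing in for the TPM-held or embedded key), uses AES-256-GCM with the public cert bound as associated data (my choice, the thread only says "encrypt"), and leaves the actual push/download transport to the engine out of scope; all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// GenerateNodeKeyAndCert is step 1: the key pair is created on the node, so the
// private key never leaves it in the clear. Returns PKCS#8 key DER and cert DER.
func GenerateNodeKeyAndCert(nodeName string) (keyDER, certDER []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: nodeName},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	keyDER, err = x509.MarshalPKCS8PrivateKey(priv)
	return keyDER, certDER, err
}

// nodeGCM wraps the node's 32-byte symmetric key (TPM-held or embedded; assumed given) in AES-256-GCM.
func nodeGCM(symKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(symKey)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealForEngine is step 3: encrypt the private key with the public cert bound as associated
// data, so the engine may keep the cert readable but cannot swap it unnoticed. Step 4 pushes the blob.
func SealForEngine(symKey, keyDER, certDER []byte) ([]byte, error) {
	gcm, err := nodeGCM(symKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, keyDER, certDER), nil // blob = nonce || ciphertext || tag
}

// OpenFromEngine is reboot step 2: a wrong key or any tampering with blob or cert fails authentication.
func OpenFromEngine(symKey, blob, certDER []byte) ([]byte, error) {
	gcm, err := nodeGCM(symKey)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, io.ErrUnexpectedEOF } // truncated blob from the engine side
	return gcm.Open(nil, blob[:n], blob[n:], certDER)
}
```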