Interesting technology. Some questions:
- There will be 1 and only one attestation server installed per ovirt instance or per
- Could engine cache the data it received from the attestation server, or does it have to
query each time a trusted VM needs to be started?
----- Original Message -----
From: "Gang Wei" <gang.wei(a)intel.com>
Sent: Tuesday, November 20, 2012 2:06:09 PM
Subject: [Engine-devel] Trusted Compute Pools
I am an engineer working in Intel Open Source Technology Center,
in integrating Intel initiated OpenAttestation(OAT) project
) into oVirt
provide a way for Administrator to deploy VMs on trusted hosts
H/W-based security features, such as Intel TXT.
I made a draft feature page for this:
My draft idea is to provide trust_level requirement while doing vm
curl -v -u "vdcadmin(a)qa.lab.tlv.redhat.com"
-H "Content-type: application/xml"
<cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
Then oVirt Engine should query attestation server built with OAT via
API to get all trusted hosts and select one to create the VM.
Attestation server performs host verification through following
1. Hosts boot with Intel TXT technology enabled
2. The hosts' BIOS, hypervisor and OS are measured
3. These measured data is sent to Attestation server when challenged
4. Attestation server verifies those measurements against good/known
database to determine hosts' trustworthiness
Hosts need to be installed with OAT host agent to report host
By far, I am still in process of getting familiar with oVirt code and
get solid idea yet on how the oVirt Engine should be modified to
Any kind of comments or suggestions will be highly appreciated.
Gang (Jimmy) Wei
Engine-devel mailing list