[Engine-devel] [node-devel] Support for stateless nodes

Doron Fediuck dfediuck at redhat.com
Wed Feb 22 16:40:59 UTC 2012


On 22/02/12 18:21, Perry Myers wrote:
>>>>
>>>> * CA pollution; generating a certificate on each reboot
>>>> for each node will create a huge number of certificates
>>>> in the engine side, which eventually may damage the CA.
>>>> (Unsure if there's a limitation to certificates number,
>>>> but having hundreds of junk certs can't be good).
>>>
>>> We could have vdsm/engine store the certs on the engine side, and on
>>> boot, after validating the host (however that is done), it will load the
>>> certs onto the node machine.  
>>>
>> This is a security issue, since the key pair should be
>> generated on the node. This will lead us back to your TPM
>> suggestion, but (although I like it) will cause us
>> to be TPM-dependent, not to mention a non-trivial implementation.
> 
> Not necessarily
> 
> 1. generate cert on oVirt Node
> 2. generate symmetric key and embed in TPM or use embedded symmetric
>    key (for secured network model)
IIUC in this step you're using TPM.
What if there is no TPM (at all)?

> 3. encrypt certs w/ symmetric key
> 4. push encrypted cert to oVirt Engine
> 
> On reboot
> 
> 1. download encrypted cert from OE
> 2. use either embedded symmetric key or retrieve TPM based symmetric
>    key and use to decrypt cert
> 
> So no dependency on TPM, but the security is definitely much better if
> you have it.  Use cases like this are one of the fundamental reasons why
> TPM exists :)


-- 

/d

"Ford," he said, "you're turning into a penguin. Stop it." --Douglas Adams, The Hitchhiker's Guide to the Galaxy
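The seal-and-push scheme Perry sketches above (key pair generated on the node, wrapped with a node-held symmetric key, parked on the engine, fetched and unwrapped after reboot), worked through as an added example that is not part of this thread or of oVirt's own code. It assumes a 32-byte wrapping key held by the node (TPM-sealed or embedded, the page's two options) and a constructed host identity string bound as AAD so an engine-side blob cannot be handed to a different node.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
)

// GenerateNodeKey is step 1 on the node: the key pair is created locally, as DER.
func GenerateNodeKey() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalECPrivateKey(priv)
}

// Seal wraps the DER key with AES-256-GCM under wrapKey, the 32-byte symmetric key
// the node holds (TPM-sealed where a TPM exists, embedded otherwise). nodeID is bound
// as AAD so a blob sealed for one host is rejected on another. Output: nonce||ct||tag.
func Seal(wrapKey, nodeID, keyDER []byte) ([]byte, error) {
	block, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err // wrapKey is not 16/24/32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyDER, nodeID), nil
}

// Unseal runs on the node after it fetches the blob back from the engine on reboot;
// a wrong wrapKey, another host's nodeID or any bit flip at rest fails authentication.
func Unseal(wrapKey, nodeID, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nodeID)
}
```

The engine only ever stores the output of Seal, so a compromised engine database yields wrapped blobs, not usable node keys; the wrapping key must still stay off the engine for that to hold.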
