[Engine-devel] Trusted Compute Pools
Wei, Gang
gang.wei at intel.com
Tue Nov 20 13:06:09 UTC 2012
Hi,
I am an engineer working in Intel Open Source Technology Center, interested
in integrating Intel initiated OpenAttestation(OAT) project
(https://github.com/OpenAttestation/OpenAttestation.git) into oVirt to
provide a way for Administrator to deploy VMs on trusted hosts hardened with
H/W-based security features, such as Intel TXT.
I made a draft feature page for this:
http://wiki.ovirt.org/wiki/Trusted_compute_pools
My draft idea is to provide trust_level requirement while doing vm creation
like below:
curl -v -u "vdcadmin at qa.lab.tlv.redhat.com"
-H "Content-type: application/xml"
-d '<vm><name>my_new_vm</name>
<cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
<template id="00000000-0000-0000-0000-000000000000"/>
<trust_level>trusted</trust_level></vm>'
'http://10.35.1.1/rhevm-api/vms'
Then oVirt Engine should query attestation server built with OAT via RESTful
API to get all trusted hosts and select one to create the VM.
Attestation server performs host verification through following steps:
1. Hosts boot with Intel TXT technology enabled
2. The hosts' BIOS, hypervisor and OS are measured
3. These measured data is sent to Attestation server when challenged by
attestation server
4. Attestation server verifies those measurements against good/known
database to determine hosts' trustworthiness
Hosts need to be installed with OAT host agent to report host integrity to
attestation server.
By far, I am still in process of getting familiar with oVirt code and not
get solid idea yet on how the oVirt Engine should be modified to support
this feature.
Any kind of comments or suggestions will be highly appreciated.
Thanks
Gang (Jimmy) Wei
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8586 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121120/cd801282/attachment.p7s>
More information about the Engine-devel
mailing list