[Engine-devel] Trusted Compute Pools
Laszlo Hornyak
lhornyak at redhat.com
Tue Nov 20 16:20:14 UTC 2012
Hi,
Interesting technology. Some questions:
- There will be 1 and only one attestation server installed per ovirt instance or per trusted pool?
- Could engine cache the data it received from the attestation server, or does it have to query each time a trusted VM needs to be started?
Thank you,
Laszlo
----- Original Message -----
> From: "Gang Wei" <gang.wei at intel.com>
> To: engine-devel at ovirt.org
> Sent: Tuesday, November 20, 2012 2:06:09 PM
> Subject: [Engine-devel] Trusted Compute Pools
>
> Hi,
>
> I am an engineer working in Intel Open Source Technology Center,
> interested
> in integrating Intel initiated OpenAttestation(OAT) project
> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt
> to
> provide a way for Administrator to deploy VMs on trusted hosts
> hardened with
> H/W-based security features, such as Intel TXT.
>
> I made a draft feature page for this:
> http://wiki.ovirt.org/wiki/Trusted_compute_pools
>
> My draft idea is to provide trust_level requirement while doing vm
> creation
> like below:
>
> curl -v -u "vdcadmin at qa.lab.tlv.redhat.com"
> -H "Content-type: application/xml"
> -d '<vm><name>my_new_vm</name>
> <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
> <template id="00000000-0000-0000-0000-000000000000"/>
> <trust_level>trusted</trust_level></vm>'
> 'http://10.35.1.1/rhevm-api/vms'
>
> Then oVirt Engine should query attestation server built with OAT via
> RESTful
> API to get all trusted hosts and select one to create the VM.
>
> Attestation server performs host verification through following
> steps:
> 1. Hosts boot with Intel TXT technology enabled
> 2. The hosts' BIOS, hypervisor and OS are measured
> 3. These measured data is sent to Attestation server when challenged
> by
> attestation server
> 4. Attestation server verifies those measurements against good/known
> database to determine hosts' trustworthiness
>
> Hosts need to be installed with OAT host agent to report host
> integrity to
> attestation server.
>
> By far, I am still in process of getting familiar with oVirt code and
> not
> get solid idea yet on how the oVirt Engine should be modified to
> support
> this feature.
>
> Any kind of comments or suggestions will be highly appreciated.
>
> Thanks
> Gang (Jimmy) Wei
>
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>
More information about the Engine-devel
mailing list