[Engine-devel] Trusted Compute Pools

Laszlo Hornyak lhornyak at redhat.com
Tue Nov 20 16:20:14 UTC 2012


Hi,

Interesting technology. Some questions:
- There will be 1 and only one attestation server installed per ovirt instance or per trusted pool?
- Could engine cache the data it received from the attestation server, or does it have to query each time a trusted VM needs to be started?

Thank you,
Laszlo

----- Original Message -----
> From: "Gang Wei" <gang.wei at intel.com>
> To: engine-devel at ovirt.org
> Sent: Tuesday, November 20, 2012 2:06:09 PM
> Subject: [Engine-devel] Trusted Compute Pools
> 
> Hi,
> 
> I am an engineer working in Intel Open Source Technology Center,
> interested
> in integrating Intel initiated OpenAttestation(OAT) project
> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt
> to
> provide a way for Administrator to deploy VMs on trusted hosts
> hardened with
> H/W-based security features, such as Intel TXT.
> 
> I made a draft feature page for this:
> http://wiki.ovirt.org/wiki/Trusted_compute_pools
> 
> My draft idea is to provide trust_level requirement while doing vm
> creation
> like below:
> 
> curl -v -u "vdcadmin at qa.lab.tlv.redhat.com"
>     -H "Content-type: application/xml"
>     -d '<vm><name>my_new_vm</name>
> <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
> <template id="00000000-0000-0000-0000-000000000000"/>
> <trust_level>trusted</trust_level></vm>'
>     'http://10.35.1.1/rhevm-api/vms'
> 
> Then oVirt Engine should query attestation server built with OAT via
> RESTful
> API to get all trusted hosts and select one to create the VM.
> 
> Attestation server performs host verification through following
> steps:
> 1. Hosts boot with Intel TXT technology enabled
> 2. The hosts' BIOS, hypervisor and OS are measured
> 3. These measured data is sent to Attestation server when challenged
> by
> attestation server
> 4. Attestation server verifies those measurements against good/known
> database to determine hosts' trustworthiness
> 
> Hosts need to be installed with OAT host agent to report host
> integrity to
> attestation server.
> 
> By far, I am still in process of getting familiar with oVirt code and
> not
> get solid idea yet on how the oVirt Engine should be modified to
> support
> this feature.
> 
> Any kind of comments or suggestions will be highly appreciated.
> 
> Thanks
> Gang (Jimmy) Wei
> 
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
> 



More information about the Engine-devel mailing list