Hi,

Interesting technology. Some questions:

- Will there be one and only one attestation server installed per oVirt instance, or one per trusted pool?
- Could the engine cache the data it received from the attestation server, or does it have to query each time a trusted VM needs to be started?

Thank you,
Laszlo

----- Original Message -----
> From: "Gang Wei" <[email protected]>
> To: [email protected]
> Sent: Tuesday, November 20, 2012 2:06:09 PM
> Subject: [Engine-devel] Trusted Compute Pools
>
> Hi,
>
> I am an engineer working in the Intel Open Source Technology Center, interested
> in integrating the Intel-initiated OpenAttestation (OAT) project
> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt to
> provide a way for administrators to deploy VMs on trusted hosts hardened with
> H/W-based security features, such as Intel TXT.
>
> I made a draft feature page for this:
> http://wiki.ovirt.org/wiki/Trusted_compute_pools
>
> My draft idea is to provide a trust_level requirement while doing VM creation,
> like below:
>
> curl -v -u "[email protected]" \
> -H "Content-type: application/xml" \
> -d '<vm><name>my_new_vm</name>
> <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
> <template id="00000000-0000-0000-0000-000000000000"/>
> <trust_level>trusted</trust_level></vm>' \
> 'http://10.35.1.1/rhevm-api/vms'
>
> Then oVirt Engine should query the attestation server built with OAT via its RESTful
> API to get all trusted hosts and select one to create the VM.
>
> The attestation server performs host verification through the following steps:
> 1. Hosts boot with Intel TXT technology enabled
> 2. The hosts' BIOS, hypervisor and OS are measured
> 3. These measurements are sent to the attestation server when challenged by
> the attestation server
> 4. The attestation server verifies those measurements against a good/known
> database to determine the hosts' trustworthiness
>
> Hosts need to be installed with the OAT host agent to report host integrity to
> the attestation server.
>
> So far, I am still in the process of getting familiar with the oVirt code and
> do not have a solid idea yet on how the oVirt Engine should be modified to support
> this feature.
>
> Any kind of comments or suggestions will be highly appreciated.
>
> Thanks
> Gang (Jimmy) Wei
>
> _______________________________________________
> Engine-devel mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/engine-devel
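Laszlo's second question (whether the engine may cache attestation results) and the host-selection step Gang describes, as an added example that is not part of either message and not code from oVirt or OAT: a small Python model of an engine-side placement filter that honours trust_level=trusted by consulting cached per-host verdicts with a bounded lifetime, and that fails closed when the verdicts are stale or the server query fails. The verdict format and the fetch callable are assumptions standing in for the OAT REST query.

```python
import time

# Constructed per-host verdicts, standing in for an attestation server reply.
# The shape (host name -> "trusted"/"untrusted") is an assumption, not the OAT API.
SAMPLE_ATTESTATION = {"host-a": "trusted", "host-b": "untrusted", "host-c": "trusted"}


class AttestationCache:
    """Keeps the attestation server's verdicts for at most `ttl` seconds.

    `fetch` is a hypothetical callable returning {host: verdict}; in the engine it
    would wrap the attestation server's REST query. Verdicts older than `ttl`, or
    a failed query, count as "no trusted hosts": the engine fails closed rather
    than placing a trusted VM on a host whose state it cannot confirm.
    """

    def __init__(self, fetch, ttl, clock=time.time):
        self.fetch, self.ttl, self.clock = fetch, ttl, clock
        self.verdicts, self.fetched_at = {}, None

    def refresh(self):
        try:
            self.verdicts = dict(self.fetch())
            self.fetched_at = self.clock()
        except Exception:
            # server unreachable or reply unusable: drop everything, fail closed
            self.verdicts, self.fetched_at = {}, None

    def is_stale(self):
        return self.fetched_at is None or self.clock() - self.fetched_at > self.ttl

    def trusted_hosts(self):
        if self.is_stale():
            self.refresh()
        return sorted(h for h, v in self.verdicts.items() if v == "trusted")


def select_host(cluster_hosts, trust_level, cache):
    """Return the host to start the VM on, or None if no host qualifies.

    Only trust_level == "trusted" consults attestation; any other value leaves
    placement unconstrained, as a VM without a trust requirement is today.
    """
    candidates = list(cluster_hosts)
    if trust_level == "trusted":
        trusted = set(cache.trusted_hosts())
        candidates = [h for h in candidates if h in trusted]
    return candidates[0] if candidates else None
```

Within the TTL the second placement reuses the cached verdicts, so one attestation query can serve several trusted VM starts; once the TTL passes, or the query fails, a trusted VM gets no host until a fresh verdict arrives.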
