Design page updated according to the in-process Patchset 2: http://wiki.ovirt.org/wiki/Trusted_compute_pools

Jimmy Wei, Gang wrote on 2012-11-20:
> Hi,
>
> I am an engineer working in Intel Open Source Technology Center, interested
> in integrating the Intel-initiated OpenAttestation (OAT) project
> (https://github.com/OpenAttestation/OpenAttestation.git) into oVirt to
> provide a way for the Administrator to deploy VMs on trusted hosts hardened with
> H/W-based security features, such as Intel TXT.
>
> I made a draft feature page for this:
> http://wiki.ovirt.org/wiki/Trusted_compute_pools
>
> My draft idea is to provide a trust_level requirement while doing VM creation
> like below:
>
> curl -v -u "[email protected]" \
>   -H "Content-type: application/xml" \
>   -d '<vm><name>my_new_vm</name>
>   <cluster id="99408929-82cf-4dc7-a532-9d998063fa95" />
>   <template id="00000000-0000-0000-0000-000000000000"/>
>   <trust_level>trusted</trust_level></vm>' \
>   'http://10.35.1.1/rhevm-api/vms'
>
> Then oVirt Engine should query the attestation server built with OAT via RESTful
> API to get all trusted hosts and select one to create the VM.
>
> The attestation server performs host verification through the following steps:
> 1. Hosts boot with Intel TXT technology enabled
> 2. The hosts' BIOS, hypervisor and OS are measured
> 3. These measured data are sent to the attestation server when challenged by
>    the attestation server
> 4. The attestation server verifies those measurements against the good/known
>    database to determine the hosts' trustworthiness
>
> Hosts need to be installed with the OAT host agent to report host integrity to
> the attestation server.
>
> So far, I am still in the process of getting familiar with the oVirt code and have not
> got a solid idea yet on how the oVirt Engine should be modified to support
> this feature.
>
> Any kind of comments or suggestions will be highly appreciated.
>
> Thanks
> Gang (Jimmy) Wei

_______________________________________________
Engine-devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-devel
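
The verification in steps 2 to 4 of the quoted proposal, followed by the host selection for a `trust_level` of `trusted`, is sketched below as an added example; it is not code from OpenAttestation or oVirt. It goes slightly beyond the message by modelling the measurement as a TPM 1.2-style SHA-1 extend chain, which is why a changed or reordered boot component yields a different value. All function names, host names and sample data are hypothetical, and checking the signature and nonce on the host's report is assumed to happen elsewhere.

```python
import hashlib

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2-style extend: new = SHA1(old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure(components) -> str:
    """Fold a boot chain (BIOS, hypervisor, OS) into one register value."""
    pcr = bytes(20)  # simplified model: register starts at all zeros
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr.hex()

def trust_level(reported, known_good: set) -> str:
    """Step 4: compare a reported measurement with the good/known database."""
    return "trusted" if reported in known_good else "untrusted"

def eligible_hosts(reports: dict, known_good: set, required: str) -> list:
    """Hosts a scheduler may pick for a VM with the given trust_level.

    A host with no report (None) never matches, so it fails closed.
    """
    if required != "trusted":
        return sorted(reports)
    return sorted(host for host, value in reports.items()
                  if trust_level(value, known_good) == "trusted")

# Constructed sample data: byte strings stand in for firmware/kernel images.
GOOD_CHAIN = [b"bios-v1", b"hypervisor-v1", b"os-v1"]
KNOWN_GOOD = {measure(GOOD_CHAIN)}
REPORTS = {
    "host-a": measure(GOOD_CHAIN),
    "host-b": measure([b"bios-v1", b"hypervisor-TAMPERED", b"os-v1"]),
    "host-c": measure([b"hypervisor-v1", b"bios-v1", b"os-v1"]),  # reordered
    "host-d": None,  # agent never answered the challenge
}

if __name__ == "__main__":
    for host, value in sorted(REPORTS.items()):
        print(host, trust_level(value, KNOWN_GOOD))
    print("schedulable:", eligible_hosts(REPORTS, KNOWN_GOOD, "trusted"))
```
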
