On Thu, Dec 12, 2013 at 12:50 AM, Lu, Lianhao <lianhao...@intel.com> wrote:
> Hi Ironic folks, > > I remembered once seeing that ironic was calling for firmware security. > Can anyone elaborate with a little bit details about what Ironic needs for > this "firmware security"? I'm wondering if there are some existing > technologies(e.g. TPM, TXT, etc) that can be used for this purpose. > > Best Regards, > -Lianhao > Hi Lianhao, The topic of firmware support in Ironic has lead to very interesting discussions: questions about scope, multi-vendor support, and, invariably, questions about how we might validate / ensure the integrity of existing firmware or the firmware Ironic would be loading onto a machine. A proposal was put forward at the last summit to add a generic mechanism for flashing firmware, as part of a generic utility ramdisk. Other work is taking priority this cycle, but here are the blueprints / discussion. https://blueprints.launchpad.net/ironic/+spec/firmware-update https://blueprints.launchpad.net/ironic/+spec/utility-ramdisk To get back to your question about security, UEFI + hardware TPM is, as far as I know, the commonly-acknowledged best approach today, even though it is not necessarily available on all hardware. I believe Ironic will need to support interacting with these both locally (eg, via CPU bus) and remotely (eg, via vendor's OOB management controllers). -Devananda
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev