On 09/04/2014 11:48 AM, Daniel P. Berrange wrote: > On Thu, Sep 04, 2014 at 11:41:48AM -0400, Dan Genin wrote: >> I would like to request a feature freeze exception for >> >> LVM ephemeral storage encryption. >> >> The spec for which was approved early in the Juno release cycle. >> >> This feature provides security for data at-rest on compute nodes. The >> proposed feature protects user data from disclosure due to disk block reuse >> and improper storage media disposal among other threats and also eliminates >> the need to sanitize LVM volumes. The feature is crucial to data security >> in OpenStack as explained in the OpenStack Security Guide and benefits >> cloud users and operators regardless of their industry and scale. >> >> The feature was first submitted for review on August 6, 2013 and two of the >> three patches implementing this feature were merged in Icehouse[4,5]. The >> remaining patch has had approval from a core reviewer for most of the >> Icehouse >> and Juno development cycles. The code is well vetted and ready to be merged. >> >> The main concern about accepting this feature pertains to key management. >> In particular, it uses Barbican to avoid storing keys on the compute host, >> and Barbican at present has no gate testing. However, the risk of >> regression in case of failure to integrate Barbican is minimal because the >> feature interacts with the key manager through an*existing* abstract keymgr >> interface, i.e., has no*explicit* dependence on Barbican. Moreover, the >> feature provides some measure of security even with the existing >> place-holder key manager, for example, against disk block reuse attack. >> >> For all of the above reasons I request a feature freeze exception for >> LVM ephemeral storage encryption. > > I'm happy to sponsor this, since I've positively reviewed it and it is > a pretty well isolated feature so risk to other existing code is low.
I'm happy to sponsor this one. The last patch is pretty straight forward, I think one change around the way barbican is included should make it ready (reviewed yesterday). -Sean -- Sean Dague http://dague.net _______________________________________________ OpenStack-dev mailing list OpenStackemail@example.com http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev