The Trusted Computing Pool blueprint was proposed and discussed at the Design 
Summit, April 2011:
http://etherpad.openstack.org/trusted-computing-pools


Project goal:
Enable OpenStack with a trusted computing pool capability.  With this 
capability, the OpenStack scheduler can verify that a target compute node has 
indeed booted with the expected hypervisor before dispatching instances to the 
node.


Background of the trusted computing pool -

Intel Trusted Execution Technology (TXT) 
http://www.intel.com/technology/security/ provides a platform Root of Trust to 
verify that a platform has booted with the expected hypervisor by measuring its 
hash during platform boot.  We have also already enabled Intel TXT in 
Xen/KVM/VMware.

The following describes the flow and highlights the usage model -

1. A target compute node with Intel TXT hardware is booted with TXT enabled - 
the hypervisor is measured by TXT at boot time, and the measurement value is 
hashed into TPM hardware registers per 
http://www.trustedcomputinggroup.org/developers/

2. The standalone Attestation Server challenges target hosts at run time to 
retrieve their TPM registers

3. The Attestation Server verifies the retrieved registers against a known-good 
hash database set up in advance by the administrator, to decide whether the 
target node is trustworthy, i.e. has indeed booted with the expected hypervisor

The standalone Attestation Server 1) is hosted by the cloud provider, 2) 
exports a RESTful query API for the admin to verify target compute node(s), and 
3) verifies target compute nodes by hostname, by requesting their measurement 
registers.

We are currently working on the attestation software stack, which will also be 
open sourced.



Approach to supporting OpenStack -

1. Derive flavor Host_filter drivers from zone_aware_scheduler to support the 
API interface to the Attestation Server

2. The filter driver invokes Query(HostName) through the Attestation Server to 
verify a compute node's trustworthiness if the instance(s) specify a trusted 
compute node through the flavor; it drops the node from the candidate list if 
the node fails the verification

With this capability, a cloud provider can build a trusted computing pool and 
provide a premier service.



Feedback and comments are welcome,

Thanks,

-Fred
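
The filter flow described in the message above, as an added example that is not part of the original post and is not OpenStack or Intel code: a host filter asks an attestation service about each candidate and drops every node whose registers do not match the known-good database, including nodes that give no answer. All names (AttestationServer, query, trusted_host_filter, the "trusted" flavor key), the PCR indices and the digests are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _h(label):
    # Constructed digest standing in for a real boot measurement.
    return hashlib.sha1(label).hexdigest()

# Constructed known-good database the administrator sets up in advance.
# Assumption: PCR 17 and 18 carry the TXT launch measurements.
KNOWN_GOOD = {"hypervisor-ref": {17: _h(b"launch-env"), 18: _h(b"hypervisor")}}

# Constructed register reports, standing in for the run-time TPM challenge.
REPORTS = {
    "node-a": {17: _h(b"launch-env"), 18: _h(b"hypervisor")},
    "node-b": {17: _h(b"launch-env"), 18: _h(b"modified-hypervisor")},
    "node-c": {17: _h(b"launch-env")},          # register 18 missing
}

class AttestationServer:
    """Hypothetical stand-in for the standalone Attestation Server."""
    def __init__(self, known_good, reports):
        self.known_good, self.reports = known_good, reports

    def query(self, hostname):
        """True only if all registers of one known-good entry match."""
        pcrs = self.reports[hostname]           # KeyError: host did not answer
        return any(
            all(hmac.compare_digest(pcrs.get(i, ""), v) for i, v in good.items())
            for good in self.known_good.values())

def trusted_host_filter(hosts, flavor, server):
    """Drop hosts that fail attestation when the flavor asks for a trusted node."""
    if flavor.get("trusted") is not True:
        return list(hosts)                      # ordinary flavors are not filtered
    passed = []
    for host in hosts:
        try:
            ok = server.query(host)
        except Exception:
            ok = False                          # fail closed on any server error
        if ok:
            passed.append(host)
    return passed

if __name__ == "__main__":
    server = AttestationServer(KNOWN_GOOD, REPORTS)
    candidates = ["node-a", "node-b", "node-c", "node-d"]
    print(trusted_host_filter(candidates, {"trusted": True}, server))
```

The filter fails closed: a node that is unknown to the attestation service, or for which the query raises, is treated the same as a node with a mismatched measurement.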


