>>>
>>> * CA pollution; generating a certificate on each reboot
>>> for each node will create a huge number of certificates
>>> in the engine side, which eventually may damage the CA.
>>> (Unsure if there's a limit on the number of certificates,
>>> but having hundreds of junk certs can't be good).
>>
>> We could have vdsm/engine store the certs on the engine side, and on
>> boot, after validating the host (however that is done), it will load the
>> certs onto the node machine.  
>>
> This is a security issue, since the key pair should be
> generated on the node. This will lead us back to your TPM
> suggestion, but (although I like it) will cause us
> to be TPM-dependent, not to mention a non-trivial implementation.

Not necessarily

1. generate cert on oVirt Node
2. generate symmetric key and embed in TPM or use embedded symmetric
   key (for secured network model)
3. encrypt certs w/ symmetric key
4. push encrypted cert to oVirt Engine

On reboot

1. download encrypted cert from OE
2. use either embedded symmetric key or retrieve TPM based symmetric
   key and use to decrypt cert

So no dependency on TPM, but the security is definitely much better if
you have it.  Use cases like this are one of the fundamental reasons why
TPM exists :)
_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/vdsm-devel
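The flow sketched in the reply above (generate on the node, wrap with a symmetric key, park the blob on the engine, fetch and unwrap after reboot), as an added example that is not part of this thread or of vdsm. It assumes the openssl command line is available and uses a random key kept in a file as a stand-in for the TPM-held or image-embedded symmetric key; the node and the engine are plain directories.

```shell
#!/bin/sh
# Added illustration of the thread's flow, not vdsm code.
# Stand-ins (assumptions): the node and the engine are directories, and a
# random key in a file replaces the TPM-held or image-embedded symmetric key.
set -eu
WORK=$(mktemp -d)
NODE="$WORK/node"; ENGINE="$WORK/engine"; mkdir -p "$NODE" "$ENGINE"
TPM_KEY="$WORK/tpm_sealed.key"

# Step 1: the key pair and a self-signed cert are generated on the node itself.
node_generate_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=node01.example" \
        -keyout "$NODE/vdsmkey.pem" -out "$NODE/vdsmcert.pem" 2>/dev/null
}

# Step 2: the symmetric key. A TPM would seal this; here it is 32 random bytes
# kept in a root-only file (constructed stand-in).
node_generate_symmetric_key() {
    openssl rand -hex 32 > "$TPM_KEY" && chmod 600 "$TPM_KEY"
}

# Steps 3 and 4: wrap key+cert with the symmetric key and push the blob to the
# engine. The engine only ever sees ciphertext, so its store holds no usable key.
node_push_encrypted_bundle() {
    cat "$NODE/vdsmkey.pem" "$NODE/vdsmcert.pem" > "$NODE/bundle.pem"
    # The key file content serves as a passphrase (PBKDF2 derives the AES key).
    # CBC gives confidentiality only; a MAC or an AEAD is needed for integrity.
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$TPM_KEY" \
        -in "$NODE/bundle.pem" -out "$ENGINE/node01.bundle.enc"
    rm -f "$NODE/vdsmkey.pem" "$NODE/vdsmcert.pem" "$NODE/bundle.pem"  # stateless node forgets
}

# On reboot: download the blob from the engine and unwrap it with the same key.
# Returns 0 only when the restored private key matches the restored certificate.
node_restore_after_reboot() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$TPM_KEY" \
        -in "$ENGINE/node01.bundle.enc" -out "$NODE/restored.pem"
    cert_mod=$(openssl x509 -in "$NODE/restored.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$NODE/restored.pem" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Whole sequence: first boot, then the reboot path. Returns 0 on success.
run_flow() {
    node_generate_cert && node_generate_symmetric_key && \
    node_push_encrypted_bundle && node_restore_after_reboot
}
```

Sourcing the file and calling `run_flow` exercises the whole sequence; with the key file deleted, the reboot path fails, which is exactly what a lost TPM would mean for the node.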