>>> * CA pollution; generating a certificate on each reboot
>>> for each node will create a huge number of certificates
>>> in the engine side, which eventually may damage the CA.
>>> (Unsure if there's a limitation to certificates number,
>>> but having hundreds of junk cert's can't be good).
>> We could have vdsm/engine store the certs on the engine side, and on
>> boot, after validating the host (however that is done), it will load the
>> certs onto the node machine.  
> This is a security issue, since the key pair should be
> generated on the node. This will lead us back to your TPM
> suggestion, but (although I like it, ) will cause us
> to be tpm-dependent, not to mention a non-trivial implementation.

Not necessarily

1. generate cert on oVirt Node
2. generate symmetric key and embed in TPM or use embedded symmetric
   key (for secured network model)
3. encrypt certs w/ symmetric key
4. push encryted cert to oVirt Engine

On reboot

1. download encrypted cert from OE
2. use either embedded symmetric key or retrieve TPM based symmetric
   key and use to decrypt cert

So no dependency on TPM, but the security is definitely much better if
you have it.  Use cases like this are one of the fundamental reasons why
TPM exists :)
vdsm-devel mailing list

Reply via email to