Difference between revisions of "Trusted-Location-Control"

Revision as of 15:20, 27 August 2014

Hardware assisted Geo and Asset Tagging

While the cloud enables workloads and data to reside anywhere, users may be constrained to run their workloads and store their data in certain geographies due to regulatory requirements. This solution extends the existing ability to trust the integrity of the compute platform (that it is free of malware and rootkits) to also trust the location and boundary of the hardware resources. It does so by associating geo and asset tags with hardware at provision time. Intel Trusted Execution Technology (TXT) and other measured launch environments (MLEs) measure this provision-time information into the Trusted Platform Module (TPM). Remote attestation services can then be used to ascertain that the provision-time metadata has not been tampered with. Geo and Asset tagging builds on the Trusted Compute Pools feature, covered in TrustedComputingPools.

This blueprint details how geo and asset tagging can be incorporated into, and taken advantage of by, OpenStack clouds to provide location and boundary control of workloads and OpenStack images. With Geo/Asset Tags you can enforce policies that control placement, migration or bursting of workloads onto trusted systems in specific geographical locations or boundaries, and give tenants visibility into, and evidence of, their workloads' compliance with trust and location policies.

Principles of Operation

Principles-of-operation.jpg


What is a Geo/Asset Tag?

What-is-tag.jpg

Proposed Changes

HW-Geo-tag overview.gif

Geo and Asset Tagging Solution

  1. Provision geo tags to Compute Hosts using the ‘Remote Attestation solution’
    1. Create one or more tags.
    2. Create a selection ID by selecting one or more tags.
    3. Provision a selection ID to the asset (e.g. a Compute Host). Provisioning generates an Asset Certificate and writes the SHA1 hash of the certificate to the TPM’s NVRAM.
    4. Reboot the host to complete provisioning; during boot the hash is extended into PCR 22 of the TPM.
    5. For more details, follow the instructions in the Remote Attestation Solution product guide.
  2. Create and add Geo-Location/Asset-tag policies to VM image properties in OpenStack
    1. The following changes have been made to Image <add which screen> within OpenStack
    2. fill technical details on changes – what code was changed, where the data is stored and more…
    3. <add screen shots>
    4. On the Horizon dashboard image creation/edit page(s), the user selects one or more tag keys from the pre-configured tag key list [Country, State/Province, City, Region, Classification].
    5. The user associates each selected key with the appropriate value.
    6. On image creation or editing, Horizon updates the Glance database to store the list of tag key/value pairs as image properties.
  3. Add an Asset/Location filter to the scheduler
    1. Naresh to add technical details including API calls.
    2. For the selected image, retrieve the list of tag key/value pairs from the Glance database.
    3. For each host, retrieve the trust and geo-tag details from the attestation service.
    4. Match the image's trust and geo-tag requirements against each host's trust status and geo-tag, and filter out hosts that do not satisfy them.
    5. NOTE: This filter does not assign a weight to the hosts; it only accepts or rejects them.
    6. Screen shots before and after launching an instance with an image policy
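The provisioning chain of step 1 (certificate hash written to NVRAM, extended into PCR 22 at reboot, then checked by remote attestation), as an added Python example. This is not code from the blueprint or from the Remote Attestation Solution: the JSON certificate serialisation, the issuer name, the host identifier and the assumption that PCR 22 receives exactly one extend (the NVRAM hash) are constructed for the example. The real solution issues an X.509-style asset certificate, and the PCR 22 value on a real host depends on everything the measured launch environment extends into it. The extend arithmetic itself is the TPM 1.2 definition: PCR_new = SHA1(PCR_old || measurement).

```python
import hashlib
import json

# Constructed tag catalogue (step 1.1). Keys follow the pre-configured list on the page.
TAGS = {
    1: ("Country", "US"),
    2: ("State/Province", "CA"),
    3: ("City", "Santa Clara"),
    4: ("Classification", "Internal"),
}

# A TPM 1.2 PCR is SHA-1 sized and holds all zeros after reset.
TPM12_PCR_INITIAL = b"\x00" * 20


def build_selection(tag_ids):
    """Step 1.2: a selection is the list of tag key/value pairs chosen from the catalogue."""
    return [TAGS[i] for i in tag_ids]


def make_asset_certificate(host_uuid, selection, issuer="attestation-service (hypothetical)"):
    """Step 1.3, simplified: a canonical JSON stand-in for the Asset Certificate.
    The issuer name and the JSON layout are assumptions for this example only."""
    body = {
        "subject": host_uuid,
        "issuer": issuer,
        "tags": [{"key": k, "value": v} for k, v in selection],
    }
    # sort_keys + compact separators give a deterministic encoding, so the hash is stable.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def certificate_hash(cert_bytes):
    """Step 1.3: the SHA1 digest of the certificate that is written into TPM NVRAM."""
    return hashlib.sha1(cert_bytes).digest()


def pcr_extend(pcr_value, measurement):
    """TPM 1.2 extend: the new PCR value is SHA1 of the old value concatenated with the measurement."""
    return hashlib.sha1(pcr_value + measurement).digest()


def boot_time_pcr22(nvram_hash):
    """Step 1.4: at reboot the NVRAM hash is extended into PCR 22.
    Assumes this is the only extend into PCR 22 (constructed simplification)."""
    return pcr_extend(TPM12_PCR_INITIAL, nvram_hash)


def verify_asset_tag(quoted_pcr22, cert_bytes):
    """Attestation-side check: recompute the expected PCR 22 from the certificate on file
    and compare it with the value reported in the host's quote. Any change to the
    certificate, the NVRAM contents or the PCR shows up as a mismatch."""
    expected = boot_time_pcr22(certificate_hash(cert_bytes))
    return quoted_pcr22 == expected


def demo():
    """Provision a host, then check the genuine certificate and a tampered copy."""
    selection = build_selection([1, 2, 3, 4])
    cert = make_asset_certificate("host-0001", selection)
    nvram = certificate_hash(cert)
    pcr22 = boot_time_pcr22(nvram)  # what a quote of PCR 22 reports after the reboot
    genuine_ok = verify_asset_tag(pcr22, cert)
    # Constructed tamper case: the stored certificate is edited to claim another country.
    forged = cert.replace(b'"value":"US"', b'"value":"DE"')
    forged_ok = verify_asset_tag(pcr22, forged)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The comparison in verify_asset_tag is only as strong as the quote it receives: in a deployment the attestation service must first check the TPM's signature over the quoted PCR values with the host's attestation identity key, otherwise a host could simply report the expected PCR 22 value.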

Nova Aggregates and Availability Zones

The partitioning, resource reservation and fault tolerance benefits that Nova aggregates and availability zones bring have a lot in common with geo tags. The main difference is that trusted tags are provision-time values attached to the hardware resource itself, whereas aggregates and availability zones are administrative groupings in the Nova database. Because the trusted geo-tag is bound to a hardware root of trust, it carries more weight as evidence for meeting regulatory requirements.

Nova Compute Node Provisioning

During provisioning of compute nodes for trust, geo-tags may also be assigned. These can be simple strings, such as "3rd Floor, Expo Center, Hong Kong", or structured data such as XML or JSON strings with sub-items such as GPS coordinates, postal address and more.

Nova Scheduler Filter

Asset/Geo Tag filters should be specified. They will be very similar to today's Aggregate and Availability Zone filters, with the distinction that the data they retrieve from the Attestation service may need to be parsed. For instance, geo-tag data may be retrieved as a JSON string or as XML. In the case of XML,

Attestation Service

Existing Remote Attestation servers need to be upgraded to understand geo tags, supporting an API to retrieve them for registered hardware resources. The geo tags retrieved for a hardware resource could be cached at the attestation service, or even at the nova scheduler, to speed up scheduling decisions, as long as the cached value is no older than some specifiable time window.

The simplest geo tag is a string, while more complex variants are XML and JSON strings. A match policy (country match; state and country match; or city, state and country match) and a formatter that parses a given representation into comparable fields are required to perform the match.
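The scheduler filter of step 3, together with the formatter, match policy and cache described under Nova Scheduler Filter and Attestation Service, as an added Python example. It is not the blueprint's code and does not import nova; host_passes/filter_hosts only mirror the shape of a Nova host filter. The attestation responses, the XML layout (`<geotag><Country>…</Country>…</geotag>`), the use of a `Location` key for plain-string tags, and the rule that geographic keys finer than the match policy are ignored are all assumptions made for the example.

```python
import json
import time
import xml.etree.ElementTree as ET

# Tag keys from the pre-configured list on the page.
TAG_KEYS = ("Country", "State/Province", "City", "Region", "Classification")
GEO_KEYS = ("Country", "State/Province", "City")

# Match policies named on the page: how fine-grained the geographic comparison is.
MATCH_POLICIES = {
    "country": ("Country",),
    "state": ("Country", "State/Province"),
    "city": ("Country", "State/Province", "City"),
}


def parse_geo_tag(raw):
    """Formatter: turn the attestation service's representation (plain string, JSON
    object or XML) into a flat dict of tag key -> value. A plain string is kept whole
    under the assumed key 'Location'."""
    text = raw.strip()
    if text.startswith("{"):
        return {str(k): str(v) for k, v in json.loads(text).items()}
    if text.startswith("<"):
        root = ET.fromstring(text)  # assumed shape: <geotag><Country>US</Country>...</geotag>
        return {child.tag: (child.text or "").strip() for child in root}
    return {"Location": text}


class AttestationCache:
    """Parsed host trust/tag data with a maximum age, as the page suggests."""

    def __init__(self, fetch, max_age, clock=time.monotonic):
        self._fetch = fetch      # callable(host) -> (trusted: bool, raw_tag: str)
        self._max_age = max_age  # seconds a cached entry may be reused
        self._clock = clock
        self._entries = {}       # host -> (fetched_at, trusted, tags)

    def get(self, host):
        now = self._clock()
        hit = self._entries.get(host)
        if hit is None or now - hit[0] > self._max_age:  # missing or stale: refetch
            trusted, raw = self._fetch(host)
            hit = (now, trusted, parse_geo_tag(raw))
            self._entries[host] = hit
        return hit[1], hit[2]


class AssetTagFilter:
    """Accepts or rejects hosts against the tags stored as image properties; no weighting."""

    def __init__(self, cache, policy="city"):
        self._cache = cache
        self._geo_keys = MATCH_POLICIES[policy]

    def _required(self, image_properties):
        required = {}
        for key, value in image_properties.items():
            if key not in TAG_KEYS:                    # ordinary Glance property, not a tag
                continue
            if key in GEO_KEYS and key not in self._geo_keys:
                continue                               # finer than the policy: not compared
            required[key] = value
        return required

    def host_passes(self, host, image_properties):
        required = self._required(image_properties)
        if not required:          # image states no tag requirement
            return True
        trusted, host_tags = self._cache.get(host)
        if not trusted:           # a geo tag only counts on a host whose trust attested
            return False
        return all(host_tags.get(k) == v for k, v in required.items())

    def filter_hosts(self, hosts, image_properties):
        return [h for h in hosts if self.host_passes(h, image_properties)]


# Constructed attestation responses: (trusted, raw geo tag) per host.
SAMPLE_ATTESTATION = {
    "node-sc": (True, '{"Country": "US", "State/Province": "CA", "City": "Santa Clara", "Classification": "Internal"}'),
    "node-hk": (True, "<geotag><Country>HK</Country><City>Hong Kong</City></geotag>"),
    "node-untrusted": (False, '{"Country": "US", "State/Province": "CA", "City": "Santa Clara"}'),
    "node-plain": (True, "3rd Floor, Expo Center, Hong Kong"),
}


def demo(policy="city"):
    """Schedule an image restricted to Santa Clara, CA, US across the sample hosts."""
    cache = AttestationCache(SAMPLE_ATTESTATION.__getitem__, max_age=300)
    image = {"name": "payroll", "Country": "US", "State/Province": "CA", "City": "Santa Clara"}
    return AssetTagFilter(cache, policy).filter_hosts(sorted(SAMPLE_ATTESTATION), image)


def cache_demo():
    """Show the time window: two lookups inside it cost one fetch, a later one refetches."""
    calls = []
    now = [0.0]

    def fetch(host):
        calls.append(host)
        return SAMPLE_ATTESTATION[host]

    cache = AttestationCache(fetch, max_age=60, clock=lambda: now[0])
    cache.get("node-sc")
    cache.get("node-sc")   # served from cache
    now[0] = 61.0
    cache.get("node-sc")   # older than the window: fetched again
    return len(calls)


if __name__ == "__main__":
    print(demo())          # ['node-sc']
    print(cache_demo())    # 2
```

Two points worth keeping when turning this into a real filter: an untrusted host is rejected even when its tag text matches, because the tag's value comes from the attestation, not the string; and the cache window is a policy decision, since a host re-provisioned with a different tag keeps scheduling under its old tag until the entry expires.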