Jump to: navigation, search

Trusted-Location-Control

Revision as of 15:29, 22 August 2014 by Jerry Wheeler (talk | contribs) (Hardware assisted Geo location and Boundary Control)

Hardware assisted Geo tagging and Asset Tagging

While the cloud enables workloads and data to reside anywhere, users may be constrained to run their workloads and save their data in certain geographies due to regulatory reasons. This extends beyond trusting the cloud's hardware resources to be free of malware and rootkits. Extensions to Trusted Compute Pools (TCP) enable associating with hardware at provision time geo-tags. Intel Trusted Execution Environment (TXT) and other measured launch environments (MLEs) facilitate measuring such provision time information into the Trusted Platform Module (TPM). Attestation services can be used to ascertain that provision time meta data have not been tampered.

Asset and Geo Tags can be used to:

Monitor and Enforce policies to control placement, migration or bursting to trusted systems in specific geographical locations

  1. Control workload placement
  2. Provide Control and Visibility to Cloud End-users
    1. Display in dashboard the asset/geo associations of VM and hosts
    2. Generate audit logs of Hardware/VMs/data with asset/geo details.


Geo Tagging builds on the Trusted Compute Pools feature, covered in TrustedComputingPools


Proposed Changes

HW-Geo-tag overview.gif

Geo-Location/Asset-tag process

  1. Provision Geo-Location/Asset-tag to Host
    1. Create a tag or tags in the Attestation Server (Mt Wilson)
    2. Create a selection with one or more tags
    3. Provision host with hash of the selection
    4. Write the geo-tag to the TPM
  2. Add Geo-Location/Asset-tag VM Policies as VM Image Properties
    1. On Horizon dashboard Image creation/edit page(s), User to select a tag key from the pre-configured tag key list [Country, State/Province, City, Region, Classification]
    2. Associate the keys with the appropriate values
    3. On image creation or editing, Horizon updates the glance database to store the list of tag key/value pairs as image properties.
  3. Add Asset/Location Filter to Scheduler
    1. Create a new filter scheduler for geo-tag and trust attestation. It does the following
    2. For the selected image, retrieves the list of tag key/value pairs from the glance database.
    3. For each host, retrieves the trust and geo-tag details
    4. Maps the image trust and geo-tag requirements with the server geo-tag and filters appropriately.
    5. NOTE: This filter does not assign a weight to the hosts
  4. Geo-Tag Attestation Service – additions to Trust Attestation Service
  5. UI/Portal Extensions for Trust/Location info/attestation
    1. Adding Trust and geo location information to the horizon dashboard
    2. Added trust and geo-tag indicators(icons) to images, instances and hypervisor pages


Nova Aggregates and Availability Zones

The partitioning, resource reservation, and fault tolerance benefits that Nova aggregates and availability zones bring have a lot in common with geo tags. However, the main difference is that trusted tags are provision time values, and attached to the hardware resource. Re-purposing a machine is more easy via the command line with aggregates and availability zones, does not require machine reboot, but to modify trusted geo-tags more deliberate action is required, a machine reboot. The trusted geo-tag by virtue of being associated with a hardware root of trust is more valuable with respect to meeting regulatory requirements.

Further, the Attestation service could be independent of the cloud provider to increase credibility and better meet regulatory requirements. In addition, geo-tags can be verified with about 90% accuracy using software techniques using the Internet Protocol (IP) address of the device being attested.


This blueprint details how geo-tags can be incorporated and taken advantage of in OpenStack clouds.


Nova Compute Node Provisioning

During compute nodes provisioning for trust, geo-tags may also be assigned. These can be simple strings, such as, "3 rd Floor, Expo Center, Hong Kong", or complex, such as XML data providing sub-items such as GPS co-ordinates, postal address, and more, or json strings.

Dashboard

  1. Flavor Extra Specs, Volume Extra Specs The extra specs field readily supports specifying geo and other asset tag constraints.
  2. Displaying VM and Volume geo/asset tag affiliations The Horizon UI for instance and volume lists could be extended to display in addition to current information, trusted and geo tags. For instance, it would be logical to add a little trusted seal if a compute node is trusted, and by extension a VM running on the same compute node. A country flag would be a good geo indicator.
  3. Object listings Could also contain geo indicators.

Nova Scheduler Filter

Asset /Geo Tag filters should be specified. They will be very similar to todays Aggregate and Availability filters with the distinction that the data they retrieve from the Attestation service may need to be parsed. For instance, geo-tag data may be retrieved as a json string or as XML. In the case of XML,

Attestation Service

Existing Attestion services need to be upgraded to understand geo tags, support an API to retrieve them for registered hardware resources. The geo tags retrieved for hardware resource could be cached at the attestation service or even at the nova scheduler to speed scheduling decisions as long as the cached value is no older than some specifiable time window.

The simplest geo tag is a string, while more complex variants are XML and json strings. A match policy (country match, state and country match, or city, state, and country match) and a formatter to parse a given representation is required to facilitate match.

Retrieved from "https://wiki.openstack.org/w/index.php?title=Trusted-Location-Control&oldid=61115"