OSSN/OSSN-0031
Nova Baremetal is insecure for use in multi-tenant environments
Summary
Data of previous tenants may be exposed to new ones when using Nova Baremetal.
Affected Services / Software
Nova Baremetal, All Releases
Discussion
Nova Baremetal is intended for testing and development only, it is not intended to be production ready. Experience has shown that despite that warning the OpenStack community is keen to embrace new technologies and deploy at-risk. This OSSN serves to signpost some of the risks.
Without secure boot, and without full openflow hardware networking during the boot process, it is impossible to trust multiple tenants on baremetal at all - because the vectors for attack are so low level that instances may be running in a virtual environment and unaware of it, with the virtual environment capturing secrets, forcing entropy pools to be predictable and other such hostile behaviour.
Recommended Actions
Do not use Nova Baremetal where secure separation of tenants on hardware is a requirement without a full verifiable boot chain and network hardware.
Contacts / References
- Author: Robert Clark, HP
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0031
- Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1174153
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg