- Launchpad Entry: Essex
- Created: 2011-09-20
- Contributors: Fred Yang
- 1 Summary
- 2 Release Note
- 3 Rationale
- 4 User Stories
- 5 Design
- 6 Implementation
- 7 UI Changes
- 8 Code Changes
- 9 Migration
- 10 Test/Demo Plan
- 11 Unresolved Issues
- 12 BoF agenda and Discussion
In a cloud computing environment there can be thousands of compute nodes located in different geographical or remote locations. Cloud subscribers may require their applications or virtual machines to run only on compute nodes verified to be running known-good hypervisors, to ensure the trustworthiness of the running environment. This feature enables cloud hosting providers to build trusted computing pools based on hardware security features such as Intel Trusted Execution Technology (TXT). Combined with an external standalone web-based remote attestation server provided by a separate open source project (i.e. "remote attestation"), providers can ensure that a compute node is running software with verified measurements, and thereby establish the foundation for a secure cloud stack. Through Trusted Computing Pools, cloud subscribers can request that their services run on verified compute nodes.
The Remote Attestation server verifies nodes through the following steps:
1. Compute nodes boot with Intel TXT enabled.
2. The compute node's BIOS, hypervisor and OS are measured.
3. The measured data is sent to the Attestation server when the node is challenged by it.
4. The Attestation server verifies those measurements against a known-good database to determine the node's trustworthiness.
Cloud providers who deploy Trusted Computing Pools can offer premium services to users who require that their services run only on compute nodes verified to be running known-good hypervisors, ensuring a trustworthy environment. Users will have the option to specify that their services run on compute nodes with a verified environment. This set of enhancements will not impact users consuming the HTTP OSAPI.
A cloud computing pool can involve thousands of compute nodes at different geographical locations, which makes it hard for cloud providers to establish a node's trustworthiness. With this enhancement, which verifies nodes through the remote attestation service combined with Intel TXT, the OpenStack scheduler can place VMs on compute nodes running verified software.
Users have the option to specify that their services run on compute nodes within the trusted computing pools.
Trusted Computing Pools are created by utilizing a new trusted_filter in the Abstract Scheduler. The trusted_filter utilizes a trusted key/value pair that is stored in the extra_specs field of the flavor. The value of this pair is compared against the trust value that is returned by the Attestation Service for a host. If the value matches the Attestation Service value, the host passes the filter. If the values do not match, the host does not pass the filter and is not a candidate for hosting the scheduled instance. The Attestation Service returns the value trusted for trusted hosts and untrusted for non-trusted hosts.
The new trusted_filter is the only change required for the Abstract Scheduler.
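The host-selection rule of the trusted_filter described above, as an added example that is not Nova's own code: the flavor's extra_specs value is compared with the trust value the Attestation Service reports for the host. The extra_specs key name `trusted_computing`, the host names and the in-memory attestation results are assumptions standing in for the real HTTPS query to the Attestation Service.

```python
# Added illustration of the trusted_filter rule; not Nova's implementation.
TRUSTED = "trusted"
UNTRUSTED = "untrusted"

# Constructed sample of what the Attestation Service might report per host.
ATTESTATION_RESULTS = {
    "node-a": TRUSTED,
    "node-b": UNTRUSTED,
    # "node-c" deliberately absent: the service has no verdict for it.
}


def attest_host(hostname, results=ATTESTATION_RESULTS):
    """Look up a host's trust value (stand-in for the HTTPS call to the
    Attestation Service). A host with no verdict fails closed as untrusted,
    so a missing or unreachable attestation record never grants trust."""
    return results.get(hostname, UNTRUSTED)


def host_passes(hostname, flavor_extra_specs, attest=attest_host):
    """Return True if the host may run an instance of this flavor.

    The flavor's trusted_computing extra_spec (key name assumed) is compared
    with the Attestation Service value for the host; equal means the host
    passes. A flavor without the key does not request a trusted pool, so
    every host passes (the extension is optional).
    """
    requested = flavor_extra_specs.get("trusted_computing")
    if requested is None:
        return True
    if requested not in (TRUSTED, UNTRUSTED):
        # Reject malformed specs instead of silently letting them through.
        raise ValueError("unexpected trusted_computing value: %r" % requested)
    return attest(hostname) == requested


def filter_hosts(hosts, flavor_extra_specs, attest=attest_host):
    """Apply host_passes to a candidate list, as the scheduler filter would."""
    return [h for h in hosts if host_passes(h, flavor_extra_specs, attest)]


if __name__ == "__main__":
    trusted_flavor = {"trusted_computing": TRUSTED}
    print(filter_hosts(["node-a", "node-b", "node-c"], trusted_flavor))
    # ['node-a']
```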
A new section, trusted_computing, is added to the nova.conf configuration file containing the following parameters:
- server - host (URL) supplying the Attestation Service
- port - HTTPS port for the Attestation Service
- server_ca_file - certificate file used to verify the Attestation server's identity
- api_url - URL path within the server used to access the Attestation Service
- auth_blob - authentication blob required by the Attestation Service
The only UI change is the addition of the optional trusted_computing key/value pair to the extra_specs field of the instance flavor.
Code changes are isolated from the existing API, compute and scheduler modules. Instead, a new filter is made available that only takes effect when Trusted Computing Pools are created via flavors that include the trusted_comput extra_specs.
No issue since this is strictly an optional extension.
Unit tests will be provided as part of the enhancements. Integration and large-scale testing can be added once the infrastructure exists.
BoF agenda and Discussion
The following relevant sessions were discussed at the Diablo design summit