
TrustedComputingPools

  • Launchpad Entry: Essex
  • Created: 2011-09-20
  • Contributors: Fred Yang

Summary

In a cloud computing environment there can be thousands of compute nodes in different geographical or remote locations. Cloud subscribers may require that their applications or virtual machines run only on compute nodes that are verified to be running known-good hypervisors, so that the trustworthiness of the running environment is assured. This feature enables cloud hosting providers to build trusted computing pools based on hardware security features such as Intel Trusted Execution Technology (TXT). Combined with an external, standalone, web-based remote attestation server provided by a separate open source project (i.e. "remote attestation"), providers can ensure that a compute node is running software with verified measurements, and so establish the foundation for a secure cloud stack. Through Trusted Computing Pools, cloud subscribers can request that their services run on verified compute nodes.

The Remote Attestation server verifies nodes through the following steps:

1. Compute nodes boot with Intel TXT enabled.

2. The compute node's BIOS, hypervisor and OS are measured.

3. The measured data is sent to the attestation server when the node is challenged by it.

4. The attestation server verifies those measurements against a known-good database to determine each node's trustworthiness.

OpenStackTrustedComputePool1.png

Release Note

Cloud providers who deploy Trusted Computing Pools can offer premier services to users who require their services to run only on compute nodes verified to be running known-good hypervisors, ensuring a trustworthy environment. Users will have the option to specify that services run on compute nodes with a verified environment. This set of enhancements will not impact users consuming the HTTP OSAPI.

Rationale

A cloud computing pool can involve thousands of compute nodes at different geographical locations, which makes it hard for cloud providers to determine an individual node's trustworthiness. With an enhancement that consults a remote attestation service combined with Intel TXT, the OpenStack scheduler can place VMs on compute nodes with verified software.

User Stories

Users have the option to specify that their services run on compute nodes within the trusted computing pools.

OpenStackTrustedComputePool2.png

Design

Trusted Computing Pools are created by utilizing a new trusted_filter in the Abstract Scheduler. The trusted_filter uses a trusted key/value pair stored in the extra_specs field of the flavor. The value of this pair is compared against the trust value returned by the Attestation Service for a host. If the value matches the Attestation Service value, the host passes the filter. If the values do not match, the host does not pass the filter and is not a candidate for hosting the scheduled instance. The Attestation Service returns the value trusted for trusted hosts and untrusted for non-trusted hosts.

Implementation

The new trusted_filter is the only change required for the Abstract Scheduler.

A new section, trusted_computing, is added to the nova.conf configuration file containing the following parameters:

  • server - host name or URL of the server supplying the Attestation Service
  • port - HTTPS port of the Attestation Service
  • server_ca_file - certificate file used to verify the Attestation server's identity
  • api_url - URL path on the server used to access the Attestation Service
  • auth_blob - authentication blob required by the Attestation Service
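The filter logic from the Design section and the configuration above, as an added example rather than the blueprint's or nova's own code. The Attestation Service is replaced by a stub table (a real filter would query it over HTTPS using the server, port, server_ca_file, api_url and auth_blob settings); the extra_specs key trusted_computing, the sample values, and the choice to let a host pass when the flavor sets no key are assumptions.

```python
# Added example, not the blueprint's code: a simplified trusted_filter.

# Constructed sample of the nova.conf [trusted_computing] section;
# the host and path are hypothetical placeholders.
TRUSTED_COMPUTING_CONF = {
    "server": "attestation.example.internal",
    "port": 8443,
    "server_ca_file": "/etc/nova/attestation-ca.pem",
    "api_url": "/AttestationService/resources",
    "auth_blob": "REPLACE_WITH_AUTH_BLOB",
}


class AttestationClient:
    """Stub for the external Attestation Service.

    The real service answers "trusted" or "untrusted" per host after
    checking its TXT measurements against a known-good database; here a
    constructed host -> trust-level table stands in for that answer.
    """

    def __init__(self, conf, trust_table):
        self.conf = conf
        self._trust_table = trust_table

    def host_trust_level(self, hostname):
        # Fail closed: a host the service cannot vouch for is "untrusted".
        return self._trust_table.get(hostname, "untrusted")


class TrustedFilter:
    """Pass a host only when the flavor's trusted_computing extra_spec
    matches the trust level the Attestation Service reports for it."""

    EXTRA_SPEC_KEY = "trusted_computing"  # assumed key name

    def __init__(self, client):
        self.client = client

    def host_passes(self, hostname, flavor):
        wanted = flavor.get("extra_specs", {}).get(self.EXTRA_SPEC_KEY)
        if wanted is None:
            return True  # flavor did not request a trusted pool (assumption)
        return self.client.host_trust_level(hostname) == wanted

    def filter_hosts(self, hosts, flavor):
        return [h for h in hosts if self.host_passes(h, flavor)]


def demo():
    # Constructed hosts: node-a attested trusted, node-b untrusted, node-c unknown.
    client = AttestationClient(TRUSTED_COMPUTING_CONF,
                               {"node-a": "trusted", "node-b": "untrusted"})
    f = TrustedFilter(client)
    trusted_flavor = {"extra_specs": {"trusted_computing": "trusted"}}
    plain_flavor = {"extra_specs": {}}
    hosts = ["node-a", "node-b", "node-c"]
    return f.filter_hosts(hosts, trusted_flavor), f.filter_hosts(hosts, plain_flavor)
```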

UI Changes

The only UI change is the addition of the optional trusted_computing key/value pair added to the extra_specs field for the instance flavor.

Code Changes

Code changes should be isolated from the existing API, compute and scheduler modules. Rather, a new filter becomes available and only takes effect when Trusted Computing Pools are created via flavors that include the trusted_computing extra_specs.

Migration

No issue since this is strictly an optional extension.

Test/Demo Plan

Unit tests will be provided as part of the enhancements. Integration and large-scale testing can be added once the infrastructure exists.

Unresolved Issues

None

BoF agenda and Discussion

The following relevant sessions were discussed at the Diablo design summit