openstack team mailing list archive

Re: Plans for Trusted Computing in OpenStack

 

Hi,

so basically my questions/thoughts about support for TC in OpenStack are based on a somewhat different attack model where the IaaS is actually not trusted.

That is in contrast with the Trusted Compute Pools, where the scheduler/trusted_filter is assumed to reject the host as a candidate for running the VM if it does not have a corresponding "trust value". However, nothing prevents a really evil IaaS deployment to ignore this trust value and go ahead, launch the VM and return it to the client. So there's an improvement suggestion focusing on that part.

The model that I have in mind assumes both no trust in the IaaS setup/provider.

So the gist is that:

1. Client could upload a secret encrypted with the public key of the authentication service (possible to include in the extra_specs)

2. The Attestation Service, after verifying the compute host, could bind the secret to the host's trusted configuration, so that the host can inject the secret into the VM

With this approach, a malicious IaaS provider can still launch the VM on an untrusted host, but now the client can verify that the VM has been started on a 'trusted' host.

So the questions around this are --

1. Is the scenario of an untrusted IaaS deployment considered for Trusted Compute Pools?

2. Is there any work ongoing to extend Trusted Compute Pools for storage as well? Or otherwise put, what about the storage, is the solution to encrypt all data on the compute host prior to storing it in the object store?

3. Is there any work ongoing on the evaluation side, namely the evaluation of the trust attributes obtained from the host -- and do Trusted Compute Pools consider a binary value (trusted/untrusted) or a scale of security profiles?

Cheers,
/Nico.



On 6 November 2012 19:07, Dugger, Donald D <donald.d.dugger@xxxxxxxxx> wrote:

> Nico-
>
> This is the appropriate place for discussions about Trusted Compute Pools
> under OpenStack.  Feel free to send out any ideas you have, I know I and
> others would be very interested in what you have.
>
> --
> Don Dugger
> "Censeo Toto nos in Kansa esse decisse." - D. Gale
> Ph: 303/443-3786
>
> *From:* openstack-bounces+donald.d.dugger=intel.com@xxxxxxxxxxxxxxxxxxx
> [mailto:openstack-bounces+donald.d.dugger=intel.com@xxxxxxxxxxxxxxxxxxx]
> *On Behalf Of* Nicolae Paladi
> *Sent:* Tuesday, November 06, 2012 8:35 AM
> *To:* openstack
> *Subject:* [Openstack] Plans for Trusted Computing in OpenStack
>
> Hi,
>
> I am involved in a project that aims to use TPM modules to ensure that
> the compute nodes run a 'trusted' software stack in a public IaaS
> deployment.
>
> I've read about trusted computing pools
> (http://wiki.openstack.org/TrustedComputingPools), checked out the
> OpenAttestation project and seen a presentation from the OpenStack
> summit (Putting Trust in OpenStack
> <http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/putting-trust-in-openstack>)
> in order to get a better understanding of where OpenStack is heading
> towards wrt TPM support.
>
> Are there any more resources, discussions, mailing lists that I could
> check out and where I could potentially bounce ideas?
>
> Cheers,
>
> /Nico.
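
The secret-binding flow proposed in the message above, as an added sketch that is not part of the original thread and is not OpenStack or OpenAttestation code. All names (`ToyTPM`, `measure`, `attestation_bind`, `client_accepts`) are hypothetical; the TPM is modelled as an in-process object, and the public-key wrapping of the secret in transit is omitted.

```python
import hashlib, hmac, os

def measure(stack: bytes) -> bytes:
    """PCR-style digest of the software stack a host booted."""
    return hashlib.sha256(stack).digest()

# Constructed value: the measurement the attestation service treats as trusted.
TRUSTED_PCR = measure(b"constructed: known-good hypervisor stack")

class ToyTPM:
    """Hypothetical stand-in for a host TPM: a sealed secret is released
    only while the current measurement equals the one it was bound to."""
    def __init__(self, booted_stack: bytes):
        self.pcr = measure(booted_stack)
        self._sealed = None

    def seal(self, bound_pcr: bytes, secret: bytes) -> None:
        self._sealed = (bound_pcr, secret)

    def unseal(self):
        if self._sealed is None:
            return None
        bound_pcr, secret = self._sealed
        return secret if hmac.compare_digest(bound_pcr, self.pcr) else None

def attestation_bind(secret: bytes, host_tpm: ToyTPM) -> None:
    """Step 2: bind the client's secret to the trusted configuration,
    not to whatever the host claims about itself."""
    host_tpm.seal(TRUSTED_PCR, secret)

def vm_response(injected_secret, nonce: bytes) -> bytes:
    """The VM proves possession of the injected secret; without one it can only guess."""
    key = injected_secret if injected_secret is not None else os.urandom(32)
    return hmac.new(key, nonce, hashlib.sha256).digest()

def client_accepts(booted_stack: bytes) -> bool:
    """One launch: the IaaS picks the host, the client checks the result."""
    secret = os.urandom(32)             # step 1: client-chosen secret
    host_tpm = ToyTPM(booted_stack)     # host chosen by the (untrusted) IaaS
    attestation_bind(secret, host_tpm)
    nonce = os.urandom(16)              # fresh challenge, so replies cannot be replayed
    response = vm_response(host_tpm.unseal(), nonce)
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)
```

The provider can still place the VM on any host, but only a host whose measurement matches the bound value can hand the VM the secret it needs to answer the client's challenge.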
