0

Xen has the ability to attach virtual trusted platform modules (vTPMs) to guest VMs: http://wiki.xenproject.org/wiki/Virtual_Trusted_Platform_Module_(vTPM). I would like to know if there is any Openstack integration for this feature - can managed VM for instance be provisioned vTPMs?

I saw something similar for Hyper-V here:

http://specs.openstack.org/openstack/nova-specs/specs/mitaka/approved/hyper-v-vtpm-devices.html

Paul Sweatte
  • 24,148
  • 7
  • 127
  • 265
DaTaBomB
  • 623
  • 3
  • 11
  • 23

1 Answers1

0

OpenStack provides the following as part of Cloud tenant threat mitigation:

  • Use separated clouds for tenants, if necessary.
  • Use storage encryption per VM or per tenant.
  • OpenStack Nova has a Trusted Filter for Filter Scheduler to schedule workloads to trusted resources only (trusted computing pools), so workloads not requiring trusted execution can be scheduled on any node, depending on utilization, while workloads with a trusted execution requirement will be scheduled only to trusted nodes.

XenServer Architecture

With the following process:

Before you can run OpenStack with XenServer, you must install the hypervisor on an appropriate server .

Xen is a type 1 hypervisor: When your server starts, Xen is the first software that runs. Consequently, you must install XenServer before you install the operating system where you want to run OpenStack code. You then install nova-compute into a dedicated virtual machine on the host.

While XAPI is the preferred mechanism for supporting XenServer (and its deprecated sibling XCP), most existing Xen Project integration with OpenStack is done through libvirt below.

compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = xen

Hardware TPM is also supported:

Our solution essentially mimics how one may download software and compute its SHA-256 hash and compare against its advertised SHA-256 hash to determine its legitimacy. It involves using Intel TXT, which is composed of hardware, software, and firmware. The hardware, attached to the platform, called the Trusted Platform Module (TPM)[3], provides the hardware root of trust. Firmware on the TPM is used to compute secure hashes and save the secure hashes to a set of registers called Platform Configuration Registers (PCRs), with different registers containing different measurements. Other components are Intel virtualization technology, signed code modules, and a trusted boot loader called TBOOT1. Essentially the BIOS, option ROM, and kernel/Ramdisk are all measured in the various PCRs. From a bare metal trust standpoint, we are interested in PCRs 0-7(BIOS, option ROM). The kernel/Ramdisk measurements would depend on the image the tenant seeks to launch on their bare metal instance. PCR value testing is provided by an Open Attestation service, OAT[2]. Additional details in references.

with these security considerations:

At the time of this writing, very few clouds are using secure boot technologies in a production environment. As a result, these technologies are still somewhat immature. We recommend planning carefully in terms of hardware selection. For example, ensure that you have a TPM and Intel TXT support. Then verify how the node hardware vendor populates the PCR values. For example, which values will be available for validation. Typically the PCR values listed under the software context in the table above are the ones that a cloud architect has direct control over. But even these may change as the software in the cloud is upgraded. Configuration management should be linked into the PCR policy engine to ensure that the validation is always up to date.

References

Community
  • 1
  • 1
Paul Sweatte
  • 24,148
  • 7
  • 127
  • 265