Trusted compute pools

Trusted compute pools enable administrators to designate a group of compute hosts as trusted. These hosts use hardware-based security features, such as the Intel Trusted Execution Technology (TXT), to provide an additional level of security. Combined with an external stand-alone web-based remote attestation server, cloud providers can ensure that the compute node runs only software with verified measurements and can ensure a secure cloud stack. Through the trusted compute pools, cloud subscribers can request services to run on verified compute nodes.

The remote attestation server performs node verification as follows:

1. Compute nodes boot with Intel TXT technology enabled.
2. The compute node BIOS, hypervisor, and OS are measured.
3. Measured data is sent to the attestation server when challenged by the attestation server.
4. The attestation server verifies those measurements against a good and known database to determine the nodes' trustworthiness.

A description of how to set up an attestation service is beyond the scope of this document. For an open source project that you can use to implement an attestation service, see the Open Attestation project.
Configure Compute to use trusted compute pools

Configure the Compute service with the connection information for the attestation service. Specify these connection options in the trusted_computing section of the nova.conf configuration file:

- server: Host name or IP address of the host that runs the attestation service.
- port: HTTPS port for the attestation service.
- server_ca_file: Certificate file used to verify the attestation server's identity.
- api_url: The attestation service URL path.
- auth_blob: An authentication blob, which is required by the attestation service.

To enable scheduling support for trusted compute pools, add the following lines to the DEFAULT and trusted_computing sections in the /etc/nova/nova.conf file. Edit the details in the trusted_computing section based on the details of your attestation service:

    [DEFAULT]
    compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
    scheduler_available_filters=nova.scheduler.filters.all_filters
    scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter

    [trusted_computing]
    server=10.1.71.206
    port=8443
    server_ca_file=/etc/nova/ssl.10.1.71.206.crt
    # If using OAT v1.5, use this api_url:
    api_url=/AttestationService/resources
    # If using OAT pre-v1.5, use this api_url:
    #api_url=/OpenAttestationWebServices/V1.0
    auth_blob=i-am-openstack

Restart the nova-compute and nova-scheduler services.
Configuration reference
Specify trusted flavors

You must configure one or more flavors as trusted. Users can request trusted nodes by specifying a trusted flavor when they boot an instance.

Use the nova flavor-key set command to set a flavor as trusted. For example, to set the m1.tiny flavor as trusted:

    # nova flavor-key m1.tiny set trust:trusted_host trusted

To request that their instances run on a trusted host, users can specify a trusted flavor on the nova boot command:
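The following added example models, end to end, the two mechanisms this page describes: the attestation server comparing a node's reported measurements (BIOS, hypervisor, OS) against its good and known database, and the scheduler's trusted filter keeping only hosts whose attested trust level matches the flavor's trust:trusted_host extra spec. It is illustration code written for this page, not nova's or the Open Attestation project's own code; the names KNOWN_GOOD, attest, poll_hosts and trusted_filter, the record shape returned by poll_hosts, and the sample nodes and measurement values are all constructed for the example.

```python
import hashlib
from typing import Dict, List


def _measure(component_blob: bytes) -> str:
    """Stand-in for a TXT/TPM measurement: a SHA-256 of a component image."""
    return hashlib.sha256(component_blob).hexdigest()


# Constructed "good and known" database: the measurement the attestation
# server expects for each measured component of a compute node.
KNOWN_GOOD: Dict[str, str] = {
    "bios": _measure(b"vendor-bios-v2.1"),
    "hypervisor": _measure(b"kvm-hypervisor-build-1234"),
    "os": _measure(b"compute-node-image-2014.1"),
}

MEASURED_COMPONENTS = ("bios", "hypervisor", "os")


def attest(measurements: Dict[str, str]) -> str:
    """Verify one node's reported measurements against KNOWN_GOOD.

    Every measured component must be present and match exactly. A missing
    component or an unknown value yields 'untrusted'; there is no partial
    credit, because one modified layer undermines everything above it.
    """
    for component in MEASURED_COMPONENTS:
        if measurements.get(component) != KNOWN_GOOD[component]:
            return "untrusted"
    return "trusted"


def poll_hosts(host_names: List[str],
               reported: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Model of the attestation server answering a scheduler query.

    Returns one record per queried host with its trust level (a simplified,
    constructed record shape). A host that never sent measurements is
    reported as untrusted rather than silently dropped, so the scheduler
    cannot mistake "no answer" for "trusted".
    """
    results = []
    for name in host_names:
        trust_lvl = attest(reported.get(name, {}))
        results.append({"host_name": name, "trust_lvl": trust_lvl})
    return results


def trusted_filter(host_names: List[str], extra_specs: Dict[str, str],
                   reported: Dict[str, Dict[str, str]]) -> List[str]:
    """Model of the scheduler's trusted-pool filter.

    If the flavor carries no trust:trusted_host extra spec, every host
    passes (the filter is a no-op for ordinary flavors). Otherwise only
    hosts whose attested trust level equals the requested value are kept.
    """
    wanted = extra_specs.get("trust:trusted_host")
    if wanted is None:
        return list(host_names)
    levels = {r["host_name"]: r["trust_lvl"]
              for r in poll_hosts(host_names, reported)}
    return [h for h in host_names if levels[h] == wanted]


# Constructed sample: one clean node, one whose hypervisor measurement
# differs from the known-good value, and one that never reported anything.
SAMPLE_HOSTS = ["node-a", "node-b", "node-c"]
SAMPLE_REPORTED = {
    "node-a": dict(KNOWN_GOOD),
    "node-b": {**KNOWN_GOOD,
               "hypervisor": _measure(b"kvm-hypervisor-build-1234-modified")},
}


if __name__ == "__main__":
    # A flavor set with `trust:trusted_host trusted` only lands on node-a.
    print(trusted_filter(SAMPLE_HOSTS, {"trust:trusted_host": "trusted"},
                         SAMPLE_REPORTED))
    # A flavor without the extra spec is unrestricted.
    print(trusted_filter(SAMPLE_HOSTS, {}, SAMPLE_REPORTED))
```

The two design points worth carrying into a real deployment are visible in the sample output: a node that cannot be attested is treated the same as one with a bad measurement, and the filter only constrains placement when the flavor actually asks for it, which is why the flavor-key step above is required for trust to have any scheduling effect.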