Trusted compute poolsTrusted compute pools enable administrators to designate a
group of compute hosts as trusted. These hosts use hardware-based
security features, such as the Intel Trusted Execution
Technology (TXT), to provide an additional level of security.
Combined with an external stand-alone web-based remote
attestation server, cloud providers can ensure that the
compute node runs only software with verified measurements and
can ensure a secure cloud stack.Through the trusted compute pools, cloud subscribers can
request services to run on verified compute nodes.The remote attestation server performs node verification as
follows:Compute nodes boot with Intel TXT technology
enabled.The compute node BIOS, hypervisor, and OS are
measured.Measured data is sent to the attestation server when
challenged by attestation server.The attestation server verifies those measurements
against a good and known database to determine nodes'
trustworthiness.A description of how to set up an attestation service is
beyond the scope of this document. For an open source project
that you can use to implement an attestation service, see the
Open Attestation project.Configure Compute to use trusted compute poolsConfigure the Compute service with the
connection information for the attestation
service.Specify these connection options in the
trusted_computing section
in the nova.conf
configuration file:serverHost name or IP address of the host
that runs the attestation
serviceportHTTPS port for the attestation
serviceserver_ca_fileCertificate file used to verify the
attestation server's identity.api_urlThe attestation service URL
path.auth_blobAn authentication blob, which is
required by the attestation
service.To enable scheduling support for trusted compute
pools, add the following lines to the
DEFAULT and
trusted_computing sections
in the /etc/nova/nova.conf
file. Edit the details in the
trusted_computing section
based on the details of your attestation
service:[DEFAULT]
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
scheduler_available_filters=nova.scheduler.filters.all_filters
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter
[trusted_computing]
server=10.1.71.206
port=8443
server_ca_file=/etc/nova/ssl.10.1.71.206.crt
# If using OAT v1.5, use this api_url:
api_url=/AttestationService/resources
# If using OAT pre-v1.5, use this api_url:
#api_url=/OpenAttestationWebServices/V1.0
auth_blob=i-am-openstackRestart the nova-compute and nova-scheduler
services.Configuration referenceSpecify trusted flavorsYou must configure one or more flavors as
trusted. Users can request
trusted nodes by specifying a trusted flavor when they
boot an instance.Use the nova flavor-key set command
to set a flavor as trusted. For example, to set the
m1.tiny flavor as trusted:#nova flavor-key m1.tiny set trust:trusted_host trustedTo request that their instances run on a trusted host,
users can specify a trusted flavor on the nova
boot command: