[RFE] Bare metal trust using Intel TXT

Bug #1526280 reported by Vladyslav Drok
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Tan Lin

Bug Description

Be able to assert that a host node has a trusted BIOS, OptionROM, and kernel/OS . Be able to detect changes in BIOS, attached PCIe devices, changes to their firmware, and/or kernel. Leverages Intel TXT to "measure" BIOS and OS software and save their hashes on the trusted-platform-module (TPM) on chip. Will increase confidence in the cloud that OpenStack service nodes can be attested as Trusted. Tenants seeking bare metal can also ascertain whether the allocated node on launching their provided images can be "trusted" before deploying applications on them. The solution involves an open source attestation server that determines whether the hashes match provisioned known-good-values.

Tags: rfe-approved
Vladyslav Drok (vdrok)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe
Ruby Loo (rloo)
Changed in ironic:
assignee: nobody → Tan Lin (tan-lin-good)
Revision history for this message
Ruby Loo (rloo) wrote :

Spec is available at http://specs.openstack.org/openstack/ironic-specs/specs/approved/bare-metal-trust-using-intel-txt.html.

Copying this from its corresponding BP (https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust-using-intel-txt):

Gerrit topic: https://review.openstack.org/#q,topic:bp/bare-metal-trust-using-intel-txt,n,z

Addressed by: https://review.openstack.org/191661
    Add a new boot section 'trusted_boot' for PXE

Addressed by: https://review.openstack.org/207278
    Support trusted boot with iPXE

Just the iPXE patch needs to land to complete this work. Leaving it open until that happens. I'd like to see that completed during Mitaka.
// jroll 2015-10-15

Changed in ironic:
status: Confirmed → In Progress
tags: added: rfe-approved
removed: rfe
Revision history for this message
Ruby Loo (rloo) wrote :

The iPXE part was removed from the spec/feature, so this was completed in Liberty, 4.2.

Changed in ironic:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.