[RFE] Bare metal trust using Intel TXT

Bug #1526280 reported by Vladyslav Drok
Affects: Ironic
Status: Fix Released
Importance: Wishlist
Assigned to: Tan Lin

Bug Description

Be able to assert that a host node has a trusted BIOS, OptionROM, and kernel/OS. Be able to detect changes in the BIOS, attached PCIe devices, their firmware, and/or the kernel. Leverages Intel TXT to "measure" BIOS and OS software and save their hashes in the on-chip Trusted Platform Module (TPM). Will increase confidence in the cloud that OpenStack service nodes can be attested as Trusted. Tenants seeking bare metal can also ascertain whether the node allocated to launch their provided images can be "trusted" before deploying applications on it. The solution involves an open source attestation server that determines whether the measured hashes match provisioned known-good values.

Tags: rfe-approved
Vladyslav Drok (vdrok)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe
Ruby Loo (rloo)
Changed in ironic:
assignee: nobody → Tan Lin (tan-lin-good)
Ruby Loo (rloo) wrote :

Spec is available at http://specs.openstack.org/openstack/ironic-specs/specs/approved/bare-metal-trust-using-intel-txt.html.

Copying this from its corresponding BP (https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust-using-intel-txt):

Gerrit topic: https://review.openstack.org/#q,topic:bp/bare-metal-trust-using-intel-txt,n,z

Addressed by: https://review.openstack.org/191661
    Add a new boot section 'trusted_boot' for PXE

Addressed by: https://review.openstack.org/207278
    Support trusted boot with iPXE

Just the iPXE patch needs to land to complete this work. Leaving it open until that happens. I'd like to see that completed during Mitaka.
// jroll 2015-10-15

Changed in ironic:
status: Confirmed → In Progress
tags: added: rfe-approved
removed: rfe
Ruby Loo (rloo) wrote :

The iPXE part was removed from the spec/feature, so this was completed in Liberty, 4.2.

Changed in ironic:
status: In Progress → Fix Released