2. Agenda
Trusted Pools
• Concept
• Implementation & Usage
Trusted Launch with Trusted Boot (Tboot)
Remote Attestation with OpenAttestation (OAT)
More on Trusted Pools
• Patches
• Deployment & Configuration
Summary
3. Trusted Pools - Concept
Trusted Pools is also called Trusted Computing Pools (TCP)
Control VMs based on platform trust
• Trusted Computing to better protect data
Trusted Pools relies on:
• Trusted Launch
• Remote Attestation
Trusted Launch: verified platform integrity reduces malware threat
Compliance: hardware support for compliance reporting enhances auditability of cloud environment
4. Trusted Pools - Implementation
[Architecture diagram] The user specifies VM requirements (Mem > 2G, Disk > 50G, GPGPU=Intel, trusted_host=trusted) and issues Create VM through the EC2 API or OSAPI. The Scheduler runs the TrustedFilter, which queries the Attestation Server through the Query API and gets back trusted/untrusted for each host. The OAT-based Attestation Server (Privacy CA, Appraiser, Attestation Service, Whitelist API, DB) attests each Tboot-enabled host through the Host Agent API; each host runs a Host agent alongside the guest OSes and Apps on a Hypervisor / tboot over HW/TXT.
5. Using Trusted Pools
Create a trusted flavor (instance type)
• Create a new flavor 'm1.trusted'
• Add a 'trusted_host=trusted' property in the flavor extra spec
Create a trusted instance
• Issue a request to start a new instance and specify a trusted flavor like 'm1.trusted'
• The filter scheduler calls the trusted filter for each node in the system.
• The trusted filter queries the attestation service to get the trust level for each of those nodes.
• Only those nodes that have a trust level of 'trusted' will be schedulable; all others will be ignored.
7. Intel® Trusted Execution Technology (TXT)
Trusted Execution Technology: extensions for measured launch & memory protection
• CPU (SMX): processor contains hardware to authenticate AC Modules and perform measurements
• 3rd party Trusted Platform Module (TPM): stores and reports trusted environment measurements
• Chipset: VT-d chipset feature blocks device access (e.g. DMA) to protected memory pages
• BIOS / Flash: BIOS AC Module and platform initialization
• Intel Authenticated Software: SINIT AC Module, BIOS AC Module
• 3rd party Software: VMM/OS uses TXT mechanisms to establish a measured launch environment
8. Trusted Boot (Tboot) Project
http://sourceforge.net/projects/tboot
Open source, pre-kernel/VMM module, BSD licensed
Uses Intel TXT to perform verified launch of OS kernel/VMM
• Supports ELF and Linux file formats
• Extends LCP to verify VMM / kernel
Mercurial repo http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
Project also contains tools for policy creation and provisioning
• Intel TXT Launch Control Policy (LCP)
• Tboot Verified Launch policy
Distributions containing tboot package (Xen 3.4+, Linux 2.6.35+):
• Fedora 14+, RHEL 6.1+, SLE11 SP2, Ubuntu 11.10+
9. Trusted Launch with Tboot
[Timeline diagram, left to right in time] GRUB → tboot pre-launch → TXT SENTER → SINIT → tboot post-launch → VMM/kernel starts
• Bootstrap Processor (BSP): BIOS boots and starts the bootloader; GRUB loads tboot + VMM / kernel + SINIT and starts tboot; tboot loads, verifies & prepares, then issues SENTER; SINIT extends PCR 17; tboot post-launch extends PCR 18 and PCR 17/18/19/… are extended further; VMM / kernel ops run on all threads
• Application Processor (AP): BIOS starts the APs and the bootloader puts them in wait-for-SIPI; on the SENTER event the APs join; tboot SMP bringup wakes the APs; all threads participating
* PCR – Platform Configuration Register in TPM
11. OpenAttestation Project
https://github.com/OpenAttestation/OpenAttestation.git
SDK for managing host integrity verification using the Trusted Computing Group (TCG) defined remote attestation protocol
• Targeted at cloud and enterprise management tools
Key features:
• Supports major Linux host OSs
• PCR-based report schema and policy rules
• RESTful Query API
• Reference web portal/GUI implementation
– Historical PCR data tracking/comparison
– Whitelist management (Whitelist – known good PCR values)
• Flexible access control to attestation server
– Supports Tomcat 2-way SSL/TLS for Query APIs
– Hook for ISVs to implement custom access control
12. SDK Architecture
Code base is from National Information Assurance Research Lab (NIARL) of NSA
– Privacy Certificate Authority (Privacy CA), Appraiser, Host Agent are Java
– Host Agent accesses TPM through TrouSerS
[Architecture diagram] The Attestation Server (Tomcat) hosts the Privacy CA, Appraiser and Whitelist API and exposes the Query API and Host Agent API; it persists the hosts table and whitelist table in DB (mysql) through Hibernate. Each attested host runs the Host agent alongside guest OSes and Apps on a Hypervisor / tboot over HW/TXT.
SDK Components: Privacy CA, Appraiser, Host Agent, installation and provisioning scripts, portal reference code
13. An Example for Query
Synchronously request host state from server
• Post and wait for hosts' trustworthiness to return
Request:
POST OpenAttestationWebServices/V1.0/PollHosts
Host: Attestation.ras.com:8443
Content-Type: application/json
Accept: application/json
Auth_blob: authenticationBlob
Content-length: 39
{
  "count":1,
  "hosts": [host1.compute.com]
}
Response:
HTTP/1.1 200 OK
Server: BaseHTTP/0.3 Python/2.7.1+
Date: Wed, 24 Aug 2011 03:19:56 GMT
Content-Type: application/json
Content-length: 112
{
  "count":1,
  "hosts":[{"host_name":"host1.compute.com",
            "trust_lvl":"trusted",
            "vtime": "Wed Aug 24 03:19:56 2011"}]
}
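An added example, not part of the deck or the OAT project: a small Python client for the PollHosts call shown above. It builds the request with the headers shown, parses a response in the shape shown, and maps every requested host to a fail-closed scheduling decision (missing hosts, stale reports and any trust_lvl other than "trusted" are not trusted). The host names, the response body, the 600-second freshness window and the treatment of vtime as UTC are assumptions of this example.

```python
import calendar
import json
import time

# Query API path taken from the deck's nova.conf example; everything else below
# (host names, response body, freshness window) is constructed for this example.
API_URL = "/OpenAttestationWebServices/V1.0"
VTIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Wed Aug 24 03:19:56 2011"


def build_poll_hosts_request(hosts, auth_blob):
    """Build the synchronous PollHosts request: method, path, headers, JSON body."""
    body = json.dumps({"count": len(hosts), "hosts": list(hosts)})
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Auth_blob": auth_blob,   # opaque to the SDK, checked by the ISV's own hook
        "Content-length": str(len(body.encode("utf-8"))),
    }
    return "POST", API_URL + "/PollHosts", headers, body


def vtime_to_epoch(vtime):
    """Parse the report's vtime (assumed UTC) into a Unix timestamp."""
    return calendar.timegm(time.strptime(vtime, VTIME_FORMAT))


def parse_poll_hosts_response(body, requested_hosts, now, max_age_seconds=600):
    """Map each requested host to a decision, failing closed.

    A host counts as trusted only when the server reports it, trust_lvl is
    exactly "trusted", and the verification time is within max_age_seconds.
    """
    data = json.loads(body)
    entries = data.get("hosts", [])
    if data.get("count") != len(entries):
        raise ValueError("count does not match the number of host entries")

    reported = {e["host_name"]: e for e in entries if "host_name" in e}
    decisions = {}
    for host in requested_hosts:
        entry = reported.get(host)
        if entry is None:
            decisions[host] = {"trust_lvl": "unknown", "trusted": False,
                               "reason": "not in response"}
            continue
        level = entry.get("trust_lvl", "unknown")
        try:
            age = now - vtime_to_epoch(entry["vtime"])
        except (KeyError, ValueError):
            decisions[host] = {"trust_lvl": level, "trusted": False,
                               "reason": "missing or bad vtime"}
            continue
        if age > max_age_seconds:
            decisions[host] = {"trust_lvl": level, "trusted": False,
                               "reason": "stale report"}
            continue
        decisions[host] = {"trust_lvl": level, "trusted": level == "trusted",
                           "reason": "fresh report"}
    return decisions


# Constructed response in the slide's shape: two hosts reported, a third omitted.
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "hosts": [
        {"host_name": "host1.compute.com", "trust_lvl": "trusted",
         "vtime": "Wed Aug 24 03:19:56 2011"},
        {"host_name": "host2.compute.com", "trust_lvl": "untrusted",
         "vtime": "Wed Aug 24 03:19:56 2011"},
    ],
})
REQUESTED = ["host1.compute.com", "host2.compute.com", "host3.compute.com"]

if __name__ == "__main__":
    method, path, headers, body = build_poll_hosts_request(REQUESTED, "authenticationBlob")
    print(method, path, headers["Content-length"], body)
    now = vtime_to_epoch("Wed Aug 24 03:19:56 2011") + 60
    for host, decision in parse_poll_hosts_response(SAMPLE_RESPONSE, REQUESTED, now).items():
        print(host, decision)
```

The point of the freshness check is that a trust level is a statement about the host at vtime; a scheduler that caches an old "trusted" answer is deciding on a measurement that may no longer hold.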
14. Query API – Query Hosts' Trust State
POST https://server/PostHosts
  Input: Auth_blob, SelectedPCRs bitmask, {HostNames…}
  Output: RequestId
  Comment: Request to Attestation server for Hosts' trust state and selected PCR values asynchronously
GET https://server/PostedHosts
  Input: Auth_blob, RequestId
  Output: Hosts' trust state data & Selected PCR values
  Comment: Retrieve previously posted result
POST https://server/PollHosts
  Input: Auth_blob, SelectedPCRs bitmask, {HostNames…}
  Output: Hosts' trust state data & Selected PCR values
  Comment: Poll and wait for Attestation server to retrieve Hosts' trust state and selected PCR values synchronously
• HTTPS Query API access control, set up and operated by the Cloud Provider, is through the Tomcat Truststore by verifying both Server and Client Certificates
• ISV specific Auth_blob is included in all request headers
– Opaque to Attestation SDK
– ISV to implement authentication hook per its access control requirement
15. WhiteList Data API – Add/Delete good/known WhiteList entries
PUT /PCR
  Output: Entry Index
  Comment: Create a new PCR entry for update (PCRindex, PCRvalue, PCRdesc)
UPDATE /PCR?Index=n
  Output: N/A
  Comment: Update specific entry data
DELETE /PCR?Index=n
  Output: N/A
  Comment: Delete specific entry data
GET /PCR
  Output: PCRindex, PCRvalue, PCRdesc entries
  Comment: Display all the entries
GET /PCR?Index=n
  Output: PCRindex, PCRvalue, PCRdesc
  Comment: Retrieve a specific entry
GET /PCR?PCRindex=n
  Output: PCRindex, PCRvalue, PCRdesc entries
  Comment: Retrieve all the entries with PCRindex=n
GET /PCR?PCRdesc=desc
  Output: PCRindex, PCRvalue, PCRdesc entries
  Comment: Retrieve all the entries with PCRdesc=desc
GET /PCR?PCRindex=n&PCRdesc=desc
  Output: PCRindex, PCRvalue, PCRdesc
  Comment: Retrieve the entry with matched specification
HTTPS access with both Server and Client Certificates verified through Tomcat Truststore
ISV specific Auth_blob included in all request headers
• ISV to implement verification hook per access control requirement
16. Attestation Flow in OpenAttestation – HostAgent to Server
Exchange between the Attesting Host (Host Agent) and the Appraiser:
• Host Agent → Appraiser: Request appraisal
• Appraiser: Create random nonce and get PCR_SELECT mask
• Appraiser → Host Agent: Send Nonce and requested PCRs
• Host Agent: Load AIK* into TPM; Quote = Sign(Requested PCR, Nonce) with AIKpriv
• Host Agent → Appraiser: HostName, Quote
• Appraiser: Retrieve AIK Certificate based on HostName
• Appraiser: Verify AIK Certificate based on PrivacyCA.cert
• Appraiser: Verify Quote signature through AIK Cert
• Appraiser: Verify HostName and nonce
• Appraiser: Validate PCR
* AIK – Attestation Identity Key
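An added example, not OAT code: a Python simulation of the appraiser-side checks listed on this slide (AIK lookup, quote signature, nonce freshness, PCR validation against a whitelist), driven by the PCR_SELECT and ALERT_MASK_CSV settings that the deck shows later under service configuration. The HMAC that stands in for the TPM quote signature (the real protocol uses an RSA signature by the AIK private key), the bit order of PCR_SELECT (bit i selects PCR i), the whitelist values, the AIK secret and the host name are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed configuration using the OAT.properties keys shown in the deck.
# Assumption of this example: bit i of PCR_SELECT selects PCR i.
PCR_SELECT = "FFFFFF"        # include PCR 0..23 in integrity reports
ALERT_MASK_CSV = "0,17,18"   # PCRs whose values decide the trust level

# Constructed whitelist of known-good PCR values (40 hex digits, a TPM 1.2 PCR size).
WHITELIST = {0: {"aa" * 20}, 17: {"bb" * 20}, 18: {"cc" * 20}}


def selected_pcrs(mask_hex):
    """PCR indexes selected by a hex bitmask such as FFFFFF."""
    mask = int(mask_hex, 16)
    return [i for i in range(24) if (mask >> i) & 1]


def alert_pcrs(csv):
    """PCR indexes listed in ALERT_MASK_CSV."""
    return [int(x) for x in csv.split(",") if x.strip()]


class HostAgent:
    """Constructed host agent. The TPM quote is stood in for by an HMAC keyed with
    the host's AIK secret; the real protocol signs with the AIK private key."""

    def __init__(self, hostname, aik_key, pcrs):
        self.hostname = hostname
        self.aik_key = aik_key
        self.pcrs = pcrs  # index -> hex value, the simulated TPM PCR bank

    def quote(self, nonce, requested):
        payload = {"nonce": nonce, "pcrs": {str(i): self.pcrs[i] for i in requested}}
        blob = json.dumps(payload, sort_keys=True).encode()
        signature = hmac.new(self.aik_key, blob, hashlib.sha256).hexdigest()
        return {"host_name": self.hostname, "quote": payload, "signature": signature}


class Appraiser:
    """Constructed appraiser performing the slide's checks in order."""

    def __init__(self, aik_registry):
        self.aik_registry = aik_registry  # hostname -> AIK key enrolled via the Privacy CA
        self.pending = {}                 # hostname -> outstanding nonce (single use)

    def challenge(self, hostname):
        nonce = secrets.token_hex(20)
        self.pending[hostname] = nonce
        return nonce, selected_pcrs(PCR_SELECT)

    def appraise(self, report):
        hostname = report.get("host_name")
        aik_key = self.aik_registry.get(hostname)  # stands in for AIK cert retrieval + CA check
        if aik_key is None:
            return "untrusted", "no AIK certificate for host"
        blob = json.dumps(report["quote"], sort_keys=True).encode()
        expected = hmac.new(aik_key, blob, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report.get("signature", "")):
            return "untrusted", "quote signature invalid"
        nonce = self.pending.pop(hostname, None)   # consumed: a replayed quote fails here
        if nonce is None or nonce != report["quote"].get("nonce"):
            return "untrusted", "nonce mismatch or replay"
        pcrs = report["quote"]["pcrs"]
        for index in alert_pcrs(ALERT_MASK_CSV):
            value = pcrs.get(str(index))
            if value is None or value not in WHITELIST.get(index, set()):
                return "untrusted", "PCR %d not in whitelist" % index
        return "trusted", "all alert PCRs match whitelist"


def run_demo():
    """One good attestation, one replay of the same quote, one tampered PCR 17."""
    good_pcrs = {i: "00" * 20 for i in range(24)}
    good_pcrs.update({0: "aa" * 20, 17: "bb" * 20, 18: "cc" * 20})
    key = b"constructed-aik-secret-host1"
    appraiser = Appraiser({"host1.compute.com": key})
    agent = HostAgent("host1.compute.com", key, good_pcrs)

    nonce, requested = appraiser.challenge(agent.hostname)
    report = agent.quote(nonce, requested)
    first = appraiser.appraise(report)
    replay = appraiser.appraise(report)   # same report again: nonce already consumed

    bad_pcrs = dict(good_pcrs)
    bad_pcrs[17] = "dd" * 20              # a different MLE measurement
    bad_agent = HostAgent("host1.compute.com", key, bad_pcrs)
    nonce, requested = appraiser.challenge(bad_agent.hostname)
    tampered = appraiser.appraise(bad_agent.quote(nonce, requested))
    return first, replay, tampered


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Two details carry the security of the flow: the nonce is removed from the pending table when it is checked, so a captured quote cannot be presented twice, and only the PCRs in ALERT_MASK_CSV decide the trust level, so the whitelist must cover every PCR listed there.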
18. TrustedFilter
commit 14c01e09b68b367d708c6ddd6f3d4e440687727c
Author: Don Dugger <donald.d.dugger@intel.com>
Date: Tue May 8 18:30:57 2012 -0600
Add scheduler filter for trustedness of a host
Implements blueprint trusted-computing-pools
TrustedFilter
• Select the current host as a candidate if
– the trusted_host property does not exist
– or the trusted_host property has the same value as the trust level of the current host obtained via AttestationService
AttestationService
• Provides an access wrapper to the attestation server to get the integrity report.
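An added example, not the Nova patch itself: a Python sketch of the filter rule above, which also covers the scheduling flow described earlier under Using Trusted Pools (the filter is called per node, asks the attestation service for each node's trust level, and only matching nodes stay schedulable). The attestation results, host names and flavor extra specs are constructed; host_passes mirrors the method name of Nova's scheduler host filters but is a re-implementation, and a host the server cannot vouch for is treated as "unknown" so it never lands in the trusted pool.

```python
class AttestationService:
    """Constructed access wrapper for the attestation server. `query` is any callable
    that returns {host_name: trust_lvl}; errors and hosts missing from the answer
    yield "unknown", so the filter fails closed instead of admitting a host it
    could not attest."""

    def __init__(self, query):
        self._query = query

    def get_trust_level(self, host):
        try:
            levels = self._query([host])
        except Exception:
            return "unknown"
        return levels.get(host, "unknown")


class TrustedFilter:
    """Constructed filter implementing the decision rule on the slide."""

    def __init__(self, attestation_service):
        self.attestation = attestation_service

    def host_passes(self, host_state, filter_properties):
        extra_specs = filter_properties.get("instance_type", {}).get("extra_specs", {})
        wanted = extra_specs.get("trusted_host")
        if wanted is None:
            return True   # the flavor did not ask for any trust level
        return self.attestation.get_trust_level(host_state["host"]) == wanted

    def filter_hosts(self, host_states, filter_properties):
        return [h["host"] for h in host_states if self.host_passes(h, filter_properties)]


# Constructed attestation results for three compute nodes; node3 is unknown to the server.
SAMPLE_LEVELS = {"node1": "trusted", "node2": "untrusted"}


def sample_query(hosts):
    return {h: SAMPLE_LEVELS[h] for h in hosts if h in SAMPLE_LEVELS}


HOSTS = [{"host": "node1"}, {"host": "node2"}, {"host": "node3"}]


def flavor(**extra_specs):
    """Constructed flavor dict in the shape the filter reads (name, extra_specs)."""
    name = "m1.trusted" if extra_specs else "m1.small"
    return {"instance_type": {"name": name, "extra_specs": extra_specs}}


def run_demo():
    f = TrustedFilter(AttestationService(sample_query))
    return {
        "plain": f.filter_hosts(HOSTS, flavor()),
        "trusted": f.filter_hosts(HOSTS, flavor(trusted_host="trusted")),
        "untrusted": f.filter_hosts(HOSTS, flavor(trusted_host="untrusted")),
    }


if __name__ == "__main__":
    for pool, nodes in run_demo().items():
        print(pool, nodes)
```

Because the rule is an equality match, a flavor with trusted_host=untrusted deliberately selects the untrusted pool; that is useful for keeping workloads that do not need attestation off the trusted nodes.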
19. Set Flavor Extra Specs
commit 8644584eb6daf4d2870cee9bba5b849bc37e36d0
Author: Yunhong, Jiang <yunhong.jiang@intel.com>
Date: Wed Jul 18 14:32:36 2012 +0800
Enhance nova-manage to set flavor extra specs
blueprint update-flavor-key-value
TrustedFilter requires a 'trusted_host' property in flavor extra spec
4 ways to set flavor extra specs:
• Access database directly
– mysql -u$MYSQL_USER -p$MYSQL_PASSWORD nova -e 'insert into instance_type_extra_specs (`deleted`,`instance_type_id`,`key`,`value`) values (0,6,"trusted_host","trusted");'
• Enhance nova-manage to set flavor extra specs
– nova-manage instance_type add_key m1.trusted trusted_host trusted
• Enhance nova-client to set flavor extra specs
• Enhance Dashboard (Horizon) to set flavor extra specs
20. Trusted Pools Deployment & Configuration
Steps:
• Deploy normal Nova controller & compute nodes
• Deploy OAT based attestation service
• Enable TPM & TXT in BIOS on compute nodes
• Install Host Agent on compute nodes
• Install tboot and enable trusted launch on compute nodes
• Configure attestation service and provision White List
• Configure Nova controller for Trusted Pools
21. Deploy OAT Based Attestation Service
Future approach: Install package(s) shipped with Linux distributions
Current approach: Build and install from source code.
• Build: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Build.pdf
– Build system could be Ubuntu/SuSE/Fedora/RHEL
– Download & install required tools/libraries
– Build package with scripts
• Install: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
– Support Ubuntu/SuSE/Fedora/RHEL
– Install required modules
– Install the package generated in previous step
– Verify by accessing http://localhost/OAT/ in a browser
22. Install Host Agent
System must have TPM 1.2 compliant device with driver installed, and
TPM/TXT enabled in BIOS.
Steps: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
• Install dependent packages
• Download Client Installation Package from OAT server:
– http://<server.domain>/ClientInstaller.html
• Unzip & run general-install.sh to install package
• Verify the Host Agent is registered into OAT service
– http://<server.domain>/OAT/reports.php
• There are hints for how to set up two-way SSL/TLS auth
23. Install Tboot and Enable Trusted Launch
Install with tboot package in Linux distributions
• For ubuntu1204, apt-get install tboot
• For Fedora17/RHEL6.3/SLES11sp2, yum install tboot, then manually change grub.conf or .cfg
Install from source
• Get source code from either the upstream repo or the released src package on sourceforge
• Install trousers/trousers-devel/libtsp package
• Make & make install with root privilege
• Change grub.conf or .cfg
Refer to the README of the tboot project for more information
24. Configure Attestation Service & Provision White List
Service Configuration: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
• In /usr/lib/apache-tomcat-6.0.29/webapps/HisWebServices/WEB-INF/classes/OAT.properties
– PCR_SELECT=FFFFFF --- Include PCR 0~23 in integrity reports
– ALERT_MASK_CSV=0,17,18 --- Verify PCR 0, 17, 18 to report trust level
White List provisioning:
• Get the desired PCR values for the PCRs specified in ALERT_MASK_CSV
• Create White List entry
– With Admin Console: https://<server.domain>:8443/OpenAttestationAdminConsole/PCRManifest.jsp
– Or by invoking the White List API through an app or tools like curl
25. Configure Nova Controller
/etc/nova/nova.conf
[default]
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
scheduler_default_filters=TrustedFilter
[trusted_computing]
server=aa.bb.com --- attestation server host
server_ca_file=/a/b/c.cer --- attestation server Cert file for identity verification
port=8443 --- attestation server port
api_url=/OpenAttestationWebServices/V1.0 --- attestation web API URL
auth_blob=xxxx --- attestation authorization blob - optional
27. Summary
The Trusted Pools feature in OpenStack was implemented and pushed into Nova for the next Folsom release.
The implementation is based on the Query API of attestation services deployed using the SDK provided by the OpenAttestation (OAT) project.
It is strongly recommended to enable Trusted Boot (tboot) on each compute node to take advantage of Intel TXT technology, so that OS/VMM integrity is included in the host trust level judgment.
Call for Action:
• Try the Trusted Pools capability and look for opportunities to optimize it.