
Bare Metal Trust

OpenStack Summit Paris


Nov 2014

Tan Lin, Wei Chen, Wei Gang, Malini Bhandaru, Shane Wang
Agenda
Motivation
Trust - HW & SW
Ironic with Attestation
Demo
Blueprints & References

Motivation - Detect Malware/Changes
Can we trust a node to host an OpenStack Service?
Can we trust a relinquished Bare Metal Node to be free of malware - to allocate to another tenant?

Detect change in BIOS? YES!
Detect change in PCIe device(s): number, firmware
Change in Kernel, VMM, Operating System?
OpenSource Technology Center
Intel TXT
Enables detection on boot, and exit from platform sleep
Changes in
o BIOS (root kits), replay attacks
o PCIe device changes (number of devices, their firmware) YES!
o Kernel - updates

Motivation - A closer look at the Nodes
Compute Nodes:
o Host Tenant VMs
o Trusted Compute Pools

Service Nodes: Nova, KeyStone, Neutron..
o hosts OpenStack services: scheduler, networking, identity etc

Bare Metal Nodes
o Performance sensitive Tenants
o HPC, Containers

[Diagram labels: Nova, Cinder, Neutron, KeyStone, Compute, Bare Metal]
Trust TPM, TXT, OAT
Platform with TPM module

http://en.wikipedia.org/wiki/Trusted_Platform_Module#mediaviewer/File:TPM_Asus.jpg

Trusted Platform Module (TPM)

TPM 1.2
o SHA-1 hashes

TPM 2.0
o SHA-1 & SHA-2 hashes & custom hash algorithms

22 PCRs

Image credit: http://en.wikipedia.org/wiki/Trusted_Platform_Module#mediaviewer/File:TPM.svg


Trust Hardware & Software
TPM/TXT/TBoot/TrouSerS/OAT

Software
o OAT, Mt. Wilson (closed source): Remote Attestation; 1.7, 2.0; Client, Server (Java)
o TrouSerS: Library to access TPM; Open source software (C)
o Tboot: Measures BIOS, Option ROM, kernel into TPM registers; Open source software (C)

Hardware
o Intel TXT: VT-x, VT-d, BIOS enable HW and SW virtualization support
o TPM: 1.2 original, 2.0 Global/export, software hash algorithms; NationZ, Infineon

Intel platform
Setup
Setup - OAT Server
1. Deploy OAT server in OpenStack
2. Provision Known Good Values
For Bare Metal images
OEMs can provide BIOS and PCIe firmware measures
HPC images deployed 1000s of times are worth full measure

Setup Node(s)
1. Enable TPM
2. Enable TXT, VT-x, VT-d in BIOS
3. Take TPM ownership

Currently manual steps


Scripts nice, need OEM help
Secure save Password
Setup OpenStack
1. Ironic flavor trusted
2. Whitelist Glance image
3. iPXE/PXE boot image
4. Inject OAT client
5. Ironic second boot
6. Attest
Workflow
1. Enable VT-x, VT-d, take TPM ownership
2. Ironic Boot <image>
3. PCR hash values
4. trusted/not
5. allocate to tenant

[Diagram labels: PXE or iPXE, OAT attestation, Glance service, tboot, BIOS, Intel Platform + TPM hardware]
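
The attestation decision in workflow steps 3 and 4 (PCR hash values, then trusted/not), as an added example that is not code from the slides or from OAT: it replays TPM 1.2 style SHA-1 extends and compares the result with provisioned known good values. The PCR indices, image names and firmware blobs are constructed assumptions, and the signed TPM quote a real attestation server verifies is left out.

```python
import hashlib

# Assumed PCR roles for this sketch; the slides do not give the indices.
PCR_ROLES = {0: "BIOS", 2: "option ROM / PCIe firmware", 18: "kernel"}


def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || SHA-1(measured blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()


def measure_boot(components):
    """Replay a boot sequence of (pcr_index, blob) pairs into hex PCR values."""
    pcrs = {}
    for index, blob in components:
        pcrs[index] = extend(pcrs.get(index, b"\x00" * 20), blob)
    return {index: value.hex() for index, value in pcrs.items()}


def attest(node_pcrs, whitelist, image_id):
    """Compare reported PCRs with known good values; return (trusted, reasons)."""
    known_good = whitelist.get(image_id)
    if known_good is None:
        # Distinct from tampering, so the scheduler can retry or alert.
        return False, ["missing whitelist entry"]
    reasons = [
        f"{PCR_ROLES.get(index, 'unknown')} modified (PCR {index})"
        for index, good in sorted(known_good.items())
        if node_pcrs.get(index) != good
    ]
    return not reasons, reasons


# Constructed sample data: a golden boot and the whitelist provisioned from it.
GOLDEN_BOOT = [(0, b"bios-v1"), (2, b"nic-fw-v1"), (18, b"kernel-3.17")]
WHITELIST = {"hpc-image": measure_boot(GOLDEN_BOOT)}


def demo():
    clean = attest(measure_boot(GOLDEN_BOOT), WHITELIST, "hpc-image")
    # A newly added PCIe card contributes one more option ROM measurement.
    changed = GOLDEN_BOOT[:2] + [(2, b"new-card-fw")] + GOLDEN_BOOT[2:]
    new_device = attest(measure_boot(changed), WHITELIST, "hpc-image")
    unlisted = attest(measure_boot(GOLDEN_BOOT), WHITELIST, "other-image")
    return clean, new_device, unlisted


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because each extend hashes the previous PCR value, the extra measurement changes PCR 2 without touching PCR 0 or PCR 18, which is what lets the report name the modified component.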

Demos
Use Cases
Bare Metal Trust
Detect Firmware change - new PCIe device
Upgrade - whitelist change

Horizon Bare Metal Instances

Limitations
Linux bare metal images in OpenStack
Trust too

Trust client injection required
o OSV adoption (RedHat, Suse, Ubuntu) will eliminate
o Chicken-egg problem: demand/integration/adoption

Manual enable trust-measurement
o OEM help for scripts.

Next Steps
Alert Admin about untrusted bare metal
BIOS/firmware/optionROM modified?
Kernel modified?
Missing whitelist entry?
Re-try trusted bare metal schedule (configure #tries)
To avoid Denial-of-service through missing whitelist
Upstream code
https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust
https://blueprints.launchpad.net/horizon/+spec/bare-metal-trust-status
Blueprints
https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust
References
Trusted Compute Group
http://www.intel.com/content/www/us/en/architecture-and-technology/trusted-execution-technology/malware-reduction-general-technology.html
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf
http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
Intel Trusted Execution Technology for Server Platforms (Apress), A Guide to More Secure Datacenters -- free eBook -- http://www.apress.com/9781430261483
Backup
Inject OAT-Client
minicloud@minicloud:~$ disk-image-create -u fedora baremetal local-config stackuser oat-client -o oat-client-21
minicloud@minicloud:/opt/stack/diskimage-builder/elements$ find oat-client/
oat-client/
oat-client/install.d
oat-client/install.d/package-installs-oat
oat-client/element-deps
oat-client/README.md
oat-client/pre-install.d
oat-client/pre-install.d/02-set-oat-repo

Trust Flavor
# Slide excerpt: GenericDriverFields (the base class) is not shown.
class PXEDriverFields(GenericDriverFields):

    def _get_kernel_ramdisk_dict(self, flavor):
        """Get the deploy ramdisk and kernel IDs from the flavor.

        :param flavor: the flavor object.
        :returns: a dict with the pxe options for the deploy ramdisk and
                  kernel if the IDs were found in the flavor, otherwise an
                  empty dict is returned.

        """
        extra_specs = flavor['extra_specs']
        deploy_kernel = extra_specs.get('baremetal:deploy_kernel_id')
        deploy_ramdisk = extra_specs.get('baremetal:deploy_ramdisk_id')
        # Trust flag from the flavor; extra specs are strings, so the
        # value is compared with the string 'True' below.
        deploy_trust = extra_specs.get('baremetal:deploy_trust')
        deploy_ids = {}
        if deploy_kernel and deploy_ramdisk:
            deploy_ids['pxe_deploy_kernel'] = deploy_kernel
            deploy_ids['pxe_deploy_ramdisk'] = deploy_ramdisk
            if deploy_trust == 'True':
                deploy_ids['pxe_deploy_trust'] = deploy_trust
        return deploy_ids

Trust Node
# Slide excerpt: two functions that were shown side by side. deploy_utils,
# driver_utils and _() come from the surrounding module.
def _parse_driver_info(node):
    """Gets the driver specific Node deployment info.

    This method validates whether the 'driver_info' property of the
    supplied node contains the required information for this driver to
    deploy images to the node.

    :param node: a single Node.
    :returns: A dict with the driver_info values.
    :raises: MissingParameterValue
    """
    info = node.driver_info
    d_info = {}
    d_info['deploy_kernel'] = info.get('pxe_deploy_kernel')
    d_info['deploy_ramdisk'] = info.get('pxe_deploy_ramdisk')
    # Trust flag defaults to the string 'False' when the flavor did not set it.
    d_info['deploy_trust'] = info.get('pxe_deploy_trust', 'False')

    error_msg = _("Cannot validate PXE bootloader")
    deploy_utils.check_for_missing_params(d_info, error_msg, 'pxe_')

    return d_info


def _continue_deploy(self, task, **kwargs):
    """Continues the deployment of baremetal node over iSCSI.

    This method continues the deployment of the baremetal node over iSCSI
    from where the deployment ramdisk has left off.

    :param task: a TaskManager instance containing the node to act on.
    :param kwargs: kwargs for performing iscsi deployment.
    """
    # node, pxe_config_path and root_uuid are set by code not shown on the
    # slide; the except clause of this try block is not shown either.
    try:
        d_info = _parse_deploy_info(node)
        trust_boot = d_info['deploy_trust']
        deploy_utils.switch_pxe_config(
            pxe_config_path, root_uuid,
            driver_utils.get_node_capability(node, 'boot_mode'),
            trust_boot)

PXE configuration with trust_boot
default trust_boot

label deploy
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_ramdisk rootfstype=ramfs selinux=0 disk=cciss/c0d0,sda,hda,vda iscsi_target_iqn=iqn-40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_id=40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_key=Z33C3N5N644QJH50T6SCZDEXR7FIYB0K ironic_api_url=http://10.239.48.36:6385 troubleshoot=0 text nofb nomodeset vga=normal
ipappend 3

label boot
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal

label trust_boot
kernel mboot
append tboot.gz --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal intel_iommu=on --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk

TrouSerS
I have a TPM. What can I use TrouSerS for?
TPM services provided through the TSS API are:
o RSA key pair generation
o RSA encryption and decryption using PKCS v1.5 and OAEP padding
o RSA sign/verify
o Extend data into the TPM's PCRs and log these events
o Seal data to arbitrary PCRs
o Random Number Generation
o RSA key storage