Motivation - Detect Malware/Changes
Can we trust a node to host an OpenStack Service?
Can we trust a relinquished Bare Metal Node to be free of malware - to allocate to another tenant?
http://en.wikipedia.org/wiki/Trusted_Platform_Module#mediaviewer/File:TPM_Asus.jpg
TPM 1.2
SHA-1 hashes
TPM 2.0
SHA-1 & SHA-2 hashes &
custom hash algorithms
22 PCRs
TrouSerS
Library to access TPM
Open source software (C)
Intel platform
OpenSource Technology Center
Setup
Setup - OAT Server
1. Deploy OAT server in OpenStack
2. Provision Known Good Values
For Bare Metal images
OEMs can provide BIOS and PCIe firmware measures
HPC images deployed 1000s of times are worth full measure
2. Ironic Boot
<image>
3. PCR hash values
tboot
BIOS 1. Enable VT-x, VT-d, take TPM ownership
Intel Platform
+ TPM hardware
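An added example, not taken from the slides or from OAT or Ironic code: how TPM 1.2 SHA-1 PCR extension folds boot measurements into a single value, and how an attestation check compares the PCRs a node reports with provisioned known good values. The PCR indices, component bytes and function names are constructed for illustration, and each PCR is assumed to start as 20 zero bytes.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length used by TPM 1.2 PCRs


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def replay(components) -> str:
    """Fold an ordered measurement list into the PCR value it should produce."""
    pcr = bytes(PCR_SIZE)  # assumption: the PCR starts as 20 zero bytes
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr.hex()


def appraise(reported: dict, known_good: dict) -> list:
    """Return the PCR indices that are missing or differ from the known good set."""
    bad = []
    for index, expected in sorted(known_good.items()):
        actual = reported.get(index, "")
        if not hmac.compare_digest(actual.lower(), expected):
            bad.append(index)
    return bad


# Constructed sample data: stand-ins for the measured boot components.
GOLDEN_BOOT = {17: [b"tboot.gz policy"], 18: [b"kernel image", b"ramdisk image"]}
KNOWN_GOOD = {i: replay(parts) for i, parts in GOLDEN_BOOT.items()}

# A clean node replays the same chain; the other reports differ in content or order.
clean_report = {17: replay([b"tboot.gz policy"]),
                18: replay([b"kernel image", b"ramdisk image"])}
tampered_report = {17: clean_report[17],
                   18: replay([b"kernel image", b"ramdisk image + implant"])}
reordered_report = {17: clean_report[17],
                    18: replay([b"ramdisk image", b"kernel image"])}

if __name__ == "__main__":
    for name, report in [("clean", clean_report), ("tampered", tampered_report),
                         ("reordered", reordered_report)]:
        bad = appraise(report, KNOWN_GOOD)
        print(name, "trusted" if not bad else f"untrusted, PCRs {bad}")
```

Because each extend hashes the previous PCR value, a changed component or a changed measurement order both produce a different final value, and a PCR absent from the report is treated as a mismatch.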
"""
    extra_specs = flavor['extra_specs']
    deploy_kernel = extra_specs.get('baremetal:deploy_kernel_id')
    deploy_ramdisk = extra_specs.get('baremetal:deploy_ramdisk_id')
    deploy_trust = extra_specs.get('baremetal:deploy_trust')
    deploy_ids = {}
    if deploy_kernel and deploy_ramdisk:
        deploy_ids['pxe_deploy_kernel'] = deploy_kernel
        deploy_ids['pxe_deploy_ramdisk'] = deploy_ramdisk
    if deploy_trust == 'True':
        deploy_ids['pxe_deploy_trust'] = deploy_trust
    return deploy_ids
    This method validates whether the 'driver_info' property of the
    supplied node contains the required information for this driver to
    deploy images to the node.

    :param node: a single Node.
    :returns: A dict with the driver_info values.
    :raises: MissingParameterValue
    """
    info = node.driver_info
    d_info = {}
    d_info['deploy_kernel'] = info.get('pxe_deploy_kernel')
    d_info['deploy_ramdisk'] = info.get('pxe_deploy_ramdisk')
    d_info['deploy_trust'] = info.get('pxe_deploy_trust', 'False')

    error_msg = _("Cannot validate PXE bootloader")
    deploy_utils.check_for_missing_params(d_info, error_msg, 'pxe_')
    return d_info

    This method continues the deployment of the baremetal node over iSCSI
    from where the deployment ramdisk has left off.

    :param task: a TaskManager instance containing the node to act on.
    :param kwargs: kwargs for performing iscsi deployment.
    """
    try:
        d_info = _parse_deploy_info(node)
        trust_boot = d_info['deploy_trust']
        deploy_utils.switch_pxe_config(pxe_config_path, root_uuid,
            driver_utils.get_node_capability(node, 'boot_mode'),
            trust_boot)
label deploy
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_ramdisk rootfstype=ramfs selinux=0 disk=cciss/c0d0,sda,hda,vda iscsi_target_iqn=iqn-40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_id=40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_key=Z33C3N5N644QJH50T6SCZDEXR7FIYB0K ironic_api_url=http://10.239.48.36:6385 troubleshoot=0 text nofb nomodeset vga=normal
ipappend 3
label boot
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal
label trust_boot
kernel mboot
append tboot.gz --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal intel_iommu=on --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk