Bare metal trust using Intel TXT

Registered by Malini Bhandaru on 2014-06-17

Be able to assert that a host node has a trusted BIOS, OptionROM, and kernel/OS . Be able to detect changes in BIOS, attached PCIe devices, changes to their firmware, and/or kernel. Leverages Intel TXT to "measure" BIOS and OS software and save their hashes on the trusted-platform-module (TPM) on chip. Will increase confidence in the cloud that OpenStack service nodes can be attested as Trusted. Tenants seeking bare metal can also ascertain whether the allocated node on launching their provided images can be "trusted" before deploying applications on them. The solution involves an open source attestation server that determines whether the hashes match provisioned known-good-values.

Blueprint information

Status:
Started
Approver:
None
Priority:
Medium
Drafter:
Malini Bhandaru
Direction:
Approved
Assignee:
Tan Lin
Definition:
Approved
Series goal:
Accepted for mitaka
Implementation:
Needs Code Review
Milestone target:
None
Started by
Jim Rollenhagen on 2015-10-15

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/bare-metal-trust-using-intel-txt,n,z

Addressed by: https://review.openstack.org/191661
    Add a new boot section 'trusted_boot' for PXE

Addressed by: https://review.openstack.org/207278
    Support trusted boot with iPXE

Just the iPXE patch needs to land to complete this work. Leaving it open until that happens. I'd like to see that completed during Mitaka.
// jroll 2015-10-15

Hi Malini (or anyone planning to work on this), thanks for the proposal. We're moving from using blueprints to track features to RFE bugs. vdrok filed one for your change - https://bugs.launchpad.net/ironic/+bug/1526219. Please track further work there using Closes-Bug, Partial-Bug or Related-Bug in commit messages and use this newly created RFE bug.
//rloo 2015-12-15

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.