文档介绍:Using New Trusted Pools
Capability in Folsom Release
Gang Wei
Agenda
Trusted Pools
• Concept
• Implementation & Usage
Trusted Launch with Trusted Boot (Tboot)
Remote Attestation with OpenAttestation (OAT)
More on Trusted Pools
• Patches
• Deployment & Configuration
Summary
2
Trusted Pools - Concept
Trusted Pools is also called Trusted Pools
Control VMs based on platform trust
• puting to better protect data
Pools (TCP)
Trusted Launch
Verified platform integrity
Trusted Pools relies on: reduces malware threat
• Trusted Launch
• Remote Attestation
Compliance
Hardware support pliance reporting
enhances auditability of cloud environment
3
Trusted Pools - Implementation
OpenStack App App
User specifies :: App App
Host App App
Mem > 2G agent
Disk > 50G OS OS
Hypervisor / tboot
GPGPU=Intel EC2 API
trusted_host=trusted Create VM HW/TXT
Tboot-
Scheduler Enabled
Create TrustedFilter
OSAPI
Query
Report
Attest
u t
rusted
ntrusted
Query API / Attestation
Server Host Agent API
QueryAPI Privacy OAT-
CA Based
Attestation Appraiser
Service
Whitelist API Whitelist
DB
4
Using Trusted Pools
Create a trusted flavor(instance type)
• Create a new flavor ‘’
• Add a ‘trusted_host=trusted’ property in flavor extra spec
Create a trusted instance
• Issue a request to start a new instance and specify a trusted
flavor like`‘
• The filter scheduler call the trusted filter for each node in the
system.
• The trusted filter query the attestation service to get the trust
level for each of those nodes.
• Only those nodes that have a trust level as ‘trusted’ will be
schedulable, all others will be ignored.
5
Agenda
Trusted Pools
• Concept
• Implementation & Usage
Trusted Launch with Trusted Boot (Tboot)
Remote Attestation with OpenAttestation (OAT)
More on Tr