Securing OpenStack with Intel Trusted Computing OpenStack Summit Atlanta 2014 12 May 2014 Christian Huebner Cloud Architect

Presentation transcript:

1 Securing OpenStack with Intel Trusted Computing
OpenStack Summit Atlanta 2014, 12 May 2014
Christian Huebner, Cloud Architect, chuebner@mirantis.com

2 Overview
Using established server protection to protect cloud infrastructure with existing tools

3 Section 1: The 10000 Foot View

4 The Challenge
- Cloud infrastructure is vulnerable
- Compromised cloud infrastructure not detectable from Guest OS
- Protect the infrastructure

5 Established Server Protection
Intel Trusted Computing (TXT)
- measures system components during boot: BIOS/UEFI, boot loader, OS startup
- stores metrics in hardware device (TPM)
- provides verification with a remote server

6 How Does This Apply To The Cloud?
- Cloud infrastructure consists of traditional bare-metal servers
- Servers can be secured with Intel TXT
- We need a mechanism to make the cloud TXT aware
- This mechanism exists today

7 Section 2: Technology

8 Intel Trusted Execution Technology (TXT)
Prerequisites
- Intel TXT capable CPU/chipset (most Xeon, i5/i7)
- TPM hardware module
- TPM capable BIOS/UEFI
- Trusted boot module (tboot)
- Optional: Trusted Grub

9 How does Intel TXT work?
Prerequisites
Boot sequence (example: tboot / Linux)
- BIOS, attested by hardware, loads (trusted) bootloader
- Bootloader loads tboot, which wraps around kernel
- Tboot loads kernel, initrd
- On legacy platforms SINIT module may be required
- SINIT functionality is part of BIOS on modern platforms

10 Intel TXT Metrics
Boot sequence (example: tboot / Linux)
Platform Control Registers (PCR)
- Contain metrics of all stages of trusted boot
- /sys/devices/pnp0/00:0a/pcrs provides PCR values of running system
- PCR values used for local verification and remote attestation
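The local verification step on this slide, as an added example that is not part of the original presentation: it parses text in the "PCR-NN: XX XX ..." layout of the TPM 1.2 sysfs pcrs file and reports which registers deviate from a known good set. The sample digests and the choice of PCRs 17 to 19 are constructed assumptions.

```python
import hmac
import re

# One line per register: "PCR-NN:" followed by 20 space-separated hex bytes (SHA-1).
PCR_LINE = re.compile(r"^PCR-(\d{2}):((?: [0-9A-Fa-f]{2}){20})\s*$")


def parse_pcrs(text):
    """Return {index: 20-byte digest}; reject anything that is not a PCR line."""
    pcrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PCR_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed PCR line: {line!r}")
        pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def verify(actual, known_good):
    """Return the sorted PCR indices that are missing or differ from known good."""
    bad = []
    for idx, expected in known_good.items():
        value = actual.get(idx)
        # A register absent from the reading counts as a failure, not a pass.
        if value is None or not hmac.compare_digest(value, expected):
            bad.append(idx)
    return sorted(bad)


def _line(idx, byte):
    # Constructed digest: one byte repeated 20 times, not a real measurement.
    return "PCR-%02d:" % idx + (" %02X" % byte) * 20


# Constructed sample reading and constructed known good values.
SAMPLE = "\n".join([_line(0, 0xA1), _line(17, 0xB2), _line(18, 0xC3), _line(19, 0xD4)])
KNOWN_GOOD = {17: bytes([0xB2]) * 20, 18: bytes([0xC3]) * 20, 19: bytes([0xD4]) * 20}

if __name__ == "__main__":
    print("deviating PCRs:", verify(parse_pcrs(SAMPLE), KNOWN_GOOD))
```

Remote attestation relies on a quote signed by the TPM rather than on this file, because a compromised kernel controls what the file shows.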

11 What is Attestation?
- "Good" TXT boot metrics transferred to attestation server after system build or change to boot environment
- Attestation server retrieves actual state from clients
- TXT aware software requests trust states of available servers from attestation server
- Attestation server informs software of trusted or unknown state of attested servers

12 OpenStack Compute Resources
How does Nova allocate resources?
- Nova schedulers
- FilterScheduler with TrustedFilter plugin
- TrustedFilter uses TXT attestation
- Nova flavors determine needed trust level (Trust_lvl)
- Instances with Trust_lvl=trusted only scheduled on trusted nodes

13 Attestation in OpenStack

14
- Attestation server has known good state for all clients
- Attestation server polls actual state from all clients (1)
- Attestation server compares states and builds pool of trusted nodes
- TrustedFilter has cache of trusted nodes that gets updated periodically from attestation server
- TrustedFilter selects node from trusted pool for launch

15 TrustedFilter Under The Microscope

16 TrustedFilter under the microscope
- class TrustedFilter(filters.BaseHostFilter):
  Base class of the filter, instantiates ComputeAttestation. host_passes method returns true or false for a specific host.
- class ComputeAttestation(object):
  Instantiates ComputeAttestationCache. is_trusted method returns true or false for host.
- class ComputeAttestationCache(object):
  Local cache of attestation results. Invalidated on timeout. If cache not valid, _update_cache is executed. Cache is updated with AttestationService.
- class AttestationService(object):
  Pieces together request URL for attestation and requests data from Attestation Server via HTTPS.
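A simplified model of the cache and filter decision described on slides 14 and 16, added here as an example; it is not Nova's code. The class AttestationCacheModel, the injected fetch callable and the 60 second timeout are hypothetical, and the model treats a failed attestation lookup as "nobody is trusted".

```python
import time


class AttestationCacheModel:
    """Caches per-host trust levels; the whole cache is refetched after `timeout`."""

    def __init__(self, fetch, timeout=60, clock=time.monotonic):
        self.fetch = fetch        # hypothetical callable: list of hosts -> {host: level}
        self.timeout = timeout    # assumed value, in seconds
        self.clock = clock
        self.levels = {}
        self.stamp = None

    def valid(self):
        return self.stamp is not None and self.clock() - self.stamp < self.timeout

    def update_cache(self, hosts):
        try:
            self.levels = dict(self.fetch(hosts))
        except Exception:
            self.levels = {}      # fail closed: no answer means no trusted hosts
        self.stamp = self.clock()

    def get_level(self, host, all_hosts):
        if not self.valid():
            self.update_cache(all_hosts)
        # A host the attestation server did not report on is "unknown".
        return self.levels.get(host, "unknown")


def host_passes(cache, host, all_hosts, extra_specs):
    """Filter decision: flavors without a trust requirement pass on any host."""
    wanted = extra_specs.get("trust:trusted_host")
    if wanted is None:
        return True
    return cache.get_level(host, all_hosts) == wanted


if __name__ == "__main__":
    state = {"node1": "trusted", "node2": "untrusted"}   # constructed pool
    cache = AttestationCacheModel(lambda hosts: {h: state.get(h, "unknown") for h in hosts})
    spec = {"trust:trusted_host": "trusted"}
    for node in ("node1", "node2", "node3"):
        print(node, host_passes(cache, node, list(state), spec))
```

The model makes the cache window visible: a host that loses its trusted state is still scheduled as trusted until the cache times out.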

17 Section 3: Practical Application

18 Practical application: Attestation Server
Attestation Server
- Can run on standalone server, VM, Controller
- Location depends on security requirements
- Needs: oat-appraiser package
- Firewall: Port 8443 traffic to all clients and OpenStack controllers
- Major dependencies: Apache2, Tomcat
- On RHEL/CentOS: EPEL repository required

19 Practical application: Trusted Host
TPM installation:
- Packages trousers, tpm-tools
- TPM and Intel TXT must be enabled in BIOS
- tpm_takeownership -z to set credentials
tboot installation:
- Use /boot/tboot.gz as wrapper, load kernel and initrd as modules for tboot.gz
- Modify grub to load tboot and load kernel and initrd from tboot as modules
- If BIOS does not include SINIT functionality, download and install SINIT from Intel

20 Practical application: Trusted Host cont'd
OAT installation
- OAT_client.sh and provisioner.sh scripts
- Transfer keys from attestation server to clients
- Add necessary entries to the TPM (Certificate, OEM, OS, PCR values)
- Transfer known good state to attestation server

21 Practical application: Controller(s)
Specify FilterScheduler and TrustedFilter in /etc/nova/nova.conf:
    …
    [DEFAULT]
    compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
    scheduler_available_filters=nova.scheduler.filters.all_filters
    scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter
    …

22 Practical application: Controller(s) cont'd
Configure TrustedFilter in /etc/nova/nova.conf:
    …
    [trusted_computing]
    server=
    port=8443
    server_ca_file=/etc/nova/
    api_url=/AttestationService/resources
    auth_blob=
    …

23 How to use OpenStack with TXT
Operation:
- Modify flavors to require trust:
    $ nova flavor-key myflavor set trust:trusted_host trusted
- Build instances with trusted flavors
- Trusted instances will only be scheduled on trusted nodes

24 Summary
- Intel TXT protects infrastructure
- Attestation allows centralized verification
- Nova uses attestation to get trusted pool
- Nova flavors set up to define trust level
- Nova only schedules trusted workload on hosts from trusted pool

25 Questions?
Recommended Reading:
- TXT: https://github.com/OpenAttestation/OpenAttestation/wiki/Fedora-oat-packages-installation
- tboot: https://fedoraproject.org/wiki/Tboot
- openstack: http://docs.openstack.org/grizzly/openstack-compute/admin/content/trusted-compute-pools.html

26 Thank you.
Christian Huebner | Cloud Architect, chuebner@mirantis.com

