[Cryptography] TPM and SHA-1
Jeremy Stanley
fungi at yuggoth.org
Fri Mar 3 14:56:04 EST 2017
On 2017-03-03 15:55:07 +0000 (+0000), Darren Moffat wrote:
[...]
> There have been some talks at the OpenStack conferences by people from HP
> and Intel about using TPM attestation of a hypervisor host as part of the
> VM placement criteria that Nova uses when scheduling where a VM is started
> or moved to.
>
> I have no idea if anyone is using that in production though.
It's a good question. The upstream OpenStack Administrator Guide
covers that feature at
https://docs.openstack.org/admin-guide/compute-security.html#trusted-compute-pools
which goes into a fair amount of detail, though the service
documentation at
https://docs.openstack.org/developer/nova/filter_scheduler.html
currently lists the TrustedFilter as "experimental" so YMMV (the
developer community is typically pretty conservative about not
calling a feature production-ready until they're very comfortable
it's working and stable). There was also some discussion of
shortcomings and possible deprecation a couple years ago which can
be found at
http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html
and https://wiki.openstack.org/wiki/OSSN/OSSN-0059 if you're
interested.
I don't think the periodic OpenStack User Surveys ask any questions
about deployments using trusted compute pools, but I'll suggest it.
I do at least see Red Hat's documentation mentioning the possibility
under "Host Aggregates and Availability Zones" at
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html-single/architecture_guide/#comp-compute
so maybe some of their customers are doing it. There's also an Intel
glossy at
http://www.intel.com.au/content/dam/www/public/us/en/documents/technology-briefs/trusted-execution-technology-trusted-compute-pools.pdf
with some more markety diagrams/bullets about how it works.
--
Jeremy Stanley
More information about the cryptography
mailing list