Video recording and post production done by OpenStack Foundation.
You are a cloud user who wants bare metal for performance forging the security benefits of virtualization. All the OpenStack services, such as, Nova, Keystone, and Glance, all run on bare metal. At launch time, can we trust that they are free of malware?
Ironic in OpenStack provides support for flashing machines using network boot, PXE/iPXE. We propose modifying Ironic for trusted boot by using a two phase measured launch approach. In Phase 1, measure the Ironic boot loader, and in Phase 2, measure the Glance image we seek to install on the machine. Glance images could carry expected hash values.
The solution described relies on tboot, an open source trusted boot loader, OAT, an open source remote attestation service, Intel TXT technology, and a trusted platform module (TPM). We round out the talk with a demo illustrating trusted boot.
Contributors: Tan Lin (Intel), Gang Wei (Intel), and Devananda van der Veen (HP)