<div dir="ltr"><div>On Thu, Dec 12, 2013 at 12:50 AM, Lu, Lianhao <span dir="ltr"><<a href="mailto:lianhao.lu@intel.com" target="_blank">lianhao.lu@intel.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Ironic folks,<br>
<br>
I remembered once seeing that ironic was calling for firmware security. Can anyone elaborate with a little bit details about what Ironic needs for this "firmware security"? I'm wondering if there are some existing technologies(e.g. TPM, TXT, etc) that can be used for this purpose.<br>
<br>
Best Regards,<br>
-Lianhao<br></blockquote><div><br></div>Hi Lianhao,<div><br></div><div>The topic of firmware support in Ironic has lead to very interesting discussions: questions about scope, multi-vendor support, and, invariably, questions about how we might validate / ensure the integrity of existing firmware or the firmware Ironic would be loading onto a machine. A proposal was put forward at the last summit to add a generic mechanism for flashing firmware, as part of a generic utility ramdisk. Other work is taking priority this cycle, but here are the blueprints / discussion.</div>
<div> <a href="https://blueprints.launchpad.net/ironic/+spec/firmware-update">https://blueprints.launchpad.net/ironic/+spec/firmware-update</a></div><div> <a href="https://blueprints.launchpad.net/ironic/+spec/utility-ramdisk">https://blueprints.launchpad.net/ironic/+spec/utility-ramdisk</a></div>
<div><br></div><div>To get back to your question about security, UEFI + hardware TPM is, as far as I know, the commonly-acknowledged best approach today, even though it is not necessarily available on all hardware. I believe Ironic will need to support interacting with these both locally (eg, via CPU bus) and remotely (eg, via vendor's OOB management controllers).</div>
<div><br></div><div>-Devananda</div><div> </div></div></div></div>