[Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host
Nathan Reller
rellerreller at yahoo.com
Mon Jun 8 13:54:10 UTC 2015
Can you confirm that the hashes have changed? If you make the boot order
change you mentioned above and try to launch a trusted VM does that
result in a failure to launch? I'm trying to confirm that this actual
results in different hash and that PCR is checked against.
Does Trusted Pools do a re-check on machine reboot or is it only invoked
with the scheduler?
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1456228
Title:
Trusted vm can be powered on untrusted host
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
This is related to the trusted compute.
I recently setup trusted compute pool in my company and have observed
that although new trusted vm is not able to be launched from an
untrusted host, but if an trusted vm that have launched earlier on a
trusted host which is compromised later on, that VM can still be
powered on.
1. Exact version of Nova/Openstack:
[root at grunt2 ~]# rpm -qa | grep nova
python-nova-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch
python-novaclient-2.17.0-2.fc21.noarch
openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch
openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch
2. Relevant log files:
this is not a error, don't think logs will help..
3. Reproduce steps:
* create trusted compute pool with only one compute node
* create an trusted VM on that compute node
* compromise the trusted compute node by changing the boot order
* power on the trusted Vm created earlier.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions
More information about the Openstack-security
mailing list