<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin-top:0in;
        margin-right:0in;
        margin-bottom:9.6pt;
        margin-left:0in;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Courier New";}
span.EmailStyle19
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN style='font-family:"Arial","sans-serif";color:#333333'>The Trusted Computing Pool blueprint was proposed and discussed at the Design Summit in April 2011 <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'><a href="http://etherpad.openstack.org/trusted-computing-pools">http://etherpad.openstack.org/trusted-computing-pools</a><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Project goal: <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN style='font-family:"Arial","sans-serif";color:#333333'>Enable OpenStack with a trusted computing pool capability.  Through this capability, the OpenStack scheduler can verify that a target compute node is indeed booted with the expected hypervisor before dispatching instances to the node.  <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN style='font-family:"Arial","sans-serif";color:#333333'><o:p> </o:p></span></p><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Background of Trusted computing pool –<o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Intel Trusted Execution Technology (TXT) <a href="http://www.intel.com/technology/security/">http://www.intel.com/technology/security/</a> provides a platform Root of Trust to verify that a platform is booted with the expected hypervisor by measuring its hash during platform boot.  
We have also already enabled Intel TXT technology in Xen/KVM/VMware<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>The following describes the flow and highlights the usage model -<o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>1. A target compute node with Intel TXT hardware is booted with TXT enabled - the hypervisor is measured by TXT during boot, and the measurement value is hashed into TPM hardware registers per <a href="http://www.trustedcomputinggroup.org/developers/">http://www.trustedcomputinggroup.org/developers/</a><o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>2. A standalone Attestation Server challenges target hosts at run time to retrieve their TPM registers <o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>3. The Attestation Server verifies the retrieved registers against a known-good hash database set up in advance by the administrator, to decide whether the target node is trustworthy, i.e. indeed booted with the expected hypervisor<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>The Standalone Attestation Server 1) is hosted by the cloud provider, 2) exports a RESTful query API for the admin to verify target compute node(s).  
3) The server verifies target compute nodes by hostname, by requesting their measurement registers <o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>We are currently working on the attestation software stack, which will also be open sourced<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p> </o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Approach to supporting OpenStack -<o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>1. Derive flavor Host_filter drivers from zone_aware_scheduler to support an API interface to the Attestation Server<o:p></o:p></span></pre><pre style='margin-left:.5in;line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>2. The filter driver invokes Query(HostName) through the 
Attestation Server to verify the compute node’s trustworthiness if the instance(s) specify a trusted compute node through the flavor; it drops the node from the candidate list if it fails the verification<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Through this capability, a cloud provider can build a trusted computing pool and provide a premier service.<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p> </o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Feedback and comments are welcome,<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>Thanks,<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'>-Fred<o:p></o:p></span></pre><pre style='line-height:13.5pt'><span lang=EN style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p> </o:p></span></pre><p class=MsoNormal><span lang=EN style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div></body></html>
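Added example, not part of the original message or of the project's code: a minimal Python model of the flow described above (measure the hypervisor into a PCR, attest against a known-good database, filter scheduler candidates). All names (`pcr_extend`, `AttestationServer`, `trusted_host_filter`) and the sample hosts are hypothetical, and the signed, nonce-bound TPM quote of a real challenge is replaced here by a plain lookup.

```python
import hashlib


def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM 1.2-style extend: new PCR = SHA-1(old PCR || SHA-1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(measured).digest()).digest()


def boot_and_measure(hypervisor_image: bytes) -> bytes:
    """Step 1: measured launch folds the hypervisor hash into a zeroed PCR."""
    return pcr_extend(b"\x00" * 20, hypervisor_image)


class AttestationServer:
    """Hypothetical stand-in for the standalone server (steps 2 and 3)."""

    def __init__(self, known_good, read_pcr):
        self.known_good = known_good  # admin-provisioned set of good PCR values
        self.read_pcr = read_pcr      # callable hostname -> PCR bytes (the challenge)

    def query(self, hostname: str) -> bool:
        try:
            value = self.read_pcr(hostname)
        except (KeyError, OSError):
            return False              # unknown or unreachable host: fail closed
        return value in self.known_good


def trusted_host_filter(hosts, flavor, attestation):
    """Scheduler-side filter: attest only when the flavor asks for a trusted node."""
    if not flavor.get("trusted"):
        return list(hosts)
    return [h for h in hosts if attestation.query(h)]


# Constructed sample data: one good node, one modified node, one that never reports.
GOOD_HYPERVISOR = b"xen-expected-build"
NODE_PCRS = {
    "node-a": boot_and_measure(GOOD_HYPERVISOR),
    "node-b": boot_and_measure(b"xen-modified-build"),
}
SERVER = AttestationServer({boot_and_measure(GOOD_HYPERVISOR)}, NODE_PCRS.__getitem__)
CANDIDATES = ["node-a", "node-b", "node-c"]

if __name__ == "__main__":
    print(trusted_host_filter(CANDIDATES, {"trusted": True}, SERVER))
    print(trusted_host_filter(CANDIDATES, {"trusted": False}, SERVER))
```

Failing closed in `query` matters: a node that cannot be attested is treated the same as one that attests to an unexpected hypervisor, so it never enters the trusted pool.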