[openstack-dev] [Ironic] firmware security

Devananda van der Veen devananda.vdv at gmail.com
Thu Dec 12 21:12:33 UTC 2013


On Thu, Dec 12, 2013 at 12:50 AM, Lu, Lianhao <lianhao.lu at intel.com> wrote:

> Hi Ironic folks,
>
> I remembered once seeing that ironic was calling for firmware security.
> Can anyone elaborate with a little bit details about what Ironic needs for
> this "firmware security"? I'm wondering if there are some existing
> technologies(e.g. TPM, TXT, etc) that can be used for this purpose.
>
> Best Regards,
> -Lianhao
>

Hi Lianhao,

The topic of firmware support in Ironic has lead to very interesting
discussions: questions about scope, multi-vendor support, and, invariably,
questions about how we might validate / ensure the integrity of existing
firmware or the firmware Ironic would be loading onto a machine. A proposal
was put forward at the last summit to add a generic mechanism for flashing
firmware, as part of a generic utility ramdisk. Other work is taking
priority this cycle, but here are the blueprints / discussion.
  https://blueprints.launchpad.net/ironic/+spec/firmware-update
  https://blueprints.launchpad.net/ironic/+spec/utility-ramdisk

To get back to your question about security, UEFI + hardware TPM is, as far
as I know, the commonly-acknowledged best approach today, even though it is
not necessarily available on all hardware. I believe Ironic will need to
support interacting with these both locally (eg, via CPU bus) and remotely
(eg, via vendor's OOB management controllers).

-Devananda
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131212/9f01647d/attachment.html>


More information about the OpenStack-dev mailing list