Accelerate OpenStack* Together
* OpenStack is a registered trademark of the OpenStack Foundation
Where are your workloads running – Ensuring Boundary Control in OpenStack Cloud.
Raghu Yeluri
Principal Engineer, Datacenter and Cloud Products Group
Intel Corporation
Contents
• Trust and Boundary Requirements in the Cloud
• Solution: Geo-Tagging and Boundary Control with OpenStack*
• Looking ahead: Additional use-cases/solutions targeted for Kilo+ release
  - Geo-tagging for storage volumes
  - Tenant-controlled VM encryption/decryption
• Summary
• Q & A
Security Challenges in the Cloud
[Figure: Private Cloud DC and Public Cloud DC hosting workloads of Company A, Company B and Company C across Pool 1 … Pool n; labels: Visibility, Control, Enhance Audits, Compliance]
Challenge: Complying with “location-based” workload security and compliance requirements
• Data Privacy & National/Regional Regulations constrain workload movement
• Sensitive Data & Applications MUST remain Internal to Organizations
• Very Sensitive Data MUST remain on Specific Data Center Hardware or Security Zones.
Virtualization, Public and Private Cloud Agility adds to the Challenges:
• Virtual Servers are files that can be moved or copied and executed anywhere.
• Hybrid Clouds blur the boundary between what is “internal” and “external”.
Policy Challenges
To add to these challenges…
Requirement: Ensure that Virtual Workloads are placed, or migrated, based on location and assurance of hardware platform
Policy Requirements:
• Run only on Internal Enterprise Network – not in the public cloud
• Run in the correct geography or datacenter
• Run on hardware in a particular Security Zone, or Assurance Level
Technical Need: How do you provide Trusted Geo-location/Asset-location in Virtualization and Cloud Environment to meet these Policy Requirements?
Intel TXT provides integrity assurance for x86 server hardware, and the software stack above
• Root of Trust is Intel Xeon processors & motherboard chipsets
• Measured Boot + Attestation extends the chain of Trust to OS/VMM.
  – Chain of Trust: H/W -> FW -> BIOS -> OS/VMM
• Leverages TPM for secure storage and TXT Measured Boot + Attestation for Trusted Geo/Asset-location (Geo/Asset-tagging)
Intel Trusted Execution Technology (TXT)-based H/W Provides a Strong Foundation for Platform Security & Trusted Geo/Asset-location
[Figure: Intel® TXT Hardware Solution Components – Intel® 5500/5520 Chipset, TPM, Flash BIOS; caption: A trusted execution platform for sensitive apps and data]
What is Asset Tag?
Geo/Asset-tagging - Enabling Boundary Control
• Geo/Asset descriptor (asset-tag) stored in the TPM of the Server.
• Used to control placement & migration of workloads
• Broad support across bare metal OS and hypervisors (ESX, XenServer, Xen, KVM).
[Figure: Asset Certificate = Asset Tag (TAG) + UUID of Host + Digital Signature; its SHA-1/SHA-2 hash is stored at the TPM NVRAM Index]
• NV Index used: index 0x40000010
• Size of Index: TPM 1.2: 20 Bytes; TPM 2.0 (future): 32 Bytes (for SHA-256) and 64 Bytes (for SHA-512)
• Data Format: 20 Bytes of Binary data
• An Asset Tag used with Geo-Location attributes is a Geo-Tag
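How the value written to the NV index relates to the asset certificate, as an added example (this is not Intel's Mt. Wilson code; the certificate layout, the attribute names, the constructed host UUID and the HMAC used in place of the certificate's real digital signature are assumptions of the example). The certificate carrying the host UUID and the selected tag attributes is digested with SHA-1 for a TPM 1.2 index or SHA-256/SHA-512 for a TPM 2.0 index, and the attestation side accepts a tag only when the NV contents equal the digest of a certificate whose signature verifies:

```python
"""Asset-tag construction and verification (added example, not Mt. Wilson code)."""
import hashlib
import hmac
import json
import uuid

NV_INDEX = 0x40000010                                      # NV index named on the slide
DIGEST_SIZES = {"sha1": 20, "sha256": 32, "sha512": 64}    # TPM 1.2 / TPM 2.0 index sizes

# Constructed key of the tag-provisioning service; stand-in for its signing key.
PROVISIONING_KEY = b"example-provisioning-key"


def build_asset_certificate(host_uuid, attributes, key=PROVISIONING_KEY):
    """Return (cert_bytes, signature) binding a host UUID to its selected tag attributes.
    Assumed layout: canonical JSON; signature is an HMAC stand-in for a real signature."""
    body = {"host_uuid": str(host_uuid), "attributes": sorted(attributes.items())}
    cert = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, cert, hashlib.sha256).hexdigest()
    return cert, sig


def asset_tag(cert, algorithm="sha1"):
    """Digest of the certificate: the value provisioned into the TPM NV index.
    The digest size must equal the NV index size for the chosen TPM generation."""
    tag = hashlib.new(algorithm, cert).digest()
    assert len(tag) == DIGEST_SIZES[algorithm]
    return tag


def verify_tag(nv_value, cert, sig, key=PROVISIONING_KEY, algorithm="sha1"):
    """Attestation-side check: the quoted NV contents must equal the digest of a
    certificate whose signature verifies. Returns the tag attributes, or None."""
    expected = hmac.new(key, cert, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                                # forged or altered certificate
    if not hmac.compare_digest(nv_value, asset_tag(cert, algorithm)):
        return None                                # NV index does not hold this tag
    return dict(json.loads(cert)["attributes"])


def demo():
    """Provision a constructed host and check a good and a bad NV value."""
    host = uuid.UUID("12345678-1234-5678-1234-567812345678")   # constructed host UUID
    attrs = {"country": "France", "state": "Ile-de-France", "zone": "Finance"}
    cert, sig = build_asset_certificate(host, attrs)
    tag = asset_tag(cert)                          # 20 bytes for a TPM 1.2 index
    return verify_tag(tag, cert, sig), verify_tag(b"\x00" * 20, cert, sig)


if __name__ == "__main__":
    print(demo())
```

Because only the digest lives in the TPM, the attestation authority must keep the signed certificate itself (the "Attestation Store" on the later component slide) to recover the geo attributes; a quote alone reveals the 20-byte value and nothing more.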
VM Boundary Control With OpenStack* - How it works
[Figure: components – Nova (API Server, scheduler with TrustedFilter and new LocationFilter), Glance, Attestation Authority, target servers for Workload A with its Launch Policy; flow labels: 0 OOB: Provision Geo-Tag on to Server TPMs; 1 Upload Workload A to Glance with Launch Policy; 2 Launch VM A; steps 3–6: Request Location Attestation, Challenge to the servers, Attestation Report (“Trust Verified. Geo=France”), Workload A launched with appropriate policy]
Geo-Tag extensions in OpenStack
[Figure: Horizon (dashboard) with Geo-tag Selection UI; Glance (Image Store + Registry) holding VM Policies as Image Properties; Nova with new LocationFilter; Attestation Service; Tag Provisioning Service; hosts running OS/VMM on TXT+TPM, hosting Guest VMs (workloads) from a Disk Image; End Users (accessing guest VM). Legend: OpenStack Extensions vs. Intel/ISV provided components]
Targeting Kilo release; Downloadable scripts in Q4 for Icehouse & Juno
Blueprints:
https://blueprints.launchpad.net/nova/+spec/nova-trusted-geo-asset-tag
https://blueprints.launchpad.net/horizon/+spec/trust-n-geo-display
https://wiki.openstack.org/wiki/Trusted-Location-Control
Geo-Tagging Flow in OpenStack - 1
[Flow: 1 Tag Definition & Selection → 2 Tag Provisioning to Servers → 3 VM Policy Creation → 4 Orchestration & VM Launch → 5 Dashboard]
Step 1: Defining and Selecting of Geo/Asset Tags
- Tags can be logical or physical geo information, and/or business functions (Finance, Benefits, Inv Banking, etc.)
- Uses Tag Mgmt APIs.
- Tags that will be Provisioned to a Server.
Geo-Tagging Flow in OpenStack - 2
Step 2: Provision Selected Tag(s) from Step 1 onto the server. Mt. Wilson Provisioning Tool & Provisioning APIs to Provision TPMs on the hosts.
1. Select the Host to Provision
2. Select the Tags and Provision the Server TPMs
Geo-Tagging Flow in OpenStack - 3
Step 3: Create VM Policies.
1) Policies are associated with VM Images as “Properties” in Glance.
2) Horizon Extended to select “Geo-location” Policies.
Two Policies for this Image: 1. Trust 2. Geo-Location
Geo-Tagging Flow in OpenStack - 4
Step 4: Determine best Server to meet VM Trust and Geo-Location Policy. Launch VM instance of specific Flavor.
- OpenStack Scheduler Extended with Asset/Geo-Tag Filter.
- New Filter invokes Mt. Wilson Geo-Tag Attestation APIs to determine best Server to meet VM Policies.
VM Instance created by OpenStack Scheduler by finding the best Server matching the VM Policy to the Geo-Tag on the Server
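The filtering step described in Step 4, as an added example (not the upstream Nova filter or the Mt. Wilson API; the report shape returned by the attestation authority, the Glance property names 'trust' and 'geo_policy', and the host names and reports are constructed for the example). It goes a little beyond the slide: the same predicate applies unchanged to the Cinder scheduler's volume-create filtering, since both cases only compare an image or volume policy against the attested tag of a node:

```python
"""Trusted and Location filters for a filter scheduler (added example, not Nova code)."""

# Constructed attestation reports, keyed by host: what the attestation
# authority would return for each challenged server.
ATTESTATION_REPORTS = {
    "compute-paris-1":  {"trusted": True,  "geo": {"country": "France",  "zone": "Finance"}},
    "compute-paris-2":  {"trusted": False, "geo": {"country": "France",  "zone": "Finance"}},
    "compute-dublin-1": {"trusted": True,  "geo": {"country": "Ireland", "zone": "Finance"}},
    "compute-legacy":   None,                      # no TPM, never attested
}


def get_attestation_report(host):
    """Stand-in for the attestation authority's geo-tag attestation API (assumed shape)."""
    return ATTESTATION_REPORTS.get(host)


def trusted_filter(host, image_properties):
    """TrustedFilter: if the image demands trust, the host must attest as trusted."""
    if image_properties.get("trust") != "trusted":
        return True                                # no trust policy on this image
    report = get_attestation_report(host)
    return bool(report and report["trusted"])


def location_filter(host, image_properties):
    """LocationFilter: every attribute in the geo policy must match the host's
    attested geo-tag. A host with no report never satisfies a geo policy."""
    policy = image_properties.get("geo_policy")
    if not policy:
        return True                                # no location policy on this image
    report = get_attestation_report(host)
    if report is None:
        return False
    return all(report["geo"].get(k) == v for k, v in policy.items())


FILTERS = (trusted_filter, location_filter)


def schedule(hosts, image_properties):
    """Hosts that pass every filter, in scheduler order; the weigher picks among them."""
    return [h for h in hosts if all(f(h, image_properties) for f in FILTERS)]


if __name__ == "__main__":
    policy = {"trust": "trusted", "geo_policy": {"country": "France"}}
    print(schedule(list(ATTESTATION_REPORTS), policy))
```

Note that an image without a geo policy still lands on untagged hosts; the filter only constrains workloads that carry a policy, which matches the "Trust" and "Geo-Location" properties being optional per image in Step 3.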
Geo-Tagging Flow in OpenStack - 5 (Dashboard)
Looking Ahead
1. Use-case 1: Extending Geo-Tagging/Location Control for Storage Volumes
2. Use-case 2: Tenant-controlled encryption and decryption, based on Location and Trust Policies.
Use-case #1: Extending Geo-Tagging/Location Control for Volumes
Current Implementation: Geo-tagging/location policies defined and enforced at the VM level.
[Figure: Cloud Controller, Cinder (Create/attach Storage volumes), Attestation Authority (“Trust Verified. Geo = France”), VM1 and VM2 launched]
Scenario 1: Two VMs. VM1 – no attached storage; VM2 – local attached storage.
VM1 and VM2 (with local storage) launched. VM policies enforced on Storage.
Scenario 2: Two VMs. VM1 – no attached storage; VM2 – External/Shared Storage Volume attached to VM2.
VM1 and VM2 launched per Policy. VM Policy not enforced on Storage. Location Policy violation!!!
OpenStack Extensions: Location Policy Enforcement on storage volumes
• Extend VM Location Policy Control to Cinder volumes
• Leverage Intel TXT Measured Boot, Remote Attestation and Geo-Tag Provisioning for Location Compliance of Cinder Volumes. Applies to x86-based External/Shared Storage; not yet for SAN/NAS storage.
• New Location filter in Cinder scheduler – Location Policy Compliance during “Volume Create”
• Location Policy compatibility verified during “Volume Attach” – in the ‘Check Attach’ code of the Nova API: VM Location Policy == Volume Location Policy
• Exploring ways to enforce Location Policy for Volume Migration and Backups (for Swift: Storage Policies)
[Figure: Cinder architecture – Cinder Client → REST → Cinder API; AMQP to Cinder Scheduler (with new LocationFilter), Cinder Volume driver and Cinder backup; SQL DB; Storage (DAS, Scale Out, NAS, SAN)]
Creating a new Volume with Geo-tag Policy
1) Policy is selected for Volume creation. You can select up to 5 policies from the Horizon extensions.
2) Create Volume – invokes “CinderLocationFilter”. Verifies Policy against Server (cinder node) Geo-tag.
Volumes with Trust and Geo-Tag
Attach Volume to a VM instance
1) VM Policy == Volume Policy
2) Attach Volume: Verifies Volume Geo-Tag against the VM Geo-Tag Policy for Compatibility.
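The attach-time check from the two steps above, as an added example (not the Nova API 'Check Attach' code; the VM and volume records, their field names and the backend labels 'local' and 'external' are constructed for the example). It applies the rule VM Policy == Volume Policy, then verifies the geo-tag of wherever the volume's data actually lives: for local storage that is the VM's own host, for an external/shared volume it is the Cinder node's attested tag, which is exactly what Scenario 2 above was missing:

```python
"""Attach-time location policy check (added example, not Nova's check-attach code)."""


class LocationPolicyViolation(Exception):
    """Raised when attaching the volume would violate the VM's location policy."""


def policies_equal(vm_policy, volume_policy):
    """The rule on the slide: VM Location Policy == Volume Location Policy."""
    return dict(vm_policy or {}) == dict(volume_policy or {})


def tag_satisfies(geo_tag, policy):
    """Every attribute required by the policy is present, with the same value, in the tag."""
    return all((geo_tag or {}).get(k) == v for k, v in (policy or {}).items())


def check_attach(vm, volume):
    """Raise LocationPolicyViolation unless the volume may be attached to the VM."""
    if not policies_equal(vm["geo_policy"], volume["geo_policy"]):
        raise LocationPolicyViolation(
            f"policy mismatch: VM {vm['geo_policy']} vs volume {volume['geo_policy']}")
    # Where does the volume's data live? Local disks share the VM host's tag;
    # external/shared volumes carry the attested tag of their Cinder node.
    tag = vm["host_geo_tag"] if volume["backend"] == "local" else volume["node_geo_tag"]
    if not tag_satisfies(tag, vm["geo_policy"]):
        raise LocationPolicyViolation(
            f"volume on node tagged {tag} violates VM policy {vm['geo_policy']}")
    return True


def attach_result(vm, volume):
    """Convenience wrapper returning 'attached' or 'denied: <reason>'."""
    try:
        check_attach(vm, volume)
        return "attached"
    except LocationPolicyViolation as exc:
        return f"denied: {exc}"


# Constructed sample records covering both scenarios on the slide.
VM2 = {"name": "VM2", "geo_policy": {"country": "France"},
       "host_geo_tag": {"country": "France", "zone": "Finance"}}
LOCAL_VOLUME = {"backend": "local", "geo_policy": {"country": "France"}, "node_geo_tag": None}
SHARED_VOLUME_FR = {"backend": "external", "geo_policy": {"country": "France"},
                    "node_geo_tag": {"country": "France"}}
SHARED_VOLUME_IE = {"backend": "external", "geo_policy": {"country": "France"},
                    "node_geo_tag": {"country": "Ireland"}}   # the Scenario 2 violation
UNTAGGED_VOLUME = {"backend": "external", "geo_policy": None, "node_geo_tag": {}}

if __name__ == "__main__":
    for vol in (LOCAL_VOLUME, SHARED_VOLUME_FR, SHARED_VOLUME_IE, UNTAGGED_VOLUME):
        print(vol["backend"], attach_result(VM2, vol))
```

With the CinderLocationFilter in place a volume like SHARED_VOLUME_IE would not be created under a France policy in the first place; the attach check still matters for volumes created before the filter existed or retyped afterwards.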
Use-case 2: Tenant-Controlled VM encryption and decryption based on Location and Trust.
Goals:
• VMs and data are encrypted at all times – at-rest, in-transit, and up until execution.
• Only allow virtual servers & data to be decrypted on trusted hardware in a particular location
• Sensitive virtual server storage volumes are prevented from being decrypted on servers not in approved locations
[Figure: Enterprise Private Cloud and Public Cloud; caption: Virtual server data only decrypted on approved servers in specified locations]
Demonstration at the Intel booth.
Tenant Controlled VM Protection in OpenStack - Architecture
[Figure spanning Enterprise Data Center and Cloud Service Provider: Trust Director (Gold VM Images, Symmetric Key Generation, Encrypted VM/Image, PUT-VM Blob), KMS [Barbican & Policy Engine] with Key Store and Policy Plugin, Attestation Authority, Horizon, Glance, Cloud Controller, Nova compute, Proxy. Numbered flow labels: Launch VM, Attestation, GetDecryptionKey (KID, AIK), Decrypt & Launch]
Blueprint later this year. Targeting ‘L’ release
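The GetDecryptionKey (KID, AIK) exchange in the architecture above, as an added example (not Barbican, the Trust Director or Intel's policy plugin; the report format, the key-policy format, the host names and AIK secrets are constructed, the AIK signature is an HMAC stand-in, and the cipher is a toy HMAC-SHA256 keystream standing in for the real symmetric cipher so that the example runs on the standard library alone). The point it shows is the control flow: the tenant encrypts the gold image and registers the key together with a trust/location policy; the KMS releases that key only to a host whose attestation report verifies under its enrolled AIK and satisfies the policy, so an untrusted or wrongly located host receives nothing to decrypt with:

```python
"""Policy-gated key release for encrypted VM images (added example, not Barbican code)."""
import hashlib
import hmac
import json
import os

# Constructed: AIK secret of the single enrolled host, as known to the attestation authority.
AIK_REGISTRY = {"compute-paris-1": b"example-aik-secret"}


def sign_report(host, report):
    """Host side: attestation report 'signed' with the host's AIK (HMAC stand-in)."""
    body = json.dumps(report, sort_keys=True).encode()
    return body, hmac.new(AIK_REGISTRY[host], body, hashlib.sha256).digest()


def verify_report(host, body, sig):
    """Attestation authority: accept the report only under the host's enrolled AIK."""
    key = AIK_REGISTRY.get(host)
    if key is None or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None
    return json.loads(body)


def keystream_xor(key, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream per 32-byte block.
    Symmetric, so the same call encrypts and decrypts. Stand-in, not for production."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class KMS:
    """Key Store plus Policy Engine: a key is released only to a host whose
    verified report is trusted and matches the tenant's location policy."""

    def __init__(self):
        self.keys = {}                                 # kid -> (key, policy)

    def register(self, kid, key, policy):
        self.keys[kid] = (key, policy)

    def get_decryption_key(self, kid, host, body, sig):
        key, policy = self.keys[kid]
        report = verify_report(host, body, sig)
        if report is None or not report.get("trusted"):
            return None                                # unverifiable or untrusted host
        if any(report.get("geo", {}).get(k) != v for k, v in policy["geo"].items()):
            return None                                # wrong location for this key
        return key


def tenant_encrypt_image(kms, kid, image, policy):
    """Trust Director side: generate a key, encrypt the gold image, store key + policy."""
    key = os.urandom(32)
    kms.register(kid, key, policy)
    return keystream_xor(key, image)                   # the PUT-VM blob for Glance


def launch(kms, kid, host, report, blob):
    """Nova compute side: attest, request the key, decrypt; None if the KMS refuses."""
    body, sig = sign_report(host, report)
    key = kms.get_decryption_key(kid, host, body, sig)
    return None if key is None else keystream_xor(key, blob)


if __name__ == "__main__":
    kms = KMS()
    blob = tenant_encrypt_image(kms, "kid-1", b"gold image bytes", {"geo": {"country": "France"}})
    print(launch(kms, "kid-1", "compute-paris-1", {"trusted": True, "geo": {"country": "France"}}, blob))
```

The decision stays with the tenant's KMS rather than with the cloud provider's scheduler: even if a VM is placed wrongly, the blob in Glance remains ciphertext unless a verified report from an approved location is presented.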
Summary
• Location-based policies to meet the most stringent security and compliance requirements.
• Tied to Intel TXT and TPM for reliable attestation of platform integrity and location attributes.
• OpenStack Extensions for Geo-Tagging are available for Icehouse & above. Targeting Kilo release for upstream.
  Blueprints: https://blueprints.launchpad.net/nova/+spec/nova-trusted-geo-asset-tag
• Looking ahead: Boundary Control for Cinder volumes on x86-based Storage.
• Looking ahead: Tenant-controlled VM encryption and decryption based on Location and Trust; Demonstration at Intel Booth. Targeting ‘L’ release.
Intel Confidential — Do Not Forward
Geo-Tagging Provisioning and Management Architecture
Asset-Tag Provisioning & Management Service
[Figure: Tag Mgmt. Server (TAG API, TAG DB, whitelists, TAG MGMT TOOL*) fed by an External Tag Source (Coordinates, Place names, Country/State DB, Geo-Location System); Tag Provisioning Server (Provisioning API, TAG PROV TOOL*, TAG DB) sending Tag Selections to the Provisioning Agent on each TXT Node/Host (TPM, MTW Trust Agent); Attestation Authority receiving Quote and Geo-Tag from hosts and serving Request Attestation from Orchestration, Policy Tools; Asset Tag whitelists, Revoke; Geo Tag Invalidation Plugin* with Monitoring Service [Nagios] driving Asset-Tag Invalidation]
Trusted Pools - Summary
• Establish and propagate a new security control attribute – “Platform Trust”
  - Aggregate Trusted systems and Segregate them from untrusted resources
• Run sensitive workloads only on Trusted Servers (Policy Control)
• Tenant Visibility to remote platform status “Platform Trust”
• Enable automated monitoring of Trust based policies
• Platform Trust input to audit logs and compliance reporting
• Additional Controls: Geotag/Asset-Tags, VM payload en/decryption & Trusted VMs
[Figure: Cloud Tenant (APP) and Cloud Provider exchanging a trust Report]
Intel® Trusted Execution Technology + Remote Attestation are the basis for achieving Platform Trust
Virtual Workload and Location Policies
1. VM with no attached storage (Host)
2. VM using local attached storage (disks presented from the same physical host the VM runs on) (Host)
3. VM running an application that queries an external source (remote database connection, HTTP, etc.) (Host + Remote Host + Storage)
4. VM using attached external/shared storage (SAN, vSAN, NFS, Scale Out Storage, DAS, etc.) (Host + SAN/NFS/NAS/Software Defined Storage, Attached Volumes)
VM Boundary Control with OpenStack* - Solution Components
[Figure: TAG + Host UUID + Sign. → Asset Certificate → Hash → TPM Store Asset Tag; VM Geo policy in OpenStack Glance attributes → OpenStack NOVA scheduler → Attestation Store (Extract) → Verify Trust, Geo (Filter) → Launch VM on Trusted, Geo-verified server; TXT Server attest]
1. Enable Provisioning of geo-tags to Hosts
2. Add Asset/Location Filter to FilterScheduler
3. Enhance Attestation Server to attest Geo-Tags
4. Specify Geo Policies for VMs via Glance Registry
5. Enhance Horizon to show Location/Trust attributes