The OpenAttestation (OAT) Project
By GangWei, senior software engineer in CSD’s Cloud and Virtualization team\
Remote attestation services, based on open source, are critical for implementing security solutions in the cloud.
Security is a major concern impeding cloud adoption, so, to ease concerns, Intel created three important use models, based on Intel® Trusted Execution Technology (TXT): trusted launch, trusted compute pools, and compliance support. One important component was missing before these use models could be widely implemented in the open source cloud environment: an open source remote attestation service.
OpenAttestation(OAT) project was created in 2010, with the mission to provide an SDK to build a remote attestation service for cloud security use models implemented by ISVs, managing host integrity verification through the TCG-defined remote attestation protocol. After a formal open source launch in early 2012, OAT (v1.6.0 and v2.x) moved forward to become a top vehicle driving Intel TXT into cloud environments.
Remote attestation is a process to check whether a platform is launched with known-good firmware and software components. We can simply represent it with:
$ diff launch_values known_good_values
Remote attestation is a core component of the TXT solution. It communicates the trustworthiness of an entity to users and provides desired visibility and auditability.
Remote attestation helps:
- Enforce detection of launch components to reduce malware threats
- Control VMs, based on platform trust (and other attributes), to better protect data
- Provide hardware support for compliance and auditability
Here’s the remote attestation flow:
OAT is easy to deploy and use:
- Install the OAT based attestation service on a server
- Enable TPM and TXT in the BIOS on hosts
- Install tboot and enable measured launch on hosts
- Install host agent on hosts, then provision and register it into the attestation service
- Configure the attestation service and provision the white list
- Configure management tools for access to the attestation service
After OAT is deployed, a user can start to query the trustworthiness of hosts.
Trusted Compute Pools (TCP)
Trusted compute pools are collections of computing platforms that have been verified to be trustworthy because the launch process has been measured and verified. Intel TXT and OAT verify trust status. Whether a platform is in a public cloud or in your own data center, it is considered trustworthy because the integrity of the pre-operating system launch components has been verified. By definition, trusted compute pools can only include systems with launch stacks that have not been compromised.
No security measure can guarantee complete protection from determined attackers. However, you can significantly increase your level of confidence if you can be assured that critical elements of the launch environment—such as the firmware, the BIOS, and the hypervisor—have not been tampered with. These elements execute before the operating system and its anti-malware drivers load, so without integrity verification they would be a blind spot in your view of the enterprise security landscape. In a cloud environment, where computing and storage assets are managed as flexible pools, the state of these critical elements would be even more opaque.
This trustworthiness is established through a measured launch environment (MLE) and an attestation procedure that compares signatures from a host’s boot process with signatures that are known to be valid. If the boot process contains unknown elements, or known elements behave uncharacteristically, the host is marked as untrusted and is not included in a trusted compute pool. This approach strengthens protection against attacks that target lower levels of the launch environment, including the BIOS and the hypervisor.
Trusted compute pools provide additional benefits:
- They improve security for virtualized data centers and cloud environments because the environment controller isolates platforms with unknown elements or elements that have unexpected traits
- They support compliance by design by providing verifiable audit trails of a sensitive workload’s execution environment
- They enhance operational agility when combined with intelligent management software that can automate workload assignment
OAT has become a major force in driving Intel TXT into cloud environments. We have implemented the trusted compute pools feature for both OpenStack and oVirt projects through integrations with OAT.
In OpenStack, a new component named TrustedFilter was added into Nova scheduler to let trusted hosts via communication communicate with the OAT based attestation service, so a user could create a VM that runs only on trusted hosts. This was done in the OpenStack Folsom release and was enhanced in the Grizzly release. The TCP feature is already in the Ubuntu Cloud archive, and is in the process of being added to Red Hat OpenStack (RHOS) and SUSE Cloud.
In oVirt, a new property, TrustedService, was added into the Cluster entity, so it is possible to create trusted clusters. Only trusted hosts, with trustworthiness verified through communication with the OAT based attestation service, can be added to trusted clusters. This was done in oVirt 3.3, and was added to the Red Hat Enterprise Virtualization (RHEV) product line.
OAT itself has been packaged for Ubuntu in the canonical partner repository, and has been packaged for Fedora in Fedora 19. We have side repository for RHEL and in process of doing the same thing for SUSE.
We will continue the enabling efforts to package OAT 2.x for RHEL, SUSE and Ubuntu to facilitate easier deployment of the RHOS/SUSE Cloud/Ubuntu Cloud with the TCP feature.
In OAT 2.x, we will add geo-tagging support and TPM 2.0 support to enable upgraded TXT features for Grantley and future Intel platforms.
 "Creating Trust in the Cloud" a joint trusted compute pools white paper by Intel and Ubuntu.