Security in the Cloud: OpenAttestation Using Intel® TXT
The OpenAttestation project announced its v2.0 Gold release on September 30, 2013.
Security is a major concern impeding cloud adoption. To ease those concerns, Intel created three important usage models based on Intel® Trusted Execution Technology (TXT):
- trusted launch
- trusted compute pools
- compliance support
However, one critical component of the TXT solution was still missing before these usage models could be widely implemented in open source cloud environments: an open source remote attestation service.
Remote attestation services are critical for implementing security solutions in the cloud. They check whether a platform is launched with known-good firmware and software components, communicating the trustworthiness of an entity to users and providing desired visibility and auditability.
Remote attestation helps:
- Enforce detection of launch components to reduce malware threats
- Control VMs, based on platform trust (and other attributes), to better protect data
- Provide hardware support for compliance and auditability
The OpenAttestation project started in 2010. Its mission is to provide an SDK for building a remote attestation service, for cloud security usage models implemented by ISVs, that manages host integrity verification through the TCG-defined remote attestation protocol. After a formal open source launch in early 2012, OAT (v1.6.0) moved forward to become a top vehicle driving Intel TXT into cloud environments.
OpenAttestation (OAT) is easy to deploy and use:
- Install the OAT-based attestation service on a server.
- Enable TPM and TXT in the BIOS on hosts.
- Install tboot and enable measured launch on hosts.
- Install the host agent on hosts, then provision and register it with the attestation service.
- Configure the attestation service and provision the white list.
- Configure management tools for access to the attestation service.
Once OAT is deployed, a user can start to query the trustworthiness of hosts.
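A simplified model of the check the attestation service performs once the white list is provisioned, as an added example (not OpenAttestation code): it replays TPM 1.2 style PCR extends over a launch sequence and compares the result with known-good values. The component names, PCR indices and zero initial PCR value are constructed assumptions, and verification of the signed TPM quote is omitted.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length used by TPM 1.2 PCRs


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_launch(components) -> dict:
    """Replay a measured launch: fold each (pcr_index, blob) into its PCR, in order."""
    pcrs = {}
    for index, blob in components:
        # Assumption: every PCR starts as all zeros before the first extend.
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), blob)
    return {index: value.hex() for index, value in pcrs.items()}


def attest(reported: dict, whitelist: dict) -> dict:
    """Compare reported PCRs with the white list; a missing PCR counts as a mismatch."""
    mismatched = sorted(i for i, good in whitelist.items() if reported.get(i) != good)
    return {"trusted": not mismatched, "mismatched_pcrs": mismatched}


# Constructed sample data: byte strings stand in for real firmware and boot images,
# and the PCR indices are illustrative.
KNOWN_GOOD = [(0, b"bios-v1"), (17, b"sinit-acm"), (18, b"tboot"), (18, b"kernel-3.10")]
WHITELIST = measure_launch(KNOWN_GOOD)  # provisioned once from a reference host

# A host whose kernel image differs from the reference by a few bytes.
TAMPERED = [(0, b"bios-v1"), (17, b"sinit-acm"), (18, b"tboot"), (18, b"kernel-3.10-mod")]
# A host that loads the same components into PCR 18 in a different order.
REORDERED = [(0, b"bios-v1"), (17, b"sinit-acm"), (18, b"kernel-3.10"), (18, b"tboot")]


def demo() -> dict:
    """Attest three constructed hosts against the same white list."""
    hosts = {"good": KNOWN_GOOD, "tampered": TAMPERED, "reordered": REORDERED}
    return {name: attest(measure_launch(seq), WHITELIST) for name, seq in hosts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Because each extend hashes the previous PCR value, both a changed component and a changed load order produce a different final PCR, which is why the white list can hold a single value per PCR.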
Find out more about the OpenAttestation project (https://01.org/openattestation).