Proposed F19 Feature: OpenAttestation

Wei, Gang gang.wei at intel.com
Fri Feb 1 03:02:50 UTC 2013


Josh Boyer wrote on 2013-02-01:
> On Thu, Jan 31, 2013 at 12:40 AM, Wei, Gang <gang.wei at intel.com> wrote:
>> Bill Nottingham wrote on 2013-01-29:
>>> Jaroslav Reznik (jreznik at redhat.com) said:
>>>> = Features/OpenAttestation =
>>>> https://fedoraproject.org/wiki/Features/OpenAttestation
>>>>
>>>> Feature owner(s): Gang Wei <gang.wei at intel.com>
>>>>
>>>> Provide Fedora packages for OpenAttestation to support the Trusted Compute
>>>> Pools (TCP) feature in OpenStack since the Folsom release and in future
>>>> oVirt releases.
>>>
>>> Wow, TCP is a horribly unfortunate acronym collision.
>>>
>>>> == Detailed description ==
>>>> This feature would include mostly packaging OpenAttestation project for
>>>> fedora.
>>>>
>>>> * the source package will be named oat
>>>> * the binary packages will include oat-appraiser & oat-client
>
> <snip>
>
>>> How does it intend to attest the OS in a rapidly updating Fedora
>>> environment? Just the kernel + initramfs? An image-based checksum such
>>> as what is used in ChromeOS?
>>
>> So far, just kernel + initramfs. Every time the kernel/initramfs gets
>> updated, the Known Good Value in the OpenAttestation Server should be
>> updated to take the new kernel/initramfs as the "trusted" one.
>
> Does this feature require any kernel options set in the Fedora kernel?
> The dependency on Intel TXT machines and tboot would lead me to believe
> that it might require IMA/EVA support.  Is that the case?  If so, those
> are currently disabled in the Fedora kernel.

This feature doesn't require any kernel options to be set directly. But the
tboot package will require intel_iommu=on, and it will do that by providing
grub2 scripts.
It doesn't require IMA/EVA so far.

Jimmy
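As an added illustration of the "Known Good Value" scheme discussed above (example code written for this page, not code from OpenAttestation, tboot or Fedora), the following simulates the appraiser side: the host's kernel and initramfs are measured into a PCR by TPM extend operations, the server keeps a whitelist of expected PCR values derived from known-good images, and a host is "trusted" only if its reported value matches an entry. It assumes a single TPM 1.2-style SHA-1 PCR extended from the reset value; the actual PCR numbers tboot uses and OpenAttestation's wire format are not taken from this thread. The sample "images" are constructed byte strings, not real files. The walk-through shows the operational consequence raised in the thread: a kernel update makes a host untrusted until the whitelist is refreshed, while a tampered initramfs or a different measurement order never matches.

```python
import hashlib
import hmac

# Constructed stand-ins for the images a host boots; real ones live under /boot.
KERNEL_A = b"vmlinuz (constructed sample image A)"
INITRAMFS_A = b"initramfs (constructed sample image A)"
KERNEL_B = b"vmlinuz (constructed sample image B, after an update)"

PCR_SIZE = 20  # assumption: TPM 1.2 PCRs are SHA-1 sized


def measure(blob: bytes) -> bytes:
    """Digest of one measured object (kernel or initramfs)."""
    return hashlib.sha1(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || digest).

    Extend is one-way and order-dependent: the same components measured in a
    different order, or any changed byte, give a different final PCR value.
    """
    return hashlib.sha1(pcr + digest).digest()


def boot_pcr(components) -> str:
    """Simulate a measured boot that extends each component into one PCR,
    starting from the reset value (all zeros). Returns the final value as hex."""
    pcr = b"\x00" * PCR_SIZE
    for blob in components:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr.hex()


class Appraiser:
    """Minimal stand-in for the server side: a whitelist of known good PCR values."""

    def __init__(self):
        self.known_good = {}  # label -> expected PCR value (hex)

    def add_known_good(self, label: str, components) -> None:
        # The expected value is derived from the known-good component images
        # the same way the host's TPM derives the reported one.
        self.known_good[label] = boot_pcr(components)

    def appraise(self, reported_pcr: str):
        """Return ('trusted', label) on a whitelist match, else ('untrusted', None)."""
        for label, expected in self.known_good.items():
            if hmac.compare_digest(expected, reported_pcr):
                return ("trusted", label)
        return ("untrusted", None)


def update_cycle():
    """Walk through the lifecycle the thread describes and return each verdict."""
    appraiser = Appraiser()
    appraiser.add_known_good("kernel-A", [KERNEL_A, INITRAMFS_A])

    verdicts = {}
    # 1. Host boots the whitelisted kernel + initramfs: trusted.
    verdicts["before_update"] = appraiser.appraise(boot_pcr([KERNEL_A, INITRAMFS_A]))
    # 2. Kernel package updated but whitelist not refreshed: untrusted, even
    #    though nothing malicious happened.
    verdicts["after_update_stale_whitelist"] = appraiser.appraise(
        boot_pcr([KERNEL_B, INITRAMFS_A]))
    # 3. Admin adds the new known good value; the updated host is trusted again.
    appraiser.add_known_good("kernel-B", [KERNEL_B, INITRAMFS_A])
    verdicts["after_update_refreshed_whitelist"] = appraiser.appraise(
        boot_pcr([KERNEL_B, INITRAMFS_A]))
    # 4. A tampered initramfs (one bit flipped) never matches any entry.
    tampered = INITRAMFS_A[:-1] + bytes([INITRAMFS_A[-1] ^ 0x01])
    verdicts["tampered_initramfs"] = appraiser.appraise(boot_pcr([KERNEL_B, tampered]))
    # 5. Same components measured in the wrong order: extend is order-dependent.
    verdicts["wrong_order"] = appraiser.appraise(boot_pcr([INITRAMFS_A, KERNEL_B]))
    return verdicts


if __name__ == "__main__":
    for step, verdict in update_cycle().items():
        print(f"{step}: {verdict}")
```

The whitelist lookup uses a constant-time comparison so the appraiser does not leak how much of a reported value matched; in a real deployment the reported PCRs would arrive inside a TPM quote signed by an attestation key, which is what binds the value to the host's TPM rather than to whatever the client claims.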