Proposed F19 Feature: OpenAttestation

Wei, Gang gang.wei at
Fri Feb 1 03:02:50 UTC 2013

Josh Boyer wrote on 2013-02-01:
> On Thu, Jan 31, 2013 at 12:40 AM, Wei, Gang <gang.wei at> wrote:
>> Bill Nottingham wrote on 2013-01-29:
>>> Jaroslav Reznik (jreznik at said:
>>>> = Features/OpenAttestation =
>>>> Feature owner(s): Gang Wei <gang.wei at>
>>>> Provide Fedora packages for OpenAttestation to support Trusted Compute
>>>> Pools (TCP) feature in OpenStack since Folsom release & in future oVirt
>>>> releases.
>>> Wow, TCP is a horribly unfortunate acronym collision.
>>>> == Detailed description ==
>>>> This feature would include mostly packaging OpenAttestation project for
>>>> Fedora.
>>>> * the source package will be named oat
>>>> * the binary packages will include oat-appraiser & oat-client
> <snip>
>>> How does it intend to attest the OS in a rapidly updating Fedora
>>> environment? Just the kernel + initramfs? An image-based checksum such
>>> as what is used in ChromeOS?
>> By far, just kernel + initramfs. Every time the kernel/initramfs got
>> updated, the Known Good Value in OpenAttestation Server should be
>> updated to take new kernel/initramfs as "trusted" one.
> Does this feature require any kernel options set in the Fedora kernel?
> The dependency on Intel TXT machines and tboot would lead me to believe
> that it might require IMA/EVA support.  Is that the case?  If so, those
> are currently disabled in the Fedora kernel.

This feature doesn't require any kernel options set directly. But the tboot
package will require intel_iommu=on and it will do it by providing grub2
It doesn't require IMA/EVA by far.
