Proposed F19 Feature: OpenAttestation
Josh Boyer
jwboyer at gmail.com
Fri Feb 1 12:49:28 UTC 2013
On Thu, Jan 31, 2013 at 10:02 PM, Wei, Gang <gang.wei at intel.com> wrote:
> Josh Boyer wrote on 2013-02-01:
>> On Thu, Jan 31, 2013 at 12:40 AM, Wei, Gang <gang.wei at intel.com> wrote:
>>> Bill Nottingham wrote on 2013-01-29:
>>>> Jaroslav Reznik (jreznik at redhat.com) said:
>>>>> = Features/OpenAttestation =
>>>>> https://fedoraproject.org/wiki/Features/OpenAttestation
>>>>>
>>>>> Feature owner(s): Gang Wei <gang.wei at intel.com>
>>>>>
>>>>> Provide fedora packages for OpenAttestation to support Trusted Compute
>>>>> Pools(TCP) feature in OpenStack since Folsom release & in future oVirt
>>>>> releases.
>>>>
>>>> Wow, TCP is a horribly unfortunate acronym collision.
>>>>
>>>>> == Detailed description ==
>>>>> This feature would include mostly packaging OpenAttestation project for
>>>>> fedora.
>>>>>
>>>>> * the source package will be named oat
>>>>> * the binary packages will include oat-appraiser & oat-client
>>
>> <snip>
>>
>>>> How does it intend to attest the OS in a rapidly updating Fedora
>>>> environment? Just the kernel + initramfs? An image-based checksum such
>>>> as what is used in ChromeOS?
>>>
>>> By far, just kernel + initramfs. Every time the kernel/initramfs got
>>> updated, the Know Good Value in OpenAttestation Server should be
>>> updated to take new kernel/initramfs as "trusted" one.
>>
>> Does this feature require any kernel options set in the Fedora kernel?
>> The dependency on Intel TXT machines and tboot would lead me to believe
>> that it might require IMA/EVA support. Is that the case? If so, those
>> are currently disabled in the Fedora kernel.
>
> This feature doesn't require any kernel options set directly. But tboot
> package will require intel_iommu=on and it will do it by providing grub2
> scripts.
> It doesn't require IMA/EVA by far.
Great. Thanks for the quick reply.
josh
More information about the devel
mailing list