I really hope people don't run the attestation server as a VM managed by ACS - that sounds like an excellent way to shoot oneself in the foot…

On Jan 9, 2013, at 10:41 PM, Devdeep Singh <[email protected]> wrote:

> I would like to get some of the requirements cleared before working on the
> FS. There were several assumptions made in the POC and they need to be
> clarified.
>
> 1. CloudStack will have to talk to an attestation server to check if a host
>    is trusted or not. Is it correct to assume the attestation server, which
>    can be a virtual appliance, is not managed by CloudStack?
> 2. The trust relation between the attestation server and hosts will be
>    established outside the scope of CloudStack. CloudStack will just check
>    with the attestation server whether a host is trusted or not.
> 3. Intel attestation server is called Mt. Wilson. Anyone who is interested
>    in using the feature will have to set up the Mt. Wilson server and
>    configure CloudStack to talk to it.
> 4. Mt. Wilson provides an API Client toolkit (jar files) for quick
>    integration. I am not sure how they are licensed, but if they are not
>    compatible with the Apache license, this feature will have to be under
>    'nonoss'.
>
> Regards,
> Devdeep
>
>> -----Original Message-----
>> From: Animesh Chaturvedi [mailto:[email protected]]
>> Sent: Thursday, January 10, 2013 2:48 AM
>> To: [email protected]
>> Subject: RE: [DISCUSS] Support for Intel TXT technology
>>
>> Sure Devdeep can provide the details
>>
>>> -----Original Message-----
>>> From: Chip Childers [mailto:[email protected]]
>>> Sent: Wednesday, January 09, 2013 1:00 PM
>>> To: [email protected]
>>> Subject: Re: [DISCUSS] Support for Intel TXT technology
>>>
>>> On Wed, Jan 9, 2013 at 3:56 PM, Hari Kannan <[email protected]> wrote:
>>>> Hi Chip,
>>>>
>>>> I will let Animesh comment on the IP/repo stuff - regarding the other
>>>> 2 topics you raised
>>>>
>>>> - I wouldn't claim code at a "done" level yet - we did develop code
>>>> to a sufficient level to demo, but it would need some more work for
>>>> sure. It hadn't made it as part of any Citrix commercial product
>>>> either - it was developed, showcased but hasn't yet seen the light
>>>> of the day
>>>
>>> Understood... so perhaps there isn't a design document. Perhaps the
>>> author of the code (not sure who it is) wouldn't mind adding some
>>> basic design elements to the FS wiki page. That will help the
>>> community evaluate the inclusion of the donated code.
>>>
>>>> - Regarding the XS part, it has been developed/tested only for XS -
>>>> however, the feature is not restricted for XS - in other words,
>>>> unlike the host updates, which was meant to be for XS only, this
>>>> feature eventually must support all hypervisors (or even baremetal
>>>> servers) - at this time, it has been developed for XS only..
>>>
>>> Excellent. I'd like to see that reflected in the design / code as
>>> well, but glad to hear it was a consideration!
>>>
>>>> Hari
>>>>
>>>> -----Original Message-----
>>>> From: Chip Childers [mailto:[email protected]]
>>>> Sent: Wednesday, January 9, 2013 12:52 PM
>>>> To: [email protected]
>>>> Subject: Re: [DISCUSS] Support for Intel TXT technology
>>>>
>>>> On Wed, Jan 9, 2013 at 3:44 PM, David Nalley <[email protected]> wrote:
>>>>> On Wed, Jan 9, 2013 at 3:37 PM, Animesh Chaturvedi
>>>>> <[email protected]> wrote:
>>>>>> This came in as I was following up on action item from IRC today.
>>>>>> This feature is something that has already been developed before
>>>>>> ACS 4.0 and processes were formalized and also had been
>>>>>> demonstrated in public forums such as in Intel Developers Forum
>>>>>> last Sept but somehow missed getting filed. Can we consider it as
>>>>>> an exception and take it for 4.1? I understand we are a few days
>>>>>> past cutoff, I will ensure we are more diligent in future.
>>>>>>
>>>>>> Animesh
>>>>>
>>>>> Is the code already in the repo? Or was it developed externally?
>>>>
>>>> Good question. My previous email made the assumption that it was not
>>>> currently in the project repo, but I could certainly be mistaken.
>>>>
>>>> -chip

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
