Bare Metal Trust OpenStack Summit Paris Nov 2014

Tan Lin, Wei Chen, Wei Gang, Malini Bhandaru, Shane Wang

Agenda
• Motivation
• Trust - HW & SW
• Ironic with Attestation
• Demo
• Blueprints & References

Motivation - Detect Malware/Changes

Can we “trust” a node to host an OpenStack Service?
Can we “trust” a relinquished Bare Metal Node to be free of malware, so that it can be allocated to another tenant?

• Detect change in BIOS? YES!
• Detect change in PCIe device(s)
  • number
  • firmware
• Change in Kernel, VMM, ?

OpenSource Technology Center

Intel TXT

Enables detection, on boot and on exit from platform sleep, of changes in:
• BIOS (root kits), replay attacks
• PCIe devices - YES!
  • number of devices
  • their firmware
• Kernel - updates

Motivation - A closer look at the Nodes

• Compute Nodes: host tenant VMs (Trusted Compute Pools)
• Service Nodes: host OpenStack services - scheduler (Nova), networking (Neutron), identity (KeyStone), block storage (Cinder), etc.
• Bare Metal Nodes: performance-sensitive tenants - HPC, Containers

Trust – TPM, TXT, OAT

Platform with TPM module (image)
Image credit: http://en.wikipedia.org/wiki/Trusted_Platform_Module#mediaviewer/File:TPM_Asus.jpg

Trusted Platform Module (TPM)

• TPM 1.2: SHA-1 hashes
• TPM 2.0: SHA-1 & SHA-2 hashes & custom hash algorithms
• 22 PCRs
Image credit: http://en.wikipedia.org/wiki/Trusted_Platform_Module#mediaviewer/File:TPM.svg

Trust – Hardware & Software: TPM/TXT/TBoot/TrouSerS/OAT

Software
• OAT - Remote Attestation; versions 1.7, 2.0; Client and Server (Java); Mt. Wilson (closed source)
• TrouSerS - library to access the TPM; open source software
• Tboot - measures BIOS, Option ROM, kernel into TPM registers; open source software (C)

Hardware (Intel platform)
• Intel TXT – VT-x, VT-d, BIOS enable; HW and SW virtualization support
• TPM – 1.2 original, 2.0 Global/export, software hash algorithms; hardware from NationZ, Infineon

Setup - OAT Server

1. Deploy OAT server in OpenStack
2. Provision Known Good Values
   • For Bare Metal images
   • OEMs can provide BIOS and PCIe firmware measures
   • HPC images deployed 1000s of times are worth a full measure

Setup – Node(s)

1. Enable TPM
2. Enable TXT, VT-x, VT-d in BIOS
3. Take TPM ownership

Currently manual steps
• Scripts would be nice; need OEM help
• Securely save the password

Setup – OpenStack

1. Ironic flavor – trusted
2. Whitelist – Glance image
3. iPXE/PXE boot image
4. Inject OAT client
5. Ironic second boot
6. Attest

Workflow

1. Enable VT-x, VT-d, take TPM ownership (Intel platform + TPM hardware)
2. Ironic boot: PXE or iPXE boots the Glance image through tboot, which measures BIOS and kernel
3. PCR hash values are sent to the OAT attestation service
4. The attestation service answers trusted/not
5. Allocate the node to the tenant
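The trusted/not decision of steps 3-4 and the admin alert and bounded re-try from the Next Steps slide, as an added example in Python (not code from the deck, Ironic or OAT). The whitelist, PCR indexes and digests are constructed placeholders; which PCR holds which component is illustrative.

```python
# Added example (not from the deck or from Ironic/OAT): an OAT-style
# trusted/not verdict over a node's PCR quote, with reasons for the admin.

# Constructed known-good values: image id -> {PCR index: (component, expected hex)}
WHITELIST = {
    "hpc-image-v1": {
        0:  ("BIOS",      "11" * 20),   # placeholder SHA-1 digests
        17: ("tboot MLE", "22" * 20),
        19: ("kernel",    "33" * 20),
    },
}


def attest(image_id, reported_pcrs, whitelist=WHITELIST):
    """Return (trusted, reasons) for one node's PCR quote.

    reported_pcrs maps PCR index -> hex digest as the OAT client quotes it.
    A node is trusted only if a whitelist entry exists for the image and
    every whitelisted PCR is present and matches; every deviation is kept
    so the admin alert can say what changed instead of a bare 'untrusted'.
    """
    expected = whitelist.get(image_id)
    if expected is None:
        return False, [f"missing whitelist entry for {image_id}"]
    reasons = []
    for pcr, (component, good) in expected.items():
        got = reported_pcrs.get(pcr)
        if got is None:
            reasons.append(f"PCR{pcr} ({component}) not reported")
        elif got.lower() != good.lower():
            reasons.append(f"PCR{pcr} ({component}) modified")
    return not reasons, reasons


def schedule_trusted(image_id, candidates, max_tries=3, whitelist=WHITELIST):
    """Attest candidate nodes in order and allocate the first trusted one.

    candidates is a list of (node_name, reported_pcrs). Bounding the attempts
    with max_tries is the deck's 'configure #tries' guard: one missing
    whitelist entry must not make the scheduler walk the whole pool.
    Returns (allocated_node_or_None, alerts), alerts listing each failure.
    """
    alerts = []
    for node, pcrs in candidates[:max_tries]:
        trusted, reasons = attest(image_id, pcrs, whitelist)
        if trusted:
            return node, alerts
        alerts.append((node, reasons))
    return None, alerts
```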

Demos - Use Cases

• Bare Metal Trust
• Detect firmware change - new PCIe device
• Upgrade - whitelist change

Horizon – Bare Metal Instances (screenshot)

Limitations

• Linux bare metal images in OpenStack - trust too
• Trust client injection required
  • OSV adoption (RedHat, Suse, Ubuntu) will eliminate this
  • Chicken-egg problem: demand/integration/adoption
• Manual enable of trust-measurement
  • OEM help needed for scripts

Next Steps

• Alert Admin about untrusted bare metal
  – BIOS/firmware/optionROM modified?
  – Kernel modified?
  – Missing whitelist entry?
• Re-try trusted bare metal schedule (configurable #tries)
  – To avoid denial-of-service through a missing whitelist entry
• Upstream code
  – https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust
  – https://blueprints.launchpad.net/horizon/+spec/bare-metal-trust-status

Blueprints

• https://blueprints.launchpad.net/ironic/+spec/bare-metal-trust

References

• Trusted Computing Group
• http://www.intel.com/content/www/us/en/architecture-and-technology/trusted-execution-technology/malware-reduction-general-technology.html
• http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf
• http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
• Intel® Trusted Execution Technology for Server Platforms (Apress)
• A Guide to More Secure Datacenters -- free eBook -- http://www.apress.com/9781430261483

Backup - Inject OAT-Client

minicloud@minicloud:~$ disk-image-create -u fedora local-config stackuser oat-client -o oat-client-21
minicloud@minicloud:/opt/stack/diskimage-builder/elements$ find oat-client/
oat-client/
oat-client/install.d
oat-client/install.d/package-installs-oat
oat-client/element-deps
oat-client/README.md
oat-client/pre-install.d
oat-client/pre-install.d/02-set-oat-repo

Trust Flavor

class PXEDriverFields(GenericDriverFields):

    def _get_kernel_ramdisk_dict(self, flavor):
        """Get the deploy ramdisk and kernel IDs from the flavor.

        :param flavor: the flavor object.
        :returns: a dict with the pxe options for the deploy ramdisk and
            kernel if the IDs were found in the flavor, otherwise an empty
            dict is returned.
        """
        extra_specs = flavor['extra_specs']
        deploy_kernel = extra_specs.get('baremetal:deploy_kernel_id')
        deploy_ramdisk = extra_specs.get('baremetal:deploy_ramdisk_id')
        # Flavor extra specs are strings, so the trust flag is the literal 'True'
        deploy_trust = extra_specs.get('baremetal:deploy_trust')
        deploy_ids = {}
        if deploy_kernel and deploy_ramdisk:
            deploy_ids['pxe_deploy_kernel'] = deploy_kernel
            deploy_ids['pxe_deploy_ramdisk'] = deploy_ramdisk
            if deploy_trust == 'True':
                # Passed through to the node's driver_info as pxe_deploy_trust
                deploy_ids['pxe_deploy_trust'] = deploy_trust
        return deploy_ids

Trust Node

def _parse_driver_info(node):
    """Gets the driver specific Node deployment info.

    This method validates whether the 'driver_info' property of the
    supplied node contains the required information for this driver to
    deploy images to the node.

    :param node: a single Node.
    :returns: A dict with the driver_info values.
    :raises: MissingParameterValue
    """
    info = node.driver_info
    d_info = {}
    d_info['deploy_kernel'] = info.get('pxe_deploy_kernel')
    d_info['deploy_ramdisk'] = info.get('pxe_deploy_ramdisk')
    # Trust is opt-in: nodes whose flavor did not set the flag boot untrusted
    d_info['deploy_trust'] = info.get('pxe_deploy_trust', 'False')
    error_msg = _("Cannot validate PXE bootloader")
    deploy_utils.check_for_missing_params(d_info, error_msg, 'pxe_')
    return d_info


def _continue_deploy(self, task, **kwargs):
    """Continues the deployment of baremetal node over iSCSI.

    This method continues the deployment of the baremetal node over
    iSCSI from where the deployment ramdisk has left off.

    :param task: a TaskManager instance containing the node to act on.
    :param kwargs: kwargs for performing iscsi deployment.
    """
    # Excerpt from the slide; only the trust-related lines are shown.
    try:
        d_info = _parse_deploy_info(node)
        trust_boot = d_info['deploy_trust']
        # trust_boot selects the trust_boot (tboot) label for the second boot
        deploy_utils.switch_pxe_config(pxe_config_path, root_uuid,
                                       driver_utils.get_node_capability(node, 'boot_mode'),
                                       trust_boot)

PXE configuration with trust_boot

default trust_boot

label deploy
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/deploy_ramdisk rootfstype=ramfs selinux=0 disk=cciss/c0d0,sda,hda,vda iscsi_target_iqn=iqn-40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_id=40595e7e-7841-4ac4-9878-fd7cbcac1d9f deployment_key=Z33C3N5N644QJH50T6SCZDEXR7FIYB0K ironic_api_url=http://10.239.48.36:6385 troubleshoot=0 text nofb nomodeset vga=normal
ipappend 3

label boot
kernel http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel
append initrd=http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal

label trust_boot
kernel mboot
append tboot.gz --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/kernel root=UUID=106b4e5c-128a-461a-a191-0c035efc4768 ro text nofb nomodeset vga=normal intel_iommu=on --- http://10.239.48.36:8081/40595e7e-7841-4ac4-9878-fd7cbcac1d9f/ramdisk
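How the `default` line of a config like the one above is switched for the second boot, as an added Python example (not the deck's or Ironic's own switch_pxe_config). The sample config, its placeholder hosts and the `{{ ROOT }}` root-device placeholder are assumptions of this example.

```python
import re

# Added example (not from the deck or Ironic): the `default` switch that
# _continue_deploy delegates to switch_pxe_config(..., trust_boot).
# Constructed config in the shape the deck shows; hosts are placeholders and
# `{{ ROOT }}` is assumed to be the template's root-device placeholder.
SAMPLE_PXE_CONFIG = """default deploy

label deploy
kernel http://pxe.example:8081/deploy_kernel
append initrd=http://pxe.example:8081/deploy_ramdisk rootfstype=ramfs text
ipappend 3

label boot
kernel http://pxe.example:8081/kernel
append initrd=http://pxe.example:8081/ramdisk root={{ ROOT }} ro text

label trust_boot
kernel mboot
append tboot.gz --- http://pxe.example:8081/kernel root={{ ROOT }} ro text intel_iommu=on --- http://pxe.example:8081/ramdisk
"""


def default_label(config):
    """Return the label named on the `default` line, or None."""
    m = re.search(r'^default\s+(\S+)', config, re.MULTILINE)
    return m.group(1) if m else None


def switch_pxe_config(config, root_uuid, trust_boot):
    """Rewrite the config for the node's second boot (setup step 5).

    trust_boot is the driver_info string 'True'/'False' (a bool also works):
    'True' makes the next boot go through tboot (label trust_boot) so BIOS
    and kernel are measured into the TPM before attestation; anything else
    selects the plain `boot` label. The root placeholder is filled with the
    UUID the deploy ramdisk reported.
    """
    target = 'trust_boot' if str(trust_boot) == 'True' else 'boot'
    labels = set(re.findall(r'^label\s+(\S+)', config, re.MULTILINE))
    if target not in labels:
        # Refuse rather than silently fall back to an unmeasured boot.
        raise ValueError(f"pxe config has no '{target}' label")
    config = re.sub(r'^default\s+\S+', f'default {target}', config,
                    count=1, flags=re.MULTILINE)
    return config.replace('{{ ROOT }}', f'UUID={root_uuid}')
```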

TrouSerS

• I have a TPM. What can I use TrouSerS for?
• TPM services provided through the TSS API are:
  o RSA key pair generation
  o RSA encryption and decryption using PKCS v1.5 and OAEP padding
  o RSA sign/verify
  o Extend data into the TPM's PCRs and log these events
  o Seal data to arbitrary PCRs
  o Random Number Generation
  o RSA key storage