9.9. Trusted Compute Pools

Trusted compute pools are secure clusters based on Intel Trusted Execution Technology (Intel TXT). Trusted clusters only allow hosts that are verified by Intel’s OpenAttestation, which measures the integrity of the host’s hardware and software against a White List database. Trusted hosts and the virtual machines running on them can be assigned tasks that require higher security. For more information on Intel TXT, trusted systems, and attestation, see https://software.intel.com/en-us/articles/intel-trusted-execution-technology-intel-txt-enabling-guide.

Creating a trusted compute pool involves the following steps:

  • Configuring the Manager to communicate with an OpenAttestation server.
  • Creating a trusted cluster that can only run trusted hosts.
  • Adding trusted hosts to the trusted cluster. Hosts must be running the OpenAttestation agent to be verified as trusted by the OpenAttestation server.

For information on installing an OpenAttestation server, installing the OpenAttestation agent on hosts, and creating a White List database, see https://github.com/OpenAttestation/OpenAttestation/wiki.

9.9.1. Connecting an OpenAttestation Server to the Manager

Before you can create a trusted cluster, the Red Hat Virtualization Manager must be configured to recognize the OpenAttestation server. Use engine-config to add the OpenAttestation server’s FQDN or IP address:

# engine-config -s AttestationServer=attestationserver.example.com

The following settings can also be changed if required:

Table 9.6. OpenAttestation Settings for engine-config

| Option | Default Value | Description |
|---|---|---|
| AttestationServer | oat-server | The FQDN or IP address of the OpenAttestation server. This must be set for the Manager to communicate with the OpenAttestation server. |
| AttestationPort | 8443 | The port used by the OpenAttestation server to communicate with the Manager. |
| AttestationTruststore | TrustStore.jks | The trust store used for securing communication with the OpenAttestation server. |
| AttestationTruststorePass | password | The password used to access the trust store. |
| AttestationFirstStageSize | 10 | Used for quick initialization. Changing this value without good reason is not recommended. |
| SecureConnectionWithOATServers | true | Enables or disables secure communication with OpenAttestation servers. |
| PollUri | AttestationService/resources/PollHosts | The URI used for accessing the OpenAttestation service. |
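
As an added example (not part of the Red Hat documentation), the following shell function checks a set of these options for values that Table 9.6 lists as shipped defaults or that disable secure communication. The `Option=Value` input format and the names `audit_attestation` and `flag` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the OpenAttestation options from Table 9.6.
# Input on stdin: "Option=Value" lines, a constructed format (values can be
# read on the Manager with `engine-config -g <Option>` and written this way).
# Prints one finding per line; returns 1 if there are findings, 0 otherwise.
audit_attestation() {
    findings=0 seen_server=0
    flag() { echo "$1"; findings=$((findings + 1)); }
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            AttestationServer)
                seen_server=1
                # "oat-server" is the shipped default, not a configured server.
                case "$value" in
                    ''|oat-server) flag "AttestationServer: unset or default" ;;
                esac ;;
            AttestationPort)
                case "$value" in
                    ''|*[!0-9]*) flag "AttestationPort: not a number" ;;
                    *) [ "$value" -ge 1 ] && [ "$value" -le 65535 ] ||
                           flag "AttestationPort: out of range" ;;
                esac ;;
            AttestationTruststorePass)
                case "$value" in
                    ''|password) flag "AttestationTruststorePass: empty or default" ;;
                esac ;;
            SecureConnectionWithOATServers)
                [ "$value" = "true" ] ||
                    flag "SecureConnectionWithOATServers: secure communication disabled" ;;
            AttestationFirstStageSize)
                [ "$value" = "10" ] ||
                    flag "AttestationFirstStageSize: changed from default 10" ;;
        esac
    done
    [ "$seen_server" -eq 1 ] || flag "AttestationServer: missing from input"
    [ "$findings" -eq 0 ]
}

# Constructed sample input: two weak settings, the rest acceptable.
audit_attestation <<'EOF' || echo "review the settings listed above"
AttestationServer=attestationserver.example.com
AttestationPort=8443
AttestationTruststorePass=password
SecureConnectionWithOATServers=false
EOF
```
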

9.9.2. Creating a Trusted Cluster

Trusted clusters communicate with an OpenAttestation server to assess the security of hosts. When a host is added to a trusted cluster, the OpenAttestation server measures the host’s hardware and software against a White List database. Virtual machines can be migrated between trusted hosts in the trusted cluster, allowing for high availability in a secure environment.

Creating a Trusted Cluster

  1. Click Compute → Clusters.
  2. Click New.
  3. Enter a Name for the cluster.
  4. Select the Enable Virt Service check box.
  5. Click the Scheduling Policy tab and select the Enable Trusted Service check box.
  6. Click OK.

9.9.3. Adding a Trusted Host

Red Hat Enterprise Linux hosts can be added to trusted clusters and measured against a White List database by the OpenAttestation server. Hosts must meet the following requirements to be trusted by the OpenAttestation server:

  • Intel TXT is enabled in the BIOS.
  • The OpenAttestation agent is installed and running.
  • Software running on the host matches the OpenAttestation server’s White List database.

Adding a Trusted Host

  1. Click Compute → Hosts.
  2. Click New.
  3. Select a trusted cluster from the Host Cluster drop-down list.
  4. Enter a Name for the host.
  5. Enter the Hostname of the host.
  6. Enter the host’s root Password.
  7. Click OK.

After the host is added to the trusted cluster, it is assessed by the OpenAttestation server. If a host is not trusted by the OpenAttestation server, it will move to a Non Operational state and should be removed from the trusted cluster.