Trusted compute pools

Trusted compute pools enable administrators to designate a group of compute hosts as trusted. These hosts use hardware-based security features, such as Intel Trusted Execution Technology (TXT), to provide an additional level of security. Combined with an external, stand-alone, web-based remote attestation server, cloud providers can ensure that the compute node runs only software with verified measurements and can ensure a secure cloud stack.

Using the trusted compute pools, cloud subscribers can request services to run on verified compute nodes.

The remote attestation server performs node verification as follows:

1. Compute nodes boot with Intel TXT enabled.
2. The compute node BIOS, hypervisor, and OS are measured.
3. Measured data is sent to the attestation server when challenged by the attestation server.
4. The attestation server verifies those measurements against a database of known good values to determine node trustworthiness.

A description of how to set up an attestation service is beyond the scope of this document. For an open source project that you can use to implement an attestation service, see the Open Attestation project.
Configure Compute to use trusted compute pools

1. Enable scheduling support for trusted compute pools by adding the following lines in the DEFAULT section in the /etc/nova/nova.conf file:

    [DEFAULT]
    compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
    scheduler_available_filters=nova.scheduler.filters.all_filters
    scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter

2. Specify the connection information for your attestation service by adding the following lines to the trusted_computing section in the /etc/nova/nova.conf file:

    [trusted_computing]
    server=10.1.71.206
    port=8443
    server_ca_file=/etc/nova/ssl.10.1.71.206.crt
    # If using OAT v1.5, use this api_url:
    api_url=/AttestationService/resources
    # If using OAT pre-v1.5, use this api_url:
    #api_url=/OpenAttestationWebServices/V1.0
    auth_blob=i-am-openstack

   Where:

   server
       Host name or IP address of the host that runs the attestation service.
   port
       HTTPS port for the attestation service.
   server_ca_file
       Certificate file used to verify the attestation server's identity.
   api_url
       The attestation service's URL path.
   auth_blob
       An authentication blob, which is required by the attestation service.

3. Restart the nova-compute and nova-scheduler services.
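A check to run before restarting the services, as an added example that is not part of the original page or of OpenStack: it parses nova.conf text and reports a missing TrustedFilter (without it the scheduler does not apply the trust requirement), unset trusted_computing options, and an auth_blob left at the sample value. The function name, the wording of the findings and the WEAK_CONF sample are assumptions made for this example.

```python
import configparser
import os

REQUIRED = ("server", "port", "server_ca_file", "api_url", "auth_blob")
SAMPLE_AUTH_BLOB = "i-am-openstack"  # value shown in the page's sample config

# Constructed sample: TrustedFilter left out, no CA file, sample auth_blob kept.
WEAK_CONF = """\
[DEFAULT]
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter
[trusted_computing]
server=10.1.71.206
port=8443
api_url=/AttestationService/resources
auth_blob=i-am-openstack
"""


def check_trusted_pool_config(text, check_files=False):
    """Return a list of findings for nova.conf content passed as a string."""
    # Treat [DEFAULT] as an ordinary section so its keys are not inherited
    # by [trusted_computing] through configparser's default-section logic.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    findings = []
    filters = cp.get("DEFAULT", "scheduler_default_filters", fallback="")
    if "TrustedFilter" not in [f.strip() for f in filters.split(",")]:
        findings.append("TrustedFilter is not in scheduler_default_filters")
    if not cp.has_section("trusted_computing"):
        return findings + ["no [trusted_computing] section"]
    tc = cp["trusted_computing"]
    for key in REQUIRED:
        if not tc.get(key, "").strip():
            findings.append(f"[trusted_computing] {key} is not set")
    port = tc.get("port", "").strip()
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"port {port!r} is not a valid TCP port")
    if tc.get("auth_blob", "").strip() == SAMPLE_AUTH_BLOB:
        findings.append("auth_blob is still the documentation sample value")
    ca_file = tc.get("server_ca_file", "").strip()
    if check_files and ca_file and not os.path.isfile(ca_file):
        findings.append(f"server_ca_file {ca_file} does not exist")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_pool_config(WEAK_CONF):
        print("FINDING:", finding)
```

Pass check_files=True when running on the scheduler host to also confirm that the file named by server_ca_file exists.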
Configuration reference

To customize the trusted compute pools, use the following configuration option settings:
Specify trusted flavors

To designate hosts as trusted:

1. Configure one or more flavors as trusted by using the nova flavor-key set command. For example, to set the m1.tiny flavor as trusted:

    $ nova flavor-key m1.tiny set trust:trusted_host trusted

2. Request that your instance be run on a trusted host, by specifying a trusted flavor when booting the instance. For example:

    $ nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName
Trusted compute pool