Bill Nottingham wrote on 2013-01-29:
> Jaroslav Reznik (jreznik@xxxxxxxxxx) said:
>> = Features/OpenAttestation =
>> https://fedoraproject.org/wiki/Features/OpenAttestation
>>
>> Feature owner(s): Gang Wei <gang.wei@xxxxxxxxx>
>>
>> Provide fedora packages for OpenAttestation to support Trusted Compute
>> Pools(TCP) feature in OpenStack since Folsom release & in future oVirt
>> releases.
>
> Wow, TCP is a horribly unfortunate acronym collision.
>
>> == Detailed description ==
>> This feature would include mostly packaging OpenAttestation project for
>> fedora.
>>
>> * the source package will be named oat
>> * the binary packages will include oat-appraiser & oat-client
>
> If you're attempting to create a framework that attests the integrity
> of systems for use by 'trusted' software, it would (in theory) only be as
> secure as its weakest link. Given that... PHP?

I am not sure whether PHP is the weakest link, but the integrity checking done by OpenAttestation is to ensure the system is running the expected software like BIOS/OS/etc. As to whether the expected software is secure enough, that is another story.

> How does it intend to attest the OS in a rapidly updating Fedora
> environment? Just the kernel + initramfs? An image-based checksum such
> as what is used in ChromeOS?

By far, just kernel + initramfs. Every time the kernel/initramfs got updated, the Known Good Value in OpenAttestation Server should be updated to take the new kernel/initramfs as the "trusted" one.

Jimmy
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
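
The Known Good Value refresh described in the reply above can be modelled as follows. This is an added example, not code from the thread or from the OpenAttestation project. The `Appraiser` class, the SHA-256 extend chain, the single-register layout and the sample byte strings are all assumptions made for illustration, and the TPM-signed quote that would carry the measurement is left out.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 digest length; the hash choice is an assumption of this sketch


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(kernel: bytes, initramfs: bytes) -> str:
    """Fold kernel, then initramfs, into one register that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in (kernel, initramfs):
        pcr = extend(pcr, blob)
    return pcr.hex()


class Appraiser:
    """Hypothetical stand-in for the server-side Known Good Value store."""

    def __init__(self):
        self.known_good = {}  # measurement (hex) -> human-readable label

    def add_known_good(self, label: str, kernel: bytes, initramfs: bytes) -> None:
        self.known_good[measure_boot(kernel, initramfs)] = label

    def appraise(self, reported: str) -> str:
        label = self.known_good.get(reported)
        return f"trusted ({label})" if label else "untrusted"


# Constructed sample data standing in for the real boot images.
OLD_KERNEL, OLD_INITRAMFS = b"vmlinuz-A", b"initramfs-A"
NEW_KERNEL, NEW_INITRAMFS = b"vmlinuz-B", b"initramfs-B"


def demo():
    server = Appraiser()
    server.add_known_good("build-A", OLD_KERNEL, OLD_INITRAMFS)
    before = server.appraise(measure_boot(OLD_KERNEL, OLD_INITRAMFS))
    # A package update changes the measurement, so the host stops matching.
    after_update = server.appraise(measure_boot(NEW_KERNEL, NEW_INITRAMFS))
    # Regenerating only the initramfs has the same effect.
    initramfs_only = server.appraise(measure_boot(OLD_KERNEL, NEW_INITRAMFS))
    # The operator registers the new pair as a Known Good Value.
    server.add_known_good("build-B", NEW_KERNEL, NEW_INITRAMFS)
    after_refresh = server.appraise(measure_boot(NEW_KERNEL, NEW_INITRAMFS))
    return before, after_update, initramfs_only, after_refresh


if __name__ == "__main__":
    print(demo())
```
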