Josh Boyer wrote on 2013-02-01:
> On Thu, Jan 31, 2013 at 12:40 AM, Wei, Gang <gang.wei@xxxxxxxxx> wrote:
>> Bill Nottingham wrote on 2013-01-29:
>>> Jaroslav Reznik (jreznik@xxxxxxxxxx) said:
>>>> = Features/OpenAttestation =
>>>> https://fedoraproject.org/wiki/Features/OpenAttestation
>>>>
>>>> Feature owner(s): Gang Wei <gang.wei@xxxxxxxxx>
>>>>
>>>> Provide fedora packages for OpenAttestation to support Trusted Compute
>>>> Pools(TCP) feature in OpenStack since Folsom release & in future oVirt
>>>> releases.
>>>
>>> Wow, TCP is a horribly unfortunate acronym collision.
>>>
>>>> == Detailed description ==
>>>> This feature would include mostly packaging OpenAttestation project for
>>>> fedora.
>>>>
>>>> * the source package will be named oat
>>>> * the binary packages will include oat-appraiser & oat-client
>
> <snip>
>
>>> How does it intend to attest the OS in a rapidly updating Fedora
>>> environment? Just the kernel + initramfs? An image-based checksum such
>>> as what is used in ChromeOS?
>>
>> By far, just kernel + initramfs. Every time the kernel/initramfs got
>> updated, the Known Good Value in OpenAttestation Server should be
>> updated to take new kernel/initramfs as "trusted" one.
>
> Does this feature require any kernel options set in the Fedora kernel?
> The dependency on Intel TXT machines and tboot would lead me to believe
> that it might require IMA/EVA support. Is that the case? If so, those
> are currently disabled in the Fedora kernel.

This feature doesn't require any kernel options set directly. But tboot
package will require intel_iommu=on and it will do it by providing grub2
scripts. It doesn't require IMA/EVA by far.

Jimmy