Using New Trusted Pools Capability in Folsom Release

                   Gang Wei
Agenda

    Trusted Pools
    • Concept
    • Implementation & Usage

    Trusted Launch with Trusted Boot (Tboot)

    Remote Attestation with OpenAttestation (OAT)

    More on Trusted Pools
    • Patches
    • Deployment & Configuration

    Summary

Trusted Pools - Concept

    Trusted Pools is also called
    • Trusted Computing Pools (TCP)

    Trusted Pools relies on:
    • Trusted Launch
    • Remote Attestation

    [Figure: three benefit boxes]
    Trusted Pools: control VMs based on platform trust to better protect data
    Trusted Launch: verified platform integrity reduces malware threat
    Compliance: hardware support for compliance reporting enhances auditability
    of the cloud environment

Trusted Pools - Implementation

    User specifies:
      Mem > 2G
      Disk > 50G
      GPGPU=Intel
      trusted_host=trusted

    [Figure: component diagram]
    OpenStack: the Create request arrives via the EC2 API or OSAPI -> the
    Scheduler runs the TrustedFilter -> the TrustedFilter queries the
    Attestation Service (Query API), which answers trusted/untrusted per host
    -> Create VM on a trusted host.
    Attestation Service (OAT-based Attestation Server): Privacy CA, Appraiser,
    Whitelist DB; exposes the Query API, Host Agent API and Whitelist API.
    Compute host (Tboot-enabled): Host agent on Hypervisor / tboot on HW/TXT,
    running guest OSes and apps; the server attests the host and the host
    agent reports its measurements.

Using Trusted Pools

    Create a trusted flavor (instance type)
    • Create a new flavor 'm1.trusted'
    • Add a 'trusted_host=trusted' property to the flavor's extra specs

    Create a trusted instance
    • Issue a request to start a new instance and specify a trusted
      flavor such as 'm1.trusted'
    • The filter scheduler calls the trusted filter for each node in the
      system.
    • The trusted filter queries the attestation service to get the trust
      level of each of those nodes.
    • Only nodes whose trust level is 'trusted' are schedulable; all
      others are ignored.

Intel® Trusted Execution Technology (TXT)

    [Figure: TXT platform components]
    • CPU: Trusted Execution Technology extensions for measured launch &
      memory protection (SMX). The processor contains hardware to
      authenticate AC Modules and perform measurements.
    • Chipset: the VT-d chipset feature blocks device access (e.g. DMA) to
      protected memory pages.
    • TPM: 3rd party Trusted Platform Module (TPM) stores and reports
      trusted environment measurements.
    • BIOS / Flash: BIOS AC Module and platform initialization.
    • Intel Authenticated Software: SINIT AC Module, BIOS AC Module.
    • 3rd party Software: VMM/OS uses TXT mechanisms to establish a
      measured launch environment.

Trusted Boot (Tboot) Project
    http://sourceforge.net/projects/tboot

    Open source, pre-kernel/VMM module, BSD licensed

    Uses Intel TXT to perform verified launch of OS kernel/VMM
    • Supports ELF and Linux file formats
    • Extends LCP to verify VMM / kernel

    Mercurial repo http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot

    Project also contains tools for policy creation and provisioning
    • Intel TXT Launch Control Policy (LCP)
    • Tboot Verified Launch policy

    Distributions containing tboot package (Xen 3.4+, Linux 2.6.35+):
    • Fedora 14+, RHEL 6.1+, SLE11 SP2, Ubuntu 11.10+

Trusted Launch with Tboot

    [Figure: boot timeline for the Bootstrap Processor (BSP) and the
    Application Processors (APs), left to right in time]

    Bootstrap Processor (BSP):
    • BIOS boot: BIOS loads and starts the bootloader
    • GRUB: GRUB loads tboot + VMM / kernel + SINIT and starts tboot
    • tboot pre-launch: verify & prepare
    • TXT SENTER: extend PCR 17
    • SINIT: SINIT starts tboot; extend PCR 18
    • tboot post-launch: put APs in wait-for-SIPI, tboot starts APs;
      extend PCR 17/18/19/…; SMP bringup wakes APs
    • VMM/kernel starts: VMM / kernel ops, all threads participating

    Application Processor (AP):
    • SENTER Event (at TXT SENTER)
    • tboot AP join (at tboot post-launch)
    • All threads (once the VMM/kernel starts)

    * PCR – Platform Configuration Register in TPM

OpenAttestation Project
     https://github.com/OpenAttestation/OpenAttestation.git

     SDK for managing host integrity verification using the Trusted Computing
       Group (TCG) defined remote attestation protocol
     • Targeted at cloud and enterprise management tools

     Key features:
     • Supports major Linux host OSes
     • PCR-based report schema and policy rules
     • RESTful Query API
     • Reference web portal/GUI implementation
      – Historical PCR data tracking/comparison
      – Whitelist management (whitelist = known good PCR values)
     • Flexible access control to the attestation server
      – Supports Tomcat 2-way SSL/TLS for the Query APIs
      – Hook for ISVs to implement custom access control

SDK Architecture
     Code base is from the National Information Assurance Research Lab
       (NIARL) of the NSA
        – Privacy Certificate Authority (Privacy CA), Appraiser and Host Agent are Java
        – Host Agent accesses the TPM through TrouSerS

     [Figure: SDK components]
     Attestation Server (Tomcat): Privacy CA and Appraiser; exposes the Query
     API, Host Agent API and Whitelist API; persists the hosts table and
     whitelist table through Hibernate to the DB (mysql).
     Host: Host agent on Hypervisor / tboot on HW/TXT, running guest OSes and
     apps; talks to the server over the Host Agent API.
     Also in the SDK: installation and provisioning scripts, portal reference
     code.

An Example for Query
     Synchronously request host state from the server
     • POST and wait for the hosts' trustworthiness to be returned

     Request:

       POST OpenAttestationWebServices/V1.0/PollHosts
       Host: Attestation.ras.com:8443
       Content-Type: application/json
       Accept: application/json
       Auth_blob: authenticationBlob
       Content-length: 39

       {
       "count":1,
       "hosts":["host1.compute.com"]
       }

     Response:

       HTTP/1.1 200 OK
       Server: BaseHTTP/0.3 Python/2.7.1+
       Date: Wed, 24 Aug 2011 03:19:56 GMT
       Content-Type: application/json
       Content-length: 112

       {
       "count":1,
       "hosts":[{"host_name":"host1.compute.com",
                 "trust_lvl":"trusted",
                 "vtime":"Wed Aug 24 03:19:56 2011"}]
       }

Query API – Query Hosts' Trust State

     POST https://server/PostHosts
       Input parameters:  Auth_blob, SelectedPCRs bitmask, {HostNames…}
       Output parameters: RequestId
       Comment: request the hosts' trust state and selected PCR values from
                the Attestation server asynchronously

     GET https://server/PostedHosts
       Input parameters:  Auth_blob, RequestId
       Output parameters: Hosts' trust state data & selected PCR values
       Comment: retrieve a previously posted result

     POST https://server/PollHosts
       Input parameters:  Auth_blob, SelectedPCRs bitmask, {HostNames…}
       Output parameters: Hosts' trust state data & selected PCR values
       Comment: poll and wait for the Attestation server to return the hosts'
                trust state and selected PCR values synchronously

       • HTTPS Query API access control, set up and operated by the Cloud
         Provider, is through the Tomcat Truststore, verifying both Server and
         Client Certificates
       • The ISV-specific Auth_blob is included in all request headers
           • Opaque to the Attestation SDK
           • The ISV implements the authentication hook per its access control requirement

WhiteList Data API – Add/Delete good/known WhiteList entries

     PUT /PCR
       Output: Entry Index
       Comment: create a new PCR entry for update (PCRindex, PCRvalue, PCRdesc)
     UPDATE /PCR?Index=n
       Output: N/A
       Comment: update a specific entry's data
     DELETE /PCR?Index=n
       Output: N/A
       Comment: delete a specific entry's data

     GET /PCR
       Output: PCRindex, PCRvalue, PCRdesc entries
       Comment: display all the entries
     GET /PCR?Index=n
       Output: PCRindex, PCRvalue, PCRdesc
       Comment: retrieve a specific entry
     GET /PCR?PCRindex=n
       Output: PCRindex, PCRvalue, PCRdesc entries
       Comment: retrieve all the entries with PCRindex=n
     GET /PCR?PCRdesc=desc
       Output: PCRindex, PCRvalue, PCRdesc entries
       Comment: retrieve all the entries with PCRdesc=desc
     GET /PCR?PCRindex=n&PCRdesc=desc
       Output: PCRindex, PCRvalue, PCRdesc
       Comment: retrieve the entry matching both PCRindex and PCRdesc

     HTTPS access with both Server and Client Certificates verified through the
     Tomcat Truststore
     ISV-specific Auth_blob included in all request headers
       • The ISV implements the verification hook per its access control requirement

Attestation Flow in OpenAttestation – HostAgent to Server

     [Figure: message sequence between the Attesting Host (Host Agent + TPM)
     and the Appraiser]
     1. Host Agent -> Appraiser: request appraisal
     2. Appraiser: create a random nonce and get the PCR_SELECT mask
     3. Appraiser -> Host Agent: send the nonce and the requested PCRs
     4. Host Agent: load the AIK into the TPM;
        Quote = Sign(Requested PCR, Nonce)AIKpriv
     5. Host Agent -> Appraiser: HostName, Quote
     6. Appraiser: retrieve the AIK Certificate based on HostName; verify the
        AIK Certificate based on PrivacyCA.cert; verify the Quote signature
        through the AIK Cert; verify HostName and nonce; validate the PCRs

     * AIK – Attestation Identity Key

TrustedFilter

     commit 14c01e09b68b367d708c6ddd6f3d4e440687727c
     Author: Don Dugger <donald.d.dugger@intel.com>
     Date: Tue May 8 18:30:57 2012 -0600

         Add scheduler filter for trustedness of a host

         Implements blueprint trusted-computing-pools

     TrustedFilter
     • Selects the current host as a candidate if
      – the trusted_host property does not exist, or
      – the trusted_host property has the same value as the trust level of the
        current host obtained via AttestationService

     AttestationService
     • Provides an access wrapper to the attestation server to get the integrity
       report.
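The TrustedFilter decision above, fed by the PollHosts exchange of the Query API, as an added Python example (not Nova's or OAT's own code): the attestation server is replaced by a constructed PollHosts response, and `fetch` is an assumed transport hook standing in for the HTTPS POST.

```python
import json

# Constructed PollHosts response in the shape shown on the "Example for Query"
# slide. It stands in for the attestation server so the example runs offline.
SAMPLE_POLL_RESPONSE = json.dumps({
    "count": 2,
    "hosts": [
        {"host_name": "host1.compute.com", "trust_lvl": "trusted",
         "vtime": "Wed Aug 24 03:19:56 2011"},
        {"host_name": "host2.compute.com", "trust_lvl": "untrusted",
         "vtime": "Wed Aug 24 03:19:57 2011"},
    ],
})


def build_poll_request(host_names, auth_blob):
    """Headers and JSON body for POST <api_url>/PollHosts."""
    body = json.dumps({"count": len(host_names), "hosts": list(host_names)})
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Auth_blob": auth_blob,          # opaque to the SDK, checked by the ISV hook
        "Content-length": str(len(body)),
    }
    return headers, body


class AttestationService:
    """Access wrapper around the attestation server's Query API.

    `fetch(headers, body)` is a hypothetical transport hook: in a deployment it
    would POST over HTTPS to https://<server>:<port><api_url>/PollHosts with
    the server certificate checked against server_ca_file. Here it returns
    the canned JSON above.
    """

    def __init__(self, fetch, auth_blob="xxxx"):
        self._fetch = fetch
        self._auth_blob = auth_blob

    def trust_levels(self, host_names):
        """Map each host name to its reported trust_lvl, 'unknown' if absent."""
        headers, body = build_poll_request(host_names, self._auth_blob)
        levels = {name: "unknown" for name in host_names}
        try:
            report = json.loads(self._fetch(headers, body))
        except ValueError:
            return levels          # unparseable reply: nobody is trusted
        for entry in report.get("hosts", []):
            if entry.get("host_name") in levels:
                levels[entry["host_name"]] = entry.get("trust_lvl", "unknown")
        return levels


class TrustedFilter:
    """Scheduler filter: a host is a candidate when the flavor has no
    trusted_host property, or the property equals the host's trust level."""

    def __init__(self, attestation_service):
        self._attest = attestation_service

    def host_passes(self, host_name, extra_specs):
        wanted = extra_specs.get("trusted_host")
        if wanted is None:
            return True
        return self._attest.trust_levels([host_name])[host_name] == wanted

    def filter_hosts(self, host_names, extra_specs):
        """Batch form: one PollHosts query covering all candidate hosts."""
        wanted = extra_specs.get("trusted_host")
        if wanted is None:
            return list(host_names)
        levels = self._attest.trust_levels(host_names)
        return [h for h in host_names if levels[h] == wanted]


if __name__ == "__main__":
    svc = AttestationService(lambda headers, body: SAMPLE_POLL_RESPONSE)
    flt = TrustedFilter(svc)
    hosts = ["host1.compute.com", "host2.compute.com", "host3.compute.com"]
    print(flt.filter_hosts(hosts, {"trusted_host": "trusted"}))
```

A host the server does not report on (host3 above) never matches "trusted", so an unreachable or misconfigured attestation service empties the trusted pool rather than widening it.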
Set Flavor Extra Specs

     commit 8644584eb6daf4d2870cee9bba5b849bc37e36d0
     Author: Yunhong, Jiang <yunhong.jiang@intel.com>
     Date: Wed Jul 18 14:32:36 2012 +0800

         Enhance nova-manage to set flavor extra specs

         blueprint update-flavor-key-value

     TrustedFilter requires a 'trusted_host' property in the flavor extra spec

     4 ways to set flavor extra specs:
     • Access the database directly (6 is the id of the target flavor in the
       instance_types table)
      – mysql -u$MYSQL_USER -p$MYSQL_PASSWORD nova -e 'insert into
        instance_type_extra_specs (`deleted`,`instance_type_id`,`key`,`value`)
        values (0,6,"trusted_host","trusted");'
     • Enhance nova-manage to set flavor extra specs
      – nova-manage instance_type add_key m1.trusted trusted_host trusted
     • Enhance nova-client to set flavor extra specs
     • Enhance Dashboard (Horizon) to set flavor extra specs

Trusted Pools Deployment & Configuration

     Steps:
     • Deploy normal Nova controller & compute nodes
     • Deploy OAT based attestation service
     • Enable TPM & TXT in BIOS on compute nodes
     • Install Host Agent on compute nodes
     • Install tboot and enable trusted launch on compute nodes
     • Configure attestation service and provision White List
     • Configure Nova controller for Trusted Pools

Deploy OAT Based Attestation Service

     Future approach: install package(s) shipped with Linux distributions

     Current approach: build and install from source code.
     • Build: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Build.pdf
      – Build system can be Ubuntu/SuSE/Fedora/RHEL
      – Download & install the required tools/libraries
      – Build the package with the scripts
     • Install: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
      – Supports Ubuntu/SuSE/Fedora/RHEL
      – Install the required modules
      – Install the package generated in the previous step
      – Verify by accessing http://localhost/OAT/ in a browser

Install Host Agent

     The system must have a TPM 1.2 compliant device with its driver installed,
       and TPM/TXT enabled in BIOS.

     Steps: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
     • Install the dependent packages
     • Download the Client Installation Package from the OAT server:
       – http://<server.domain>/ClientInstaller.html
     • Unzip & run general-install.sh to install the package
     • Verify the Host Agent is registered with the OAT service
       – http://<server.domain>/OAT/reports.php
     • Hints are provided on how to set up two-way SSL/TLS auth

Install Tboot and Enable Trusted Launch

     Install with the tboot package in Linux distributions
     • For Ubuntu 12.04: apt-get install tboot
     • For Fedora 17/RHEL 6.3/SLES11 SP2: yum install tboot, then
       manually change grub.conf or .cfg.

     Install from source
     • Get the source code from either the upstream repo or the released source
       package on SourceForge
     • Install the trousers/trousers-devel/libtsp package
     • make & make install with root privilege
     • Change grub.conf or .cfg

     Refer to the README of the tboot project for more information

Configure Attestation Service & Provision White List

     Service Configuration: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
     • in /usr/lib/apache-tomcat-6.0.29/webapps/HisWebServices/WEB-INF/classes/OAT.properties
       – PCR_SELECT=FFFFFF          --- include PCR 0~23 in integrity reports
       – ALERT_MASK_CSV=0,17,18     --- verify PCR 0, 17, 18 to report the trust level

     White List provisioning:
     • Get the desired PCR values for the PCRs specified in ALERT_MASK_CSV
     • Create the White List entries
       – With the Admin Console:
          https://<server.domain>:8443/OpenAttestationAdminConsole/PCRManifest.jsp
       – Or by invoking the White List API from an app or a tool like curl
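How PCR_SELECT, ALERT_MASK_CSV and the White List entries (PCRindex, PCRvalue, PCRdesc, as in the WhiteList Data API) combine into a host's trust level, as an added Python example (not OAT's appraiser code). It assumes bit i of PCR_SELECT selects PCR i, and uses constructed whitelist entries and report values.

```python
# Constructed White List entries in the PCRindex/PCRvalue/PCRdesc shape of the
# WhiteList Data API. The values are made-up 40-hex-digit SHA-1 digests, not
# real measurements; two entries for PCR 0 model two approved BIOS builds.
WHITELIST = [
    {"PCRindex": 0,  "PCRvalue": "a1" * 20, "PCRdesc": "BIOS build 1"},
    {"PCRindex": 0,  "PCRvalue": "a2" * 20, "PCRdesc": "BIOS build 2"},
    {"PCRindex": 17, "PCRvalue": "b1" * 20, "PCRdesc": "tboot: SINIT/LCP"},
    {"PCRindex": 18, "PCRvalue": "c1" * 20, "PCRdesc": "tboot: MLE (VMM/kernel)"},
]

# Constructed integrity reports: PCR index -> quoted value (hex string).
REPORT_GOOD = {0: "A2" * 20, 17: "b1" * 20, 18: "c1" * 20}
REPORT_TAMPERED = {**REPORT_GOOD, 18: "dd" * 20}   # VMM/kernel measurement changed
REPORT_NO_TXT = {0: "a1" * 20}                     # tboot never ran: PCR 17/18 absent


def parse_pcr_select(hex_mask):
    """PCR_SELECT ('FFFFFF') -> selected PCR indices. Assumption: bit i selects
    PCR i, so FFFFFF selects PCR 0..23 as the slide states."""
    value = int(hex_mask, 16)
    return [i for i in range(24) if (value >> i) & 1]


def parse_alert_mask(csv):
    """ALERT_MASK_CSV ('0,17,18') -> sorted PCR indices that decide trust."""
    return sorted({int(x) for x in csv.split(",") if x.strip()})


def check_config(pcr_select, alert_mask_csv):
    """Alert PCRs that PCR_SELECT leaves out of the report (a misconfiguration:
    such a PCR can never be validated)."""
    selected = set(parse_pcr_select(pcr_select))
    return [p for p in parse_alert_mask(alert_mask_csv) if p not in selected]


def appraise(report_pcrs, whitelist, alert_pcrs):
    """Compare each alert PCR against the white list.
    Returns ('trusted', []) or ('untrusted', [failing PCR indices]).
    A PCR missing from the report counts as failing."""
    good = {}
    for entry in whitelist:
        good.setdefault(entry["PCRindex"], set()).add(entry["PCRvalue"].lower())
    failing = []
    for idx in alert_pcrs:
        measured = report_pcrs.get(idx)
        if measured is None or measured.lower() not in good.get(idx, set()):
            failing.append(idx)
    return ("trusted" if not failing else "untrusted"), failing


def appraise_host(report_pcrs, whitelist, pcr_select="FFFFFF",
                  alert_mask_csv="0,17,18"):
    """Tie the two OAT.properties settings to the appraisal of one report."""
    dropped = check_config(pcr_select, alert_mask_csv)
    if dropped:
        raise ValueError("ALERT_MASK_CSV PCRs not in PCR_SELECT: %s" % dropped)
    return appraise(report_pcrs, whitelist, parse_alert_mask(alert_mask_csv))


if __name__ == "__main__":
    for name, report in [("good", REPORT_GOOD), ("tampered", REPORT_TAMPERED),
                         ("no tboot", REPORT_NO_TXT)]:
        print(name, appraise_host(report, WHITELIST))
```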

Configure Nova Controller

     /etc/nova/nova.conf
      [DEFAULT]
      compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
      scheduler_default_filters=TrustedFilter
      [trusted_computing]
      server=aa.bb.com            --- attestation server host name
      server_ca_file=/a/b/c.cer   --- attestation server cert file for identity verification
      port=8443                   --- attestation server port
      api_url=/OpenAttestationWebServices/V1.0
                                  --- attestation web API URL
      auth_blob=xxxx              --- attestation authorization blob - optional

     Note that scheduler_default_filters replaces the default filter list, so
     the standard filters (e.g. RamFilter, ComputeFilter) must be listed next to
     TrustedFilter if they are still wanted.

Summary

     The Trusted Pools feature in OpenStack was implemented and pushed into
        Nova for the next Folsom release.

     The implementation is based on the Query API of attestation services
       deployed using the SDK provided by the OpenAttestation (OAT) project.

     It is strongly recommended to enable Trusted Boot (tboot) on each
          compute node, so that Intel TXT technology brings OS/VMM integrity
          into the host trust level judgment.

     Call for Action:
     • Try the Trusted Pools capability and look for opportunities for
       optimization.

Notices and Disclaimers

     INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS.
        NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY
        INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS
        PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL
        ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED
        WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY
        OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE,
        MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER
        INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN
        MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.
     Intel may make changes to specifications and product descriptions at any time, without notice.

     All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without
           notice.

     Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause
           the product to deviate from published specifications. Current characterized errata are available on request.

     Intel, and Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
           and other countries.

     *Other names and brands may be claimed as the property of others.

     Copyright © 2012 Intel Corporation. All rights are protected.

Pm 02 track1-- 魏刚--osac-trusted-computing-pools-in-folsom-v2
OAuth2 on Ericsson Labs
 
apiGrove
apiGroveapiGrove
apiGrove
 
How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...How to Use the CA Application Performance Management Command Center for Appli...
How to Use the CA Application Performance Management Command Center for Appli...
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
 
Qualipso factory
Qualipso factoryQualipso factory
Qualipso factory
 
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
 
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
 
Webinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECTWebinar: Embracing REST APIs through APPSeCONNECT
Webinar: Embracing REST APIs through APPSeCONNECT
 
Productivity Acceleration Tools for SOA Testers
Productivity Acceleration Tools for SOA TestersProductivity Acceleration Tools for SOA Testers
Productivity Acceleration Tools for SOA Testers
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
 
REST API 20.2 - Appworks Gateway Integration.pptx
REST API 20.2 - Appworks Gateway Integration.pptxREST API 20.2 - Appworks Gateway Integration.pptx
REST API 20.2 - Appworks Gateway Integration.pptx
 
Enterprise Security & SSO
Enterprise Security & SSOEnterprise Security & SSO
Enterprise Security & SSO
 
59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
 
IdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureIdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual Infrastructure
 
API World 2013 - Transforming the Netflix API
API World 2013 - Transforming the Netflix APIAPI World 2013 - Transforming the Netflix API
API World 2013 - Transforming the Netflix API
 
AWS 고객사를 위한 ‘AWS 컨테이너 교육’ - 유재석, AWS 솔루션즈 아키텍트
AWS 고객사를 위한 ‘AWS 컨테이너 교육’ - 유재석, AWS 솔루션즈 아키텍트AWS 고객사를 위한 ‘AWS 컨테이너 교육’ - 유재석, AWS 솔루션즈 아키텍트
AWS 고객사를 위한 ‘AWS 컨테이너 교육’ - 유재석, AWS 솔루션즈 아키텍트
 
Hands-On Lab: Application Performance Management Command Center: Automate Mon...
Hands-On Lab: Application Performance Management Command Center: Automate Mon...Hands-On Lab: Application Performance Management Command Center: Automate Mon...
Hands-On Lab: Application Performance Management Command Center: Automate Mon...
 

Mais de OpenCity Community

Mais de OpenCity Community (20)

开源讲义.pdf
开源讲义.pdf开源讲义.pdf
开源讲义.pdf
 
物联网操作系统漫谈-GIAC大会.pdf
物联网操作系统漫谈-GIAC大会.pdf物联网操作系统漫谈-GIAC大会.pdf
物联网操作系统漫谈-GIAC大会.pdf
 
2017开源年会-企业开源那些事儿-更新.pdf
2017开源年会-企业开源那些事儿-更新.pdf2017开源年会-企业开源那些事儿-更新.pdf
2017开源年会-企业开源那些事儿-更新.pdf
 
社会化研发
社会化研发社会化研发
社会化研发
 
Containers & CaaS
Containers & CaaSContainers & CaaS
Containers & CaaS
 
OaaS:Open as a Strategy
OaaS:Open as a StrategyOaaS:Open as a Strategy
OaaS:Open as a Strategy
 
Hello openstack 2014
Hello openstack 2014Hello openstack 2014
Hello openstack 2014
 
Docker openstack-2014
Docker openstack-2014Docker openstack-2014
Docker openstack-2014
 
Learn OpenStack from trystack.cn
Learn OpenStack from trystack.cnLearn OpenStack from trystack.cn
Learn OpenStack from trystack.cn
 
OpenStack系列公开课2 -20130508
OpenStack系列公开课2 -20130508OpenStack系列公开课2 -20130508
OpenStack系列公开课2 -20130508
 
OpenStack ecosystem
OpenStack ecosystemOpenStack ecosystem
OpenStack ecosystem
 
How to master OpenStack in 2 hours
How to master OpenStack in 2 hoursHow to master OpenStack in 2 hours
How to master OpenStack in 2 hours
 
Learn OpenStack from trystack.cn ——Folsom in practice
Learn OpenStack from trystack.cn  ——Folsom in practiceLearn OpenStack from trystack.cn  ——Folsom in practice
Learn OpenStack from trystack.cn ——Folsom in practice
 
Quantum Networks
Quantum NetworksQuantum Networks
Quantum Networks
 
云计算思考
云计算思考云计算思考
云计算思考
 
Openstorage Openstack
Openstorage OpenstackOpenstorage Openstack
Openstorage Openstack
 
Openstack的研究与实践
Openstack的研究与实践Openstack的研究与实践
Openstack的研究与实践
 
Open Stack Cheng Du Swift Alex Yang
Open Stack Cheng Du Swift Alex YangOpen Stack Cheng Du Swift Alex Yang
Open Stack Cheng Du Swift Alex Yang
 
Nova与虚拟机管理
Nova与虚拟机管理Nova与虚拟机管理
Nova与虚拟机管理
 
Look Into Libvirt Osier Yang
Look Into Libvirt Osier YangLook Into Libvirt Osier Yang
Look Into Libvirt Osier Yang
 

Último

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Pm 02 track1-- 魏刚--osac-trusted-computing-pools-in-folsom-v2

  • 1. Using New Trusted Pools Capability in Folsom Release Gang Wei
  • 2. Agenda
    Trusted Pools
      • Concept
      • Implementation & Usage
    Trusted Launch with Trusted Boot (Tboot)
    Remote Attestation with OpenAttestation (OAT)
    More on Trusted Pools
      • Patches
      • Deployment & Configuration
    Summary
  • 3. Trusted Pools - Concept
    Trusted Pools is also called
      • Trusted Computing Pools (TCP)
    Trusted Pools relies on:
      • Trusted Launch
      • Remote Attestation
    [Figure; text recovered from the diagram]
      Trusted Pools: Control VMs based on platform trust to better protect data
      Trusted Launch: Verified platform integrity reduces malware threat
      Compliance: Hardware support for compliance reporting enhances auditability of the cloud environment
  • 4. Trusted Pools - Implementation
    [Architecture diagram; text recovered from the figure]
      User specifies (flavor / extra specs): Mem > 2G, Disk > 50G, GPGPU=Intel, trusted_host=trusted
      OpenStack flow: Create VM request via EC2 API or OSAPI → Scheduler with TrustedFilter → Query the Attestation Server → Report: trusted / untrusted → Create the VM on a Tboot-enabled host
      Compute host stack: HW/TXT → Hypervisor / tboot → OS → Host agent → Apps
      OAT-based attestation service: Query API, Host Agent API, Privacy CA, Appraiser, Whitelist API, Whitelist DB
  • 5. Using Trusted Pools
    Create a trusted flavor (instance type)
      • Create a new flavor 'm1.trusted'
      • Add a 'trusted_host=trusted' property in the flavor extra specs
    Create a trusted instance
      • Issue a request to start a new instance and specify a trusted flavor like 'm1.trusted'
      • The filter scheduler calls the trusted filter for each node in the system.
      • The trusted filter queries the attestation service to get the trust level of each of those nodes.
      • Only nodes whose trust level is 'trusted' are schedulable; all others are ignored.
  • 6. Agenda (section divider; same agenda as slide 2)
  • 7. Intel® Trusted Execution Technology (TXT)
    Trusted Execution Technology extensions for measured launch & memory protection
    [Platform diagram; text recovered from the figure]
      • CPU (SMX): Processor contains hardware to authenticate AC Modules and perform measurements
      • 3rd party Trusted Platform Module (TPM): stores and reports trusted environment measurements
      • Chipset (VT-d): chipset feature blocks device access (e.g. DMA) to protected memory pages
      • BIOS / Flash: BIOS AC Module and platform initialization
      • 3rd party Software: VMM/OS uses TXT mechanisms to establish a measured launch environment
      • Intel Authenticated Software: SINIT AC Module, BIOS AC Module
  • 8. Trusted Boot (Tboot) Project
    http://sourceforge.net/projects/tboot
    Open source, pre-kernel/VMM module, BSD licensed
    Uses Intel TXT to perform verified launch of OS kernel/VMM
      • Supports ELF and Linux file formats
      • Extends LCP to verify VMM / kernel
    Mercurial repo: http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
    Project also contains tools for policy creation and provisioning
      • Intel TXT Launch Control Policy (LCP)
      • Tboot Verified Launch policy
    Distributions containing tboot package (Xen 3.4+, Linux 2.6.35+):
      • Fedora 14+, RHEL 6.1+, SLE11 SP2, Ubuntu 11.10+
  • 9. Trusted Launch with Tboot
    [Timeline diagram; text recovered from the figure]
    Bootstrap Processor (BSP), in time order:
      BIOS starts, loads bootloader
      → GRUB loads tboot + VMM / kernel + SINIT
      → tboot pre-launch: verify & prepare
      → TXT SENTER (all threads participating)
      → SINIT starts; extends PCR 17
      → tboot post-launch: extends PCR 18; starts SMP bringup
      → VMM / kernel starts; extends PCR 17/18/19/…
    Application Processors (AP):
      BIOS puts APs in wait-for-SIPI
      → SENTER event
      → tboot AP wakes and starts APs
      → All threads join VMM / kernel boot ops
    * PCR – Platform Configuration Register in TPM
  • 10. Agenda (section divider; same agenda as slide 2)
  • 11. OpenAttestation Project
    https://github.com/OpenAttestation/OpenAttestation.git
    SDK for managing host integrity verification using the Trusted Computing Group (TCG) defined remote attestation protocol
      • Targeted at cloud and enterprise management tools
    Key features:
      • Supports major Linux host OS's
      • PCR-based report schema and policy rules
      • RESTful based Query API
      • Reference web portal/GUI implementation
        – Historical PCR data tracking/comparison
        – Whitelist management (* Whitelist – known good PCR values)
      • Flexible access control to attestation server
        – Supports Tomcat 2-way SSL/TLS for Query APIs
        – Hook for ISVs to implement custom access control
  • 12. SDK Architecture
    Code base is from National Information Assurance Research Lab (NIARL) of NSA
      – Privacy Certificate Authority (Privacy CA), Appraiser, Host Agent are Java
      – Host Agent accesses TPM through TrouSerS
    [Architecture diagram; text recovered from the figure]
      Attestation Server (Tomcat): Query API, Host Agent API, Privacy CA, Appraiser, Whitelist API, DB (mysql) with hosts table and whitelist table (via Hibernate)
      Host: Apps on OS, Host agent, Hypervisor / tboot, HW/TXT
      SDK Components: Installation and provisioning scripts, Portal reference code
  • 13. An Example for Query
    Synchronously request host state from server
      • Post and wait for the hosts' trustworthiness to return

    Request:
      POST OpenAttestationWebServices/V1.0/PollHosts
      Host: Attestation.ras.com:8443
      Content-Type: application/json
      Accept: application/json
      Auth_blob: authenticationBlob
      Content-length: 39

      {
        "count": 1,
        "hosts": ["host1.compute.com"]
      }

    Response:
      HTTP/1.1 200 OK
      Server: BaseHTTP/0.3 Python/2.7.1+
      Date: Wed, 24 Aug 2011 03:19:56 GMT
      Content-Type: application/json
      Content-length: 112

      {
        "count": 1,
        "hosts": [{"host_name": "host1.compute.com",
                   "trust_lvl": "trusted",
                   "vtime": "Wed Aug 24 03:19:56 2011"}]
      }
  • 14. Query API – Query Hosts' Trust State
    POST https://server/PostHosts
      Input: Auth_blob, SelectedPCRs bitmask, {HostNames…}
      Output: RequestId
      Comment: Request to Attestation server for Hosts' trust state and selected PCR values asynchronously
    GET https://server/PostedHosts
      Input: Auth_blob, RequestId
      Output: Hosts' trust state data & Selected PCR values
      Comment: Retrieve previously posted result
    POST https://server/PollHosts
      Input: Auth_blob, SelectedPCRs bitmask, {HostNames…}
      Output: Hosts' trust state data & Selected PCR values
      Comment: Poll and wait for Attestation server to retrieve Hosts' trust state and selected PCR values synchronously
    • HTTPS Query API access control, set up and operated by the Cloud Provider, is through the Tomcat Truststore, verifying both Server and Client Certificates
    • ISV specific Auth_blob is included in all request headers
      • Opaque to Attestation SDK
      • ISV to implement authentication hook per its access control requirement
  • 15. WhiteList Data API – Add/Delete good/known WhiteList entries
    PUT /PCR (PCRindex, PCRvalue, PCRdesc)
      Output: Entry Index
      Comment: Create a new PCR entry for update
    UPDATE /PCR?Index=n
      Output: N/A
      Comment: Update specific entry data
    DELETE /PCR?Index=n
      Output: N/A
      Comment: Delete specific entry data
    GET /PCR
      Output: PCRindex, PCRvalue, PCRdesc entries
      Comment: Display all the entries
    GET /PCR?Index=n
      Output: PCRindex, PCRvalue, PCRdesc
      Comment: Retrieve a specific entry
    GET /PCR?PCRindex=n
      Output: PCRindex, PCRvalue, PCRdesc entries
      Comment: Retrieve all the entries w/ PCRindex=n
    GET /PCR?PCRdesc=desc
      Output: PCRindex, PCRvalue, PCRdesc entries
      Comment: Retrieve all the entries w/ PCRdesc=description
    GET /PCR?PCRindex=n&PCRdesc=desc
      Output: PCRindex, PCRvalue, PCRdesc
      Comment: Retrieve the entry with matched specification
    HTTPS access with both Server and Client Certificates verified through Tomcat Truststore
    ISV specific Auth_blob included in all request headers
      • ISV to implement verification hook per access control requirement
  • 16. Attestation Flow in OpenAttestation – HostAgent to Server
    [Sequence diagram between Attesting Host and Appraiser; text recovered from the figure]
    Appraiser: Request appraisal
      * Create random nonce and get PCR_SELECT mask
    Appraiser → Host: Send Nonce and requested PCRs
    Host: Load AIK
    Host: TPM Quote = Sign(Requested PCRs, Nonce) with AIKpriv
    Host → Appraiser: HostName, Quote
    Appraiser:
      * Retrieve AIK Certificate based on HostName
      * Verify AIK Certificate based on PrivacyCA.cert
      * Verify Quote signature through AIK Cert
      * Verify HostName and nonce
      * Validate PCR
    * AIK – Attestation Identity Key
  • 17. Agenda (section divider; same agenda as slide 2)
  • 18. TrustedFilter
    commit 14c01e09b68b367d708c6ddd6f3d4e440687727c
    Author: Don Dugger <donald.d.dugger@intel.com>
    Date: Tue May 8 18:30:57 2012 -0600
        Add scheduler filter for trustedness of a host
        Implements blueprint trusted-computing-pools
    TrustedFilter
      • Selects the current host as a candidate if
        – the trusted_host property does not exist, or
        – the trusted_host property has the same value as the trust level of the current host obtained via AttestationService
    AttestationService
      • Provides an access wrapper to the attestation server to get the integrity report.
  • 19. Set Flavor Extra Specs
    commit 8644584eb6daf4d2870cee9bba5b849bc37e36d0
    Author: Yunhong, Jiang <yunhong.jiang@intel.com>
    Date: Wed Jul 18 14:32:36 2012 +0800
        Enhance nova-manage to set flavor extra specs
        blueprint update-flavor-key-value
    TrustedFilter requires a 'trusted_host' property in the flavor extra specs
    4 ways to set flavor extra specs:
      • Access the database directly
        – mysql -u$MYSQL_USER -p$MYSQL_PASSWORD nova -e 'insert into instance_type_extra_specs (`deleted`,`instance_type_id`,`key`,`value`) values (0,6,"trusted_host","trusted");'
      • Enhance nova-manage to set flavor extra specs
        – nova-manage instance_type add_key m1.trusted trusted_host trusted
      • Enhance nova-client to set flavor extra specs
      • Enhance Dashboard (Horizon) to set flavor extra specs
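Added example (my code, not nova's or OAT's) tying slide 13 to slide 18: the PollHosts request is built and its JSON reply parsed into host → trust_lvl, and the TrustedFilter rule is applied to that map. The attestation server is a constructed in-memory stand-in, the class and method names are mine, and a host the server does not report is treated as not matching any requested level.

```python
import json

API_URL = "/OpenAttestationWebServices/V1.0"   # api_url as in the nova.conf on slide 25

# Constructed stand-in for the OAT attestation server: host_name -> trust level.
FAKE_SERVER_STATE = {
    "host1.compute.com": "trusted",
    "host2.compute.com": "untrusted",
}


def fake_attestation_server(path, headers, body_str):
    """Answers POST .../PollHosts in the shape of the slide-13 response.
    Hosts the server has never seen are left out of the reply (constructed behaviour)."""
    if path != API_URL + "/PollHosts":
        raise ValueError("unexpected path " + path)
    if "Auth_blob" not in headers:
        raise PermissionError("missing Auth_blob header")
    request = json.loads(body_str)
    hosts = [
        {"host_name": h, "trust_lvl": FAKE_SERVER_STATE[h],
         "vtime": "Wed Aug 24 03:19:56 2011"}
        for h in request["hosts"] if h in FAKE_SERVER_STATE
    ]
    return json.dumps({"count": len(hosts), "hosts": hosts})


class AttestationService:
    """Access wrapper for the Query API (slide 14). The HTTP transport is injected as a
    callable (path, headers, body) -> response body, so the example runs offline."""

    def __init__(self, transport, auth_blob="authenticationBlob"):
        self._transport = transport
        self._auth_blob = auth_blob

    def build_poll_request(self, host_names):
        """Request half of the slide-13 exchange: synchronous PollHosts."""
        headers = {
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Auth_blob": self._auth_blob,      # ISV-specific, opaque to the SDK
        }
        body = {"count": len(host_names), "hosts": list(host_names)}
        return API_URL + "/PollHosts", headers, json.dumps(body)

    @staticmethod
    def parse_poll_response(body_str):
        """Response half: map host_name -> trust_lvl. A host absent from the reply
        gets no entry, so a caller cannot mistake 'no answer' for 'trusted'."""
        body = json.loads(body_str)
        hosts = body.get("hosts", [])
        if body.get("count") != len(hosts):
            raise ValueError("count does not match the hosts list")
        return {h["host_name"]: h["trust_lvl"] for h in hosts}

    def do_attestation(self, host_names):
        path, headers, body = self.build_poll_request(host_names)
        return self.parse_poll_response(self._transport(path, headers, body))


class TrustedFilter:
    """Slide-18 rule: a host is a candidate if the flavor extra specs carry no
    trusted_host key, or its value equals the host's attested trust level."""

    def __init__(self, attestation_service):
        self._service = attestation_service

    def host_passes(self, host_name, extra_specs):
        wanted = extra_specs.get("trusted_host")
        if wanted is None:
            return True                        # flavor does not ask for trust
        levels = self._service.do_attestation([host_name])
        # An unattested host never matches a requested level (fail closed).
        return levels.get(host_name) == wanted

    def filter_hosts(self, host_names, extra_specs):
        """Same rule over a candidate list, with one PollHosts round trip."""
        wanted = extra_specs.get("trusted_host")
        if wanted is None:
            return list(host_names)
        levels = self._service.do_attestation(host_names)
        return [h for h in host_names if levels.get(h) == wanted]


if __name__ == "__main__":
    f = TrustedFilter(AttestationService(fake_attestation_server))
    candidates = ["host1.compute.com", "host2.compute.com", "host3.compute.com"]
    print(f.filter_hosts(candidates, {"trusted_host": "trusted"}))  # ['host1.compute.com']
    print(f.filter_hosts(candidates, {}))                           # all three candidates
```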
  • 20. Trusted Pools Deployment & Configuration
    Steps:
      • Deploy normal Nova controller & compute nodes
      • Deploy OAT based attestation service
      • Enable TPM & TXT in BIOS on compute nodes
      • Install Host Agent on compute nodes
      • Install tboot and enable trusted launch on compute nodes
      • Configure attestation service and provision White List
      • Configure Nova controller for Trusted Pools
  • 21. Deploy OAT Based Attestation Service
    Future approach: Install package(s) shipped with Linux distributions
    Current approach: Build and install from source code.
      • Build: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Build.pdf
        – Build system could be Ubuntu/SuSE/Fedora/RHEL
        – Download & install required tools/libraries
        – Build package with scripts
      • Install: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
        – Supports Ubuntu/SuSE/Fedora/RHEL
        – Install required modules
        – Install the package generated in the previous step
        – Verify by accessing http://localhost/OAT/ in a browser
  • 22. Install Host Agent
    System must have a TPM 1.2 compliant device with driver installed, and TPM/TXT enabled in BIOS.
    Steps: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
      • Install dependent packages
      • Download Client Installation Package from OAT server:
        – http://<server.domain>/ClientInstaller.html
      • Unzip & run general-install.sh to install the package
      • Verify the Host Agent is registered into OAT service
        – http://<server.domain>/OAT/reports.php
      • There are hints for how to set up two-way SSL/TLS auth
  • 23. Install Tboot and Enable Trusted Launch
    Install with the tboot package in Linux distributions
      • For Ubuntu 12.04: apt-get install tboot
      • For Fedora 17/RHEL 6.3/SLES 11 SP2: yum install tboot, then manually change grub.conf or .cfg
    Install from source
      • Get source code from either the upstream repo or the released src package on sourceforge
      • Install trousers/trousers-devel/libtsp package
      • make and make install with root privilege
      • Change grub.conf or .cfg
    Refer to the README of the tboot project for more information
  • 24. Configure Attestation Service & Provision White List
    Service Configuration: https://github.com/OpenAttestation/OpenAttestation/raw/master/docs/Installation.pdf
      • in /usr/lib/apache-tomcat-6.0.29/webapps/HisWebServices/WEB-INF/classes/OAT.properties
        – PCR_SELECT=FFFFFF --- Include pcr 0~23 in integrity reports
        – ALERT_MASK_CSV=0,17,18 --- Verify PCR0, 17, 18 to report trust level
    White List provisioning:
      • Get desired PCR values for the PCRs specified in ALERT_MASK_CSV
      • Create White List entry
        – With Admin Console https://<server.domain>:8443/OpenAttestationAdminConsole/PCRManifest.jsp
        – Or via invoking the White List API through an app or tools like curl
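Added example (my code, not tboot's or OAT's) that puts together the TPM 1.2 extend rule behind the PCR 17/18 extensions on slide 9, whitelist rows of the slide-15 shape, the appraiser's "Validate PCR" step from slide 16 and the PCR_SELECT / ALERT_MASK_CSV settings above, so that a host whose VMM/kernel differs from the whitelisted image comes out "untrusted". The boot sequence, measurements and whitelist values are constructed sample data, and reading PCR_SELECT as a bitmask with bit i selecting PCR i is my assumption.

```python
import hashlib

NUM_PCRS = 24                  # TPM 1.2 has PCR 0..23 (PCR_SELECT=FFFFFF covers all of them)
ZERO_PCR = b"\x00" * 20        # SHA-1 sized; PCR 17/18 are reset to zero at SENTER


def measure(data: bytes) -> bytes:
    """Software measurement of a component: its SHA-1 digest."""
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 TPM_Extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_pcr_select(mask_hex: str) -> set:
    """PCR_SELECT=FFFFFF -> {0..23}; bit i selects PCR i (assumption, see lead-in)."""
    mask = int(mask_hex, 16)
    return {i for i in range(NUM_PCRS) if (mask >> i) & 1}


def parse_alert_mask(csv: str) -> set:
    """ALERT_MASK_CSV=0,17,18 -> {0, 17, 18}: the PCRs that decide the trust level."""
    return {int(x) for x in csv.split(",") if x.strip()}


def simulate_trusted_launch(bios: bytes, sinit: bytes, vmm_kernel: bytes) -> dict:
    """Constructed PCR report for one host, following the slide-9 timeline:
    BIOS extends PCR 0; after SENTER, SINIT extends PCR 17; tboot extends PCR 18
    with the VMM/kernel it verified. (Real SINIT/tboot extend several values per
    PCR; one per PCR is enough to show the mechanics.)"""
    pcrs = {i: ZERO_PCR for i in range(NUM_PCRS)}
    pcrs[0] = pcr_extend(pcrs[0], measure(bios))
    pcrs[17] = pcr_extend(pcrs[17], measure(sinit))
    pcrs[18] = pcr_extend(pcrs[18], measure(vmm_kernel))
    return pcrs


def whitelist_lookup(entries) -> dict:
    """Index whitelist rows (PCRindex, PCRvalue, PCRdesc) by PCR index; several
    known-good values per index are allowed, as GET /PCR?PCRindex=n can return many."""
    good = {}
    for e in entries:
        good.setdefault(e["PCRindex"], set()).add(bytes.fromhex(e["PCRvalue"]))
    return good


def appraise(report, whitelist_entries, alert_pcrs, selected_pcrs):
    """Appraiser 'Validate PCR' step: every PCR in ALERT_MASK_CSV must be covered
    by PCR_SELECT, present in the report and equal one whitelisted value.
    Returns (trust_lvl, reasons); reasons is empty when trusted."""
    good = whitelist_lookup(whitelist_entries)
    reasons = []
    for idx in sorted(alert_pcrs):
        if idx not in selected_pcrs or idx not in report:
            reasons.append(f"PCR{idx} not reported")
        elif idx not in good:
            reasons.append(f"PCR{idx} has no whitelist entry")
        elif report[idx] not in good[idx]:
            reasons.append(f"PCR{idx} mismatch: {report[idx].hex()}")
    return ("trusted" if not reasons else "untrusted"), reasons


# Constructed sample data: the known-good images, and the whitelist derived from them.
GOOD_BIOS, GOOD_SINIT, GOOD_KERNEL = b"bios-1.0", b"SINIT-ACM", b"xen-4.1+dom0-kernel"
GOLDEN = simulate_trusted_launch(GOOD_BIOS, GOOD_SINIT, GOOD_KERNEL)
WHITELIST = [
    {"PCRindex": i, "PCRvalue": GOLDEN[i].hex(), "PCRdesc": d}
    for i, d in ((0, "BIOS 1.0"), (17, "SINIT ACM"), (18, "tboot + Xen 4.1"))
]
SELECTED = parse_pcr_select("FFFFFF")
ALERT = parse_alert_mask("0,17,18")


def appraise_host(vmm_kernel: bytes):
    """Boot a host with the given VMM/kernel image and appraise it against the whitelist."""
    report = simulate_trusted_launch(GOOD_BIOS, GOOD_SINIT, vmm_kernel)
    return appraise(report, WHITELIST, ALERT, SELECTED)


if __name__ == "__main__":
    print(appraise_host(GOOD_KERNEL))                 # ('trusted', [])
    print(appraise_host(b"xen-4.1+patched-kernel"))   # ('untrusted', ['PCR18 mismatch: ...'])
```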
  • 25. Configure Nova Controller
    /etc/nova/nova.conf
      [default]
      compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
      scheduler_default_filters=TrustedFilter
      [trusted_computing]
      server=aa.bb.com                           --- attestation server http
      server_ca_file=/a/b/c.cer                  --- attestation server Cert file for Identity verification
      port=8443                                  --- attestation server port
      api_url=/OpenAttestationWebServices/V1.0   --- attestation web API URL
      auth_blob=xxxx                             --- attestation authorization blob - optional
  • 26. Agenda (section divider; same agenda as slide 2)
  • 27. Summary
    The Trusted Pools feature in OpenStack has been implemented and pushed into Nova for the upcoming Folsom release.
    The implementation is based on the Query API of attestation services deployed using the SDK provided by the OpenAttestation (OAT) project.
    It is strongly recommended to enable Trusted Boot (tboot) on each compute node, so that Intel TXT can bring OS/VMM integrity into the host trust level judgment.
    Call for Action:
      • Try the Trusted Pools capability and look for opportunities for optimization.
  • 28. Notices and Disclaimers
    INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.
    Intel may make changes to specifications and product descriptions at any time, without notice. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
    Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
    Intel, and Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
    *Other names and brands may be claimed as the property of others.
    Copyright © 2012 Intel Corporation. All rights are protected.