OpenStack Summit May 2015 Vancouver has ended
Monday, May 18 • 2:00pm - 2:40pm
Using TPMs for the benefit of the entire cloud


Many cloud deployments include hardware with a Trusted Platform Module (or TPM), but in most cases this is entirely unused. Support for using the TPM to provide remote attestation has been merged into OpenStack in the form of Trusted Compute Pools, allowing admins to configure clouds to detect systems that have booted untrusted code and block guests from being scheduled on them.

But, while important, protecting against the initial booting of untrusted code isn't the only thing TPMs can be used for - or, perhaps, not even the most interesting. Clouds need a good source of random numbers. Clouds need to be able to store secrets securely. And clouds need to provide guarantees that someone wandering off with one disk from a RAID array doesn't obtain sensitive customer data in the process.

This presentation will cover mechanisms for using a TPM to provide additional security for the whole cloud. It will describe integration of TPMs with disk encryption, allowing for improved security of user data. It will explain integration of TPMs with Barbican, allowing for Hardware Security Module-like functionality without additional hardware cost. And it will discuss how TPMs can be used as either the primary source of entropy for clouds or as a mechanism for reducing the impact of a trusted but backdoored random number generator.


Matthew Garrett

Principal Security Software Engineer, CoreOS
Matthew Garrett is a security developer at CoreOS, specialising in the areas where software starts knowing a little more about hardware than you'd like. He implemented much of Linux's support for UEFI Secure Boot, does things with TPMs and has found more bugs in system firmware than...

Monday May 18, 2015 2:00pm - 2:40pm PDT
Room 211
