cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Devdeep Singh <>
Subject RE: [DISCUSS]Support for intel TXT technology
Date Mon, 13 May 2013 06:29:00 GMT
Hi Manasa,

My comments are inline.


> -----Original Message-----
> From: Manasa Veloori (3P) []
> Sent: Wednesday, May 08, 2013 5:16 PM
> To:
> Subject: [DISCUSS]Support for intel TXT technology
> Hi All,
> Just as a continuation on the discuss regarding the support of Intel TXT  for
> cloud stack....I have few questions
> 1.      Suppose we have the xenserver6.0 host running the trust agent and it is
> registered with attestation server  and now if we want to  upgrade it to
> XenServer does attestation server handle this situation....?
[Devdeep]  If a hypervisor is upgraded, the host will have to be re-registered with the attestation

> 2.      Suppose I have a host which is not registered with attestation server and
> as a admin I have changed the tag of the host to 'Trusted-host'(default tag for
> trusted host).Now when I am trying to register the host how will the
> attestation server handle.
[Devdeep] Tags are a cloudstack concept and the attestation server isn't aware of it. Even
if a host is tagged, when cloudstack connects to a host it checks with the attestation server
if the host is trusted or not. If the host is found to be untrusted any 'Trusted-host' tag
(or any other tag if the default has been updated) is removed from the host. If the host is
found to be trusted it is tagged appropriately.
> 3.      If trust agent is not running in the host and we added that host to the
> registered zone........will it throw any exception.
[Devdeep] If a trust agent isn't running on the host the trust assertions can be established
for the host and the host will not be tagged as trusted host.

> 4.      Do we have to explicitly register the host with attestation server prior to
> adding it to cloud stack or will it automatically gets registered when we add
> host to CloudStack.
[Devdeep] The host will not be automatically registered with the attestation server. It have
will have registered with the registerHostWithAttestionServer api after it has added to cloudstack.

> 5.      How CloudStack handles the situation when attestation server goes down
> i.e., CloudStack already have some trusted hosts and  now the user wants to
> deploy an instance in trusted host but the attestation server is down.
[Devdeep] CloudStack checks with the attestation server whether a host is trusted or not only
when it connects with the host. If a host is trusted it is tagged accordingly. When a deploy
vm request is handled, cloudstack doesn't check again with the attestation server. The tags
on the host are used for servicing the deploy vm on trusted host request.
> Thanks,
> Manasa

View raw message