Red Hat Bugzilla – Bug 978631
[Docs] [RFE] Give more in depth details on Trusted Compute Pools feature based on OpenAttestation
Last modified: 2017-05-11 07:49:53 EDT
Will need to append vm parameters and example.
+++ This bug was initially created as a clone of Bug #977165 +++
+++ This bug was initially created as a clone of Bug #929057 +++
Information about "Trusted Compute Pools" should be included in the RHEV Docs Suite.
Please include the Trusted Compute Pools feature once it get upstreamed into oVirt.
- the link to the patch(es) in gerrit
- the oVirt wiki page link
- QA issue
Intel will QA this feature, once it is available in downstream RHEV.
The material on the oVirt wiki is here:
Much of the information there will be used in the docs. This is a major addition to the docs suite.
From what I can tell, the relevant bit is here:
Create a trusted cluster via restful API, curl command may like this.
curl -v -u "admin@internal:abc123" -H "Content-type: application/xml" -d '<cluster><name>my_trust_cluster</name><data_center><name>"Default"</name></data_center> <version minor="2" major="3"/> <cpu id="Intel SandyBridge Family"/><trusted_service>true</trusted_service></cluster>' 'http://engine.***.com:80/api/clusters'
Key relevant modification includes api.xsd and ClusterMapper.java.
I have changed this bug to 3.4 and made it into a feature bug.
The material in Comment 2 above should go into the REST API or Developer Guide (both of which are now in the 3.4 Technical Guide). Attention aburden.
There is also a lot of content in the link on the oVirt Wiki that should be in the Administration Guide, and I will begin performing the work on that now.
Created the following topic:
Creating a Trusted Cluster 
Created the following topic:
Adding a Trusted Host 
I have added the two topics above to the 3.4 Administration Guide.
Tasks that remain:
1. Add the curl command for creating a trusted cluster to the REST
API portion of the Technical Guide. (probably a job for aburden)
2. Write some overview material about OAT (OpenAttestation) and its
relationship to Intel TXT (Trusted Execution Technology).
3. Explain that trusted hosts behave like untrusted hosts once they have
made contact with the OAT servers.
*** Bug 977165 has been marked as a duplicate of this bug. ***
Tim Hildred, from BZ#977165:
From email conversations about this bug with Doron:
"The integration with OAT requires using the config utility in order
to update the relevant information, the same way we do with the
manage-domains. So the user should be using engine-config instead
of manually updating the DB. What we need to document is the relevant
~3-4 keys and what they mean, as well as the meaning of the checkbox
we have in the UI. What we can do, is possibly add a tooltip with
a question mark in the UI which will indicate that this requires
Here are the values that have to be added to the table of rhevm-config values:
SecureConnectionWithOATServers default value: true
PollUri default value: "AttestationService/resources/PollHosts" Comment: this is determined by the OAT installation.
AttestationTruststore default value: TrustStore.jks.
AttestationPort default value: 8443
AttestationServer default value: "".
Adding missing entries;
AttestationTruststorePass: "The password used to access trust store" (Value Type: String) default value: "password".
AttestationFirstStageSize: "Attestation size for first stage" (Value Type: Integer) default value: 10. Comment: used for quick initialization. Do not change unless you know why.
Re: Comment 6: "Explain that trusted hosts behave like untrusted hosts once they have made contact with the OAT servers." means that once the host has been verified by the OAT server, it can be manipulated in RHEVM the same way that untrusted hosts are manipulated. It does not mean that they behave like untrusted hosts in that they are not trusted.
this is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to
- 3.6.1 if severity >= high
- 4.0 if severity < high
Assigning to Tahlia for review.
Tahlia, it looks like this feature is partially documented in the Administration Guide and the REST API Guide. It appears we are missing a procedure for integrating OAT with RHEV using engine-config (parameters explained in Comment 8), and that we need to check the outstanding tasks from Comment 6.
Now available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Trusted_Compute_Pools.html
Content will also be included in the next 4.0 publication.