Bug 978631 - [Docs] [RFE] Give more in depth details on Trusted Compute Pools feature based on OpenAttestation
[Docs] [RFE] Give more in depth details on Trusted Compute Pools feature base...
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ovirt-3.6.8
: ---
Assigned To: Tahlia Richardson
Megan Lewis
: FutureFeature
: 977165 (view as bug list)
Depends On: 929057 977165
Blocks: 978623 978629 978630 978632
  Show dependency treegraph
Reported: 2013-06-26 21:30 EDT by Andrew Burden
Modified: 2017-05-11 07:49 EDT (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 977165
Last Closed: 2016-07-27 20:03:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrew Burden 2013-06-26 21:30:27 EDT
Will need to append vm parameters and example.

+++ This bug was initially created as a clone of Bug #977165 +++

+++ This bug was initially created as a clone of Bug #929057 +++

Information about "Trusted Compute Pools" should be included in the RHEV Docs Suite.

Please include the Trusted Compute Pools feature once it get upstreamed into oVirt.

- the link to the patch(es) in gerrit

- the oVirt wiki page link

- QA issue
Intel will QA this feature, once it is available in downstream RHEV.
Comment 1 Zac Dover 2013-08-18 00:28:33 EDT
The material on the oVirt wiki is here:

Much of the information there will be used in the docs. This is a major addition to the docs suite.
Comment 2 Tim Hildred 2013-10-09 00:14:37 EDT
From what I can tell, the relevant bit is here:

Restful API
Create a trusted cluster via restful API, curl command may like this.

curl -v -u "admin@internal:abc123" -H "Content-type: application/xml" -d '<cluster><name>my_trust_cluster</name><data_center><name>"Default"</name></data_center> <version minor="2" major="3"/> <cpu id="Intel SandyBridge Family"/><trusted_service>true</trusted_service></cluster>' 'http://engine.***.com:80/api/clusters'

Key relevant modification includes api.xsd and ClusterMapper.java.
Comment 3 Zac Dover 2014-04-04 02:02:32 EDT
I have changed this bug to 3.4 and made it into a feature bug.

The material in Comment 2 above should go into the REST API or Developer Guide (both of which are now in the 3.4 Technical Guide). Attention aburden.

There is also a lot of content in the link on the oVirt Wiki that should be in the Administration Guide, and I will begin performing the work on that now.
Comment 4 Zac Dover 2014-04-04 03:56:42 EDT
Created the following topic:
Creating a Trusted Cluster [30328]
Comment 5 Zac Dover 2014-04-04 12:44:43 EDT
Created the following topic:
Adding a Trusted Host [30334]
Comment 6 Zac Dover 2014-04-04 13:05:55 EDT
I have added the two topics above to the 3.4 Administration Guide.

Tasks that remain:

  1. Add the curl command for creating a trusted cluster to the REST
     API portion of the Technical Guide. (probably a job for aburden)

  2. Write some overview material about OAT (OpenAttestation) and its 
     relationship to Intel TXT (Trusted Execution Technology).

  3. Explain that trusted hosts behave like untrusted hosts once they have
     made contact with the OAT servers.
Comment 7 Zac Dover 2014-04-04 13:21:10 EDT
*** Bug 977165 has been marked as a duplicate of this bug. ***
Comment 8 Zac Dover 2014-04-04 13:35:35 EDT
Tim Hildred, from BZ#977165:

From email conversations about this bug with Doron:

"The integration with OAT requires using the config utility in order
to update the relevant information, the same way we do with the
manage-domains. So the user should be using engine-config instead
of manually updating the DB. What we need to document is the relevant
~3-4 keys and what they mean, as well as the meaning of the checkbox
we have in the UI. What we can do, is possibly add a tooltip with
a question mark in the UI which will indicate that this requires
OAT setup."

Here are the values that have to be added to the table of rhevm-config values:

SecureConnectionWithOATServers default value: true
PollUri default value: "AttestationService/resources/PollHosts" Comment: this is determined by the OAT installation.
AttestationTruststore default value: TrustStore.jks.
AttestationPort default value: 8443
AttestationServer default value: "".

Adding missing entries;

AttestationTruststorePass: "The password used to access trust store" (Value Type: String) default value: "password".

AttestationFirstStageSize: "Attestation size for first stage"  (Value Type: Integer) default value: 10. Comment: used for quick initialization. Do not change unless you know why.
Comment 9 Zac Dover 2014-04-05 02:12:13 EDT
Re: Comment 6: "Explain that trusted hosts behave like untrusted hosts once they have made contact with the OAT servers." means that once the host has been verified by the OAT server, it can be manipulated in RHEVM the same way that untrusted hosts are manipulated. It does not mean that they behave like untrusted hosts in that they are not trusted.
Comment 11 Sandro Bonazzola 2015-10-26 08:33:52 EDT
this is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to

- 3.6.1 if severity >= high
- 4.0 if severity < high
Comment 15 Lucy Bopf 2016-05-11 02:53:46 EDT
Assigning to Tahlia for review.

Tahlia, it looks like this feature is partially documented in the Administration Guide and the REST API Guide. It appears we are missing a procedure for integrating OAT with RHEV using engine-config (parameters explained in Comment 8), and that we need to check the outstanding tasks from Comment 6.
Comment 25 Tahlia Richardson 2016-07-27 20:03:12 EDT
Now available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Trusted_Compute_Pools.html
Content will also be included in the next 4.0 publication.

Note You need to log in before you can comment on or make changes to this bug.