summaryrefslogtreecommitdiffstats
path: root/docs/opnfvsecguide/compute/trust.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/opnfvsecguide/compute/trust.rst')
-rw-r--r--docs/opnfvsecguide/compute/trust.rst124
1 files changed, 0 insertions, 124 deletions
diff --git a/docs/opnfvsecguide/compute/trust.rst b/docs/opnfvsecguide/compute/trust.rst
deleted file mode 100644
index 3022e59c0..000000000
--- a/docs/opnfvsecguide/compute/trust.rst
+++ /dev/null
@@ -1,124 +0,0 @@
-Trusted Compute
----------------
-
-Trusted compute is centered on insuring the complete lifecycle of a VM, and
-the VM's underlying infrastructure is of a 'trustful' state.
-
-**Trusted computing in a cloud environment**
-
-To ensure overall security in an OPNFV deployment, both the launch and the
-operation of virtualized resources need to be secure. To build a trusted
-computing in a cloud environment the following core features are essential:
-
-* boot integrity - the hardware platform can guarantee a trustworthy RoT for the overall cloud environment
-* secure management of VMs – to secure the launch and migration of VMs in the cloud environment
-
-In this section we will cover some aspects of what is considered compute
-security, such as secure/trusted boot, although of course these can be
-extended to other actors such as neutron networking nodes.
-
-Secure Boot
-###########
-
-Secure boot, a UEFI-based feature that has become controversial lately,
-ensures that nodes in an OPNFV deployment boot only software that is trusted
-by the admin or end user.
-
-In order to understand the secure boot procedure, we need to explain the related technology
-and specification.
-
-**Unified Extensible Firmware Interface (UEFI)**
-
-UEFI is a specification intended to be the replacement and improvement on the
-old BIOS (Basic Input/Output System).
-
-One UEFI-based feature that has become controversial lately is the secure boot feature.
-
-The UEFI specification is a standard that’s handled by a non-profit organization
-with representatives of Intel, AMD, Microsoft, Apple, Dell, HP, IBM and others,
-called the Unified EFI Forum.
-
-UEFI supports 32 and 64 bit processors and can be used with Itanium, x86,
-x64 and ARM processors.
-
-**Trusted Execution Environment (TEE) vs Trusted Platform Mobile (TPM)**
-
-Two main components of platform security:
-
-* Trusted Execution Environment
-* Trusted Platform Module
-
-These are not designed as a replacement of the other. TEE is the bulletproof
-safe, while TPM is the 128-digit combination lock for the safe. Both are
-needed to ensure the safe is protected.
-
-TPM is a dependency of TEE but not the other way around.
-
-The TPM is where TEE will store the measurements - hash of components - of the platform.
-
-If TEE is not supported by a platform but a TPM is still present you still have
-all these features:
-
-* Integrity measurement – securely measure the platform's components (hashes stored within the TPM)
-
-* Authenticated boot – a process by which a platform's state (the sum of its
- components) is reliably measured and stored
-
-* SRTM - Static Root of Trust for Measurements
-
-* Sealed Storage - encrypt data based on the current state of the platform
- or in other words, what has been measured (the PCR hash values stored in the
- TPM) - seal operation
-
-* Attestation - securely report to other parties the state of the platform
-
-
-Trusted Compute Pools
-#####################
-
-**Trusted Boot**
-
-Trusted boot (tboot) is an open source, pre- kernel/VMM module that uses
-Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured
-and verified launch of an OS kernel/VMM. The root of trust is in the hardware
-and a TPM is required. Compute nodes in an OPNFV deployment boot with Intel
-TXT technology enabled.
-
-Read more about `Trusted Boot <http://www.trustedcomputinggroup.org/resources/trusted_boot>`_ and
-`Trusted Computing. <http://www.trustedcomputinggroup.org/trusted_computing>`_
-
-**Trusted Execution Environments (TEE)**
-
-The Trusted Execution Environment is an isolated execution environment which
-provides higher level of security such as isolated execution, integrity of
-Trusted Applications along with confidentiality of their assets.
-
-**Goals of a Trusted Execution Environments:**
-
-* Isolated Execution
-* Secure Storage
-* Remote Attestation
-* Secure Provisioning
-* Trusted Path
-
-**TEE platforms/implementations**
-
-* Intel’s TXT (Trusted Execution Technology)
-* AMD Secure Execution Environment
-* ARM TrustZone
-
-All three of these TEE implementations provide a virtualized Execution
-Environment for the secure OS and applications.
-
-To switch between the secure world and the normal world, Intel provides SMX
-Instructions, while ARM uses SMC. Programmatically, they all achieve very
-similar results.
-
-Read more about Trusted Execution Environments `here. <http://www.openvirtualization.org/open-source-arm-trustzone.html>`_
-
-`NIST SP800-147 <http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf>`_
-, is a guidelines for firmware security, to ensure that the firmware itself is secure.
-
-Read more about "Trusted compute pools", in the
-`OpenStack Security Guide. <http://docs.openstack.org/admin-guide-cloud/compute-security.html>`_
-