A Shielded VM is a Hyper-V generation 2 VM that has a virtual TPM, is encrypted using BitLocker and can only run on healthy and approved hosts in the fabric. It is protected from inspection, tampering and theft from malicious fabric admins and host malware, guaranteeing the security of the virtual machines running in an OpenStack environment.
Shielded VMs in OpenStack
In order to create a Shielded VM, a signed template and a PDK file containing VM configuration information are required.
Check here how to create a signed template and generate a PDK file.
1) Provide a reference to a Barbican container containing the PDK file.
PDKUtil stores a PDK file to a Barbican container. Install PDKUtil:
```bash
pip install pdkutil
```
PDKUtil uses Keystone for identity management. Credentials and endpoints must be provided via environment variables or command line parameters in the same way supported by most OpenStack command line interface (CLI) tools, e.g.:
```bash
export OS_AUTH_URL=http://example.com:5000/v2.0
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_TENANT_NAME=admin
```
Store the specified PDK file into a Barbican container:
```bash
pdkutil store /home/ubuntu/shielded_pdk.pdk shielded_pdk_container
+---------------------+-------------------------------------------------------------------+
| Field               | Value                                                             |
+---------------------+-------------------------------------------------------------------+
| PDK_file            | /home/ubuntu/shielded_pdk.pdk                                     |
| container_name      | shielded_pdk_container                                            |
| container_reference | http://IP:9311/v1/containers/34b0694c-a66c-4383-80aa-dd87448fd746 |
+---------------------+-------------------------------------------------------------------+
```
The PDK container's reference must be passed either as an image property or as boot metadata when booting an OpenStack VM.
2) Create a Glance image from the signed template.
The signed template will be uploaded to Glance. The shielding data file (PDK file) ensures that the VM is created the way the tenant intended. For example, a different VHDX cannot be used when creating the shielded OpenStack VM, because the shielding data file contains the signatures of the trusted disks that shielded VMs can be created from. Moreover, if the shielded option is requested when creating the image, the PDK reference must point to a shielding data file whose security policy is set to shielded.
In order to create a shielded OpenStack VM, the image must have the following properties:
- os_shielded_vms set to required. To add a vTPM with the encryption option enabled, the image must have the os_vtpm_vms property set to required; a shielded VM implies encryption.
- hw_machine_type set to hyperv-gen2, as a vTPM can only be added to Generation 2 VMs.
- os_secure_boot (or the os:secure_boot flavor extra spec) set to required, as secure boot must be enforced.
- img_pdk_reference containing a reference to a PDK Barbican container (img_pdk_reference can also be passed via the nova boot metadata option, overriding the image property).
```bash
glance image-create --disk-format vhd --container-format bare --name shielded_template \
  --property hw_machine_type=hyperv-gen2 --property hypervisor_version_requires='>=10.0' \
  --property os_type=windows --property os_secure_boot=required \
  --property os_shielded_vm=required \
  --property img_pdk_reference="http://IP:9311/v1/containers/b31320ad-ea02-43d1-8a79-bcb509f59e63" \
  --file img/unused_template.vhdx
```
3) Boot a Shielded VM
An unattend file is used to specialize the shielded instance during the provisioning process. Since unattend files are added when the shielding data file is created, they are used for every VM created from that PDK file. To avoid hard-coding VM-specific information into the unattend file, substitution strings can be used for specialization values that change from VM to VM.
When using substitution strings, it is important to ensure that they are actually populated during the VM provisioning process. The values for the substitution strings can be passed as boot metadata options.
```bash
nova boot --image shielded_template --flavor m1.medium \
  --meta img_pdk_reference='http://IP:9311/v1/containers/b31320ad-ea02-43d1-8a79-bcb509f59e63' \
  --meta fsk:ComputerName='shieldedvm' --availability-zone nova:guarded \
  --nic net-id="adde07f4-6e54-4f8d-b5c9-6955e40d51e0" shieldedvm
```
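The following is an added example, not code from the original post nor from Cloudbase, Nova or the Hyper-V driver. It turns the requirements of steps 2 and 3 into a pre-flight check that can be run before issuing nova boot: it verifies the image properties and the os:secure_boot flavor extra spec alternative, applies the img_pdk_reference override from boot metadata, validates that the reference is a Barbican container URL of the form printed by pdkutil, and models how fsk:<Name> metadata keys populate substitution strings in the unattend file. The property names follow the glance and nova commands above; the @Name@ placeholder syntax for substitution strings and the unattend fragment are assumptions made for the example.

```python
"""Pre-flight checks for a Hyper-V shielded VM boot request through OpenStack.

Added example; not part of the original post and not OpenStack or Cloudbase
code. The @Name@ placeholder syntax for substitution strings is an assumption;
the property names follow the glance and nova commands in the post.
"""
import re
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# A Barbican container reference as printed by "pdkutil store":
# <scheme>://<host>:<port>/v1/containers/<uuid>
_CONTAINER_PATH = re.compile(
    r"^/v1/containers/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
_FSK_PREFIX = "fsk:"
_PLACEHOLDER = re.compile(r"@([A-Za-z0-9_]+)@")


def is_pdk_container_ref(ref):
    """True if ref is a well-formed Barbican container URL.

    Surrounding whitespace is rejected rather than stripped: a value such as
    " http://..." pasted into an image property is stored verbatim and the
    container lookup would fail at boot time, so catch it here.
    """
    if not isinstance(ref, str) or ref != ref.strip():
        return False
    parsed = urlparse(ref)
    return (parsed.scheme in ("http", "https") and bool(parsed.netloc)
            and _CONTAINER_PATH.match(parsed.path) is not None)


def check_shielded_boot(image_props, flavor_extra_specs=None, boot_meta=None):
    """Return the list of requirements the request fails; [] means it passes.

    image_props        -- Glance image properties (str -> str)
    flavor_extra_specs -- flavor extra specs, may carry os:secure_boot
    boot_meta          -- "nova boot --meta" values; img_pdk_reference here
                          overrides the image property
    """
    flavor_extra_specs = flavor_extra_specs or {}
    boot_meta = boot_meta or {}
    problems = []
    if image_props.get("os_shielded_vm") != "required":
        problems.append("image property os_shielded_vm must be 'required'")
    if image_props.get("hw_machine_type") != "hyperv-gen2":
        problems.append("hw_machine_type must be 'hyperv-gen2': a vTPM needs "
                        "a Generation 2 VM")
    if not (image_props.get("os_secure_boot") == "required"
            or flavor_extra_specs.get("os:secure_boot") == "required"):
        problems.append("secure boot must be enforced: set the os_secure_boot "
                        "image property or the os:secure_boot flavor extra "
                        "spec to 'required'")
    pdk_ref = boot_meta.get("img_pdk_reference",
                            image_props.get("img_pdk_reference"))
    if pdk_ref is None:
        problems.append("img_pdk_reference is missing from both the image "
                        "properties and the boot metadata")
    elif not is_pdk_container_ref(pdk_ref):
        problems.append("img_pdk_reference is not a Barbican container "
                        "reference: %r" % pdk_ref)
    return problems


def fsk_substitutions(boot_meta):
    """Collect fsk:<Name>=<value> boot metadata into a substitution map."""
    return {key[len(_FSK_PREFIX):]: value
            for key, value in boot_meta.items()
            if key.startswith(_FSK_PREFIX) and len(key) > len(_FSK_PREFIX)}


def render_unattend(template, substitutions):
    """Fill every @Name@ placeholder in an unattend template.

    Raises ValueError if a placeholder has no value, the situation the post
    warns about (a substitution string left unpopulated at provisioning
    time). Values are XML-escaped so metadata cannot break the document.
    """
    missing = sorted(set(_PLACEHOLDER.findall(template)) - set(substitutions))
    if missing:
        raise ValueError("unpopulated substitution strings: " + ", ".join(missing))
    return _PLACEHOLDER.sub(lambda m: escape(substitutions[m.group(1)]), template)


# Constructed sample data mirroring the glance and nova commands in the post.
IMAGE_PROPS = {
    "hw_machine_type": "hyperv-gen2",
    "os_type": "windows",
    "os_secure_boot": "required",
    "os_shielded_vm": "required",
    "img_pdk_reference":
        "http://IP:9311/v1/containers/b31320ad-ea02-43d1-8a79-bcb509f59e63",
}
BOOT_META = {
    "img_pdk_reference":
        "http://IP:9311/v1/containers/b31320ad-ea02-43d1-8a79-bcb509f59e63",
    "fsk:ComputerName": "shieldedvm",
}
# Constructed fragment of an unattend file, not a complete unattend.xml.
UNATTEND_TEMPLATE = ('<component name="Microsoft-Windows-Shell-Setup">'
                     '<ComputerName>@ComputerName@</ComputerName>'
                     '</component>')

if __name__ == "__main__":
    print("problems:", check_shielded_boot(IMAGE_PROPS, boot_meta=BOOT_META))
    print(render_unattend(UNATTEND_TEMPLATE, fsk_substitutions(BOOT_META)))
```

Running the module as a script reports no problems for the sample data and prints the rendered fragment with the computer name filled in; dropping the fsk:ComputerName metadata makes render_unattend raise, which is the unpopulated-substitution case to catch before the instance is provisioned.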
That’s all, your shielded VM is getting deployed!
If you prefer to use the Horizon web interface instead of the command line, here’s also a video showing how to perform the same steps.