• Contents
  • 1.0 Introduction
  • 1.1 Overview
  • 1.2 The Chain of Trust
  • 2.0 Intel® Cloud Integrity Technology Architecture
  • 3.0 Intel® Cloud Integrity Technology Components
  • 3.1 Attestation Server
  • 3.2 Key Broker Service
  • 3.3 Key Broker Proxy
  • 3.4 Trust Director
  • 3.5 Trust Agent
  • 3.6 OpenStack Plugins
  • 3.7 Attestation Reporting Hub
  • 4.0 Intel® Cloud Integrity Technology Setup
  • 4.1 Installing the Attestation Server
  • 4.1.1 Installation Prerequisites
  • 4.1.2 Package Dependencies
  • 4.1.3 Installation
  • 4.2 Installing the OpenStack Controller Extensions
  • 4.2.1 Prerequisites
  • 4.2.2 Minimum Requirements
  • 4.2.3 Extension Dependencies
  • 4.2.4 Installation
  • 4.3 Installing the Key Broker Service
  • 4.3.1 Prerequisites
  • 4.3.2 Minimum Requirements
  • 4.3.3 Package Dependencies
  • 4.3.4 Installation
  • 4.4 Installing the Key Broker Proxy (KMS Proxy)
  • 4.4.1 Prerequisites
  • 4.4.2 Minimum Requirements
  • 4.4.3 Package Dependencies
  • 4.4.4 Installation
  • 4.5 Installing the Trust Director
  • 4.5.1 Prerequisites
  • 4.5.2 Minimum Requirements
  • 4.5.3 Recommended Hardware
  • 4.5.4 Package Dependencies
  • 4.5.5 Installation
  • 4.6 Installing the Trust Agent - Linux
  • 4.6.1 Package Dependencies
  • 4.6.2 Supported Operating Systems
  • 4.6.3 Prerequisites
  • 4.6.4 Installation
  • 4.7 Installing the Trust Agent - Windows
  • 4.7.1 Package Dependencies
  • 4.7.2 Supported Operating Systems
  • 4.7.3 Prerequisites
  • 4.7.4 Installation
  • 5.0 Host Attestation
  • 5.1 Overview
  • 5.2 Extending Host Attestation
  • 5.3 Required Components
  • 5.4 Importing Whitelist Values
  • 5.5 Host Registration
  • 5.5.1 Registering Multiple Hosts Using a Flat File
  • 5.5.2 Registering a Host Individually
  • 5.6 Host Attestation
  • 5.6.1 Remediation of Untrusted Attestations
  • 6.0 Image Integrity (VM and Docker)
  • 6.1 Required Components
  • 6.2 Creating the Image Trust Policy (VM and Docker container)
  • 6.3 Hash Only
  • 6.4 Hash and Enforce
  • 6.5 VM Migrations
  • 6.6 VM Snapshots
  • 6.7 Shared Storage
  • 6.8 VM and Docker Attestation
  • 6.9 Workflow Example #1 – VM images
  • 6.10 Workflow Example #2 – Docker container images (Uploaded Images to Trust Director or Downloaded from Docker hub)
  • 7.0 Image Privacy
  • 7.1 Required Components
  • 7.2 VM Migrations
  • 7.3 VM Snapshots
  • 7.4 Shared Storage
  • 7.5 Encrypting an Image
  • 7.6 Launching an Instance of an Encrypted Image
  • 7.6.1 VM Encryption for Microsoft Windows Compute Nodes
  • 7.7 Workflow Example for a Virtual Machine
  • 8.0 PCR Definitions
  • 8.1 TPM 1.2
  • 8.2 TPM 2.0
  • 8.3 MLE Administration
  • 8.4 TLS Policy Overview
  • 8.4.1 TLS Policy Types
  • 8.4.2 Policy Scope
  • 8.4.3 Default Policy Selection
  • 8.4.4 Legacy Behavior
  • 8.5 Asset Tags
  • 8.5.1 Prerequisites
  • 8.5.2 Asset Tag Provisioning Workflow
  • 8.5.3 Asset Tag Provisioning Modes
  • 8.5.4 Tags and Selections
  • 8.5.5 Asset Tag Provisioning
  • 8.5.5.1 Push Provisioning
  • 8.5.5.2 Pull Provisioning
  • 8.5.5.3 Creating an XML file for Asset Tag Provisioning
  • 8.5.5.4 Encrypting the Asset Tag XML
  • 8.5.5.5 Decrypting and Verifying the Selection XML File
  • 8.5.5.6 Provisioning Usage
  • 8.6 Database Configuration for Remote Database Servers
  • 8.7 Password Guidelines
  • 8.7.1 Changing the Database Password
  • 8.8 Trust Policies
  • 8.8.1 Choosing Files for Measurement
  • 8.8.2 Creating a Trust Policy
  • 8.8.2.1 Creating a Trust Policy for a Virtual Machine Image
  • 8.8.2.2 Creating a Trust Policy for a Docker Container Image
  • 8.8.3 Downloading a Docker image from Docker Hub using Trust Director
  • 8.8.4 Uploading a Docker image to Trust Director – Manual Upload
  • 8.8.5 Uploading Image to Trust Director – Remote File Upload
  • 8.8.6 Creating a Trust Policy for a Non-Virtualized Server
  • 9.0 Whitelisting Guidelines
  • 9.1 For BIOS MLEs:
  • 9.2 For VMM/OS MLEs:
  • 9.3 Encrypted Images
  • 10 OpenStack Controller Changes
  • 10.1 Horizon Changes
  • 10.1.1 Library and Configuration Changes
  • 10.1.2 Instance View Changes
  • 10.1.3 Images Dashboard Changes
  • 10.1.4 Attestation Service
  • 10.1.5 Trust Agent
  • 10.1.6 Trust Director
  • 10.1.7 Attestation Reporting Hub
  • 10.1.8 Key Management Service
  • 10.1.8.1 Check Server Version
  • 10.1.8.2 Check Server Status
  • 10.1.8.3 Start and Stop the Server
  • 10.1.8.4 Add, Edit, or Remove User Permissions
  • 10.1.8.5 List Users
  • 10.1.8.6 Execute All Setup Tasks
  • 10.1.8.7 Execute Specific Setup Tasks
  • 10.1.8.8 Validate a Setup Task Without Executing It
  • 10.1.8.9 Force Execution of a Setup Task Even if It is Already Validated
  • 10.1.8.10 Continue Executing Subsequent Setup Tasks Even if One Fails
  • 10.1.8.11 Setup Task Reference
  • 10.1.8.12 Uninstall
  • 10.1.8.13 Help
  • 10.1.9 KMS Proxy
  • 10.1.9.1 Check Server Version
  • 10.1.9.2 Check Server Status
  • 10.1.9.3 Start and Stop the Server
  • 10.1.9.4 Execute All Setup Tasks
  • 10.1.9.5 Execute Specific Setup Tasks
  • 10.1.9.6 Validate a Setup Task Without Executing It
  • 10.1.9.7 Force Execution of a Setup Task Even if It is Already Validated
  • 10.1.9.8 Continue Executing Subsequent Setup Tasks Even if One Fails
  • 10.1.9.9 Setup Task Reference
  • 10.1.9.10 Uninstall
  • 10.1.9.11 Help
  • 10.1.10 Attestation Service
  • 10.1.10.1 Check Server Version
  • 10.1.10.2 Check Server Status
  • 10.1.10.3 Start and Stop the Server
  • 10.1.10.4 Change the Database Password and Update Configuration Files
  • 10.1.10.5 Output Attestation Service SSH Key and SAML Certificate Fingerprints
  • 10.1.10.6 Detect and Output Currently-Installed Version and Installation Location of Java
  • 10.1.10.7 Detect and Output Currently-Installed Version and Installation Location of MySQL
  • 10.1.10.8 Create a New MySQL SSL Certificate Authority
  • 10.1.10.9 Detect and Output Currently-Installed Version and Installation Location of Tomcat
  • 10.1.10.10 Generate a New Tomcat SSL Certificate
  • 10.1.10.11 Check the Status of the Tomcat Web Server
  • 10.1.10.12 Backup and Restore All Keys, Certificates, and Secrets Used by the Attestation Service
  • 10.1.10.13 Execute All Setup Tasks
  • 10.1.10.14 Execute Specific Setup Tasks
  • 10.1.10.15 Validate a Setup Task Without Executing It
  • 10.1.10.16 Force Execution of a Setup Task Even if It is Already Validated
  • 10.1.10.17 Continue Executing Subsequent Setup Tasks Even if One Fails
  • 10.1.10.18 Uninstall
  • 10.1.10.19 Help
  • 10.1.11 Trust Agent
  • 10.1.11.1 Start
  • 10.1.11.2 Stop
  • 10.1.11.3 Restart
  • 10.1.11.4 Status
  • 10.1.11.5 Version
  • 10.1.11.6 Authorize
  • 10.1.11.7 Setup
  • 10.1.11.8 Uninstall
  • 10.1.11.9 Help
  • 10.1.12 Trust Director
  • 10.1.12.1 Start
  • 10.1.12.2 Stop
  • 10.1.12.3 Restart
  • 10.1.12.4 password-vault
  • 10.1.12.5 director-envelope-key
  • 10.1.12.6 director-envelope-key-registrationStart
  • 10.1.12.7 Uninstall
  • 10.1.12.8 Help
  • 10.1.13 Attestation Reporting Hub
  • 10.1.13.1 Start
  • 10.1.13.2 Stop
  • 10.1.13.3 Restart
  • 10.1.13.4 password-vault
  • 10.1.13.5 Uninstall
  • 10.2 Installation and Configuration Options
  • 10.2.1 Attestation Service
  • 10.2.1.1 Installation Options
  • 10.2.1.2 Configuration Options
  • 10.2.1.3 Security Configuration
  • 10.2.1.4 Encrypting Configuration Files
  • 10.2.1.5 Changing the Database Password
  • 10.2.2 Trust Agent
  • 10.2.2.1 Trust Agent without OpenStack
  • 10.2.2.2 Trust Agent for OpenStack Compute Node
  • 10.2.2.3 OpenStack Compute Changes
  • 10.2.2.4 Command-Line Options
  • 10.2.3 Key Management Service
  • 10.2.3.1 Installation Options
  • 10.2.5.2 Configuration
  • 10.2.3.3 Configuring the KMS to use an External Barbican or KMIP-Compliant Key Vault
  • 10.2.3.4 Command-Line Options
  • 10.2.4 KMS Proxy
  • 10.2.4.1 Configuration
  • 10.2.4.2 Command-Line Options
  • 10.2.5 Trust Director
  • 10.2.5.1 Setup
  • 10.2.5.2 Configuration
  • 10.2.6 OpenStack Controller
  • 10.2.6.1 Setup
  • 10.2.6.2 Configuration
  • 10.2.7 Attestation Reporting Hub
  • 10.3 High Availability Guidelines
  • 10.3.1 Attestation Service
  • 10.3.1.1 Prerequisites
  • 10.3.1.2 Deployment Instructions
  • 10.3.1.3 Failover
  • 10.3.2 Key Management Service
  • 10.3.3 Key Management Proxy
  • 10.4 Nova Changes
  • 10.4.1 Filter Code
  • 10.5 OpenStack Compute Node Changes
  • 11.0 Configuration
  • 11.1 Directory Layout
  • 11.1.1 Key Broker Service
  • 11.1.1.1 Linux Directory Layout
  • 11.1.1.2 Home Directory Layout
  • 11.1.1.3 Custom Directory Layout
  • 11.1.2 KMS Proxy
  • 11.1.2.1 Linux Directory Layout
  • 11.1.2.2 Home Directory Layout
  • 11.1.2.3 Custom Directory Layout
  • 12.0 Uninstallation
  • 12.1 Attestation Service
  • 12.2 Trust Agent
  • 12.3 Trust Director
  • 12.4 Key Broker Service
  • 12.5 KMS Proxy
  • 12.6 OpenStack Patches
  • 12.7 Attestation Reporting Hub
  • 13.0 Troubleshooting
  • 13.1 Attestation Service
  • 13.2 Key Management Service
  • 13.3 KMS Proxy
  • 13.4 Trust Agent
  • 13.5 OpenStack Controller Extensions
  • 13.6 Attestation Reporting Hub
  • 14.0 Building OpenCIT from Source
  • 14.1 Preparing the Build Environment
  • 14.1.1 Minimum Requirements
  • 14.1.2 Installing the Required Packages
  • 14.1.3 Installing the Java Development Kit (JDK) for Ubuntu and RHEL
  • 14.1.4 Installing Apache Maven for Ubuntu and RHEL
  • 14.1.5 Editing settings.xml
  • 14.1.6 Modifying Environment Files
  • 14.2 Intel® CIT Source Code
  • 14.2.1 Downloading the Source Code
  • 14.2.2 Building the Source Code
  • VERY IMPORTANT: Signing the tboot driver:
  • 14.3.3 Binary Locations
  • 15.0 TXT/TPM Prerequisites and Activation
  • 15.1 Trusted Boot Provisioning
  • 16.0 Frequently Asked Questions
  • 17.0 Sample Use Cases
  • 17.1 Attesting Open vSwitch (OVS)
  • 17.1.1 Required Components
  • 17.1.2 Configuration Steps
  • 18.0 Known Issues and Errata