From hbrock at redhat.com Mon Apr 9 21:17:41 2018
From: hbrock at redhat.com (Hugh Brock)
Date: Mon, 09 Apr 2018 21:17:41 +0000
Subject: [Rh-moc-bare-metal] Further discussion on bare metal provisioning
Message-ID:

Folks,

As you have probably seen, I have added you to a new mailing list for the purpose of following up on Friday's bare metal provisioning workshop. Please feel free to comment on the summary document Orran and I prepared, here:

https://docs.google.com/document/d/1JNmhqCpoG1irj9mb4o46VpISPvN8E7DAICFiT7BwmVk/edit?usp=sharing

Thanks for your interest. We'll have further updates forthcoming.

Take care,
--Hugh

--
Hugh Brock, hbrock at redhat.com
Director of Engineering, Boston University Research Initiatives
---
"I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant." --Robert McCloskey

From Charles.Munson at ll.mit.edu Mon Apr 23 22:32:04 2018
From: Charles.Munson at ll.mit.edu (Munson, Charles - 0553 - MITLL)
Date: Mon, 23 Apr 2018 22:32:04 +0000
Subject: [Rh-moc-bare-metal] Further discussion on bare metal provisioning
In-Reply-To:
References:
Message-ID: <59FBE487-44E2-456C-986F-64EA3B2455DC@ll.mit.edu>

Hello,

We are definitely interested in working towards making Keylime a more easily supportable attestation infrastructure. As per the notes from the roundtable discussion we had a few weeks ago, outlined are some goals for Keylime and attestation:

Keylime and attestation.

- We believe Keylime could fill a very useful niche upstream, especially in that the only project that rivals it -- Intel's OpenCIT -- appears to be open-source in name only and probably not truly open to outside contributors. We should therefore as a group devote some effort to packaging Keylime, building a CI infrastructure around it, and generally making it reasonable to use in a production environment.
  We should also:
  o do the work necessary to integrate it with the Fedora early boot components;
  o consider whether it should find a home with an existing upstream project like Katello (part of Satellite) or FreeIPA (Red Hat identity management project);
  o Examine -- as a research project? -- how to integrate attestation via Keylime with the Ironic state machine

We have released a new version of Keylime today (v2.3.3) that includes IPsec configuration + documentation, as well as some readme improvements: https://github.com/mit-ll/python-keylime. There is also documentation available in the /doc/ directory as we pointed out earlier (including our ACSAC paper and presentation), and we would be happy to answer any questions you may have.

We have also opened up an issue related to integrating Keylime with the Fedora early boot components for easier collaboration, especially if Ali chooses to work on this during the summer: https://github.com/mit-ll/python-keylime/issues/6

Additionally, as we discussed with Peter during the Roundtable, we have opened an issue to investigate adding TPM 2.0 support to Keylime (see https://github.com/mit-ll/python-keylime/issues/5) instead of relying only on the older TPM 1.2.

We would like to discuss the future steps towards making Keylime more production-ready so we can complete the goals outlined above, and we are certainly open to supporting this effort from our side as well. We can also set up a telecom if you are interested in discussing this further.

Best regards,
Charlie

----
Charles Munson, Ph.D.
(x9331)
Technical Staff
charles.munson at ll.mit.edu
Secure, Resilient Systems and Technology (5-53)
MIT Lincoln Laboratory

From hbrock at redhat.com Mon Apr 30 13:31:56 2018
From: hbrock at redhat.com (Hugh Brock)
Date: Mon, 30 Apr 2018 13:31:56 +0000
Subject: [Rh-moc-bare-metal] Further discussion on bare metal provisioning
In-Reply-To: <59FBE487-44E2-456C-986F-64EA3B2455DC@ll.mit.edu>
References: <59FBE487-44E2-456C-986F-64EA3B2455DC@ll.mit.edu>
Message-ID:

Charlie, thanks, this is great. Orran and I are working on identifying an intern to carry this work forward this summer, Ali has chosen a different project. I'm sure we will be able to find someone however. We'll keep everyone on this list informed.

Take care,
--Hugh

--
Hugh Brock, hbrock at redhat.com
Director of Engineering, Boston University Research Initiatives
---
"I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant." --Robert McCloskey