Chapter 13. Configuring instance security
As a cloud administrator, you can configure the following security features for the instances that run on your cloud:
- UEFI Secure Boot: You can create a UEFI Secure Boot flavor with the property key os:secure_boot enabled. Cloud users can use this flavor to create instances that are protected with UEFI Secure Boot. For more information, see UEFI Secure Boot.
- VNC console security: You can secure connections to the VNC console for an instance by configuring the allowed TLS ciphers and the minimum protocol version to enforce for incoming client connections to the VNC proxy service. For more information, see Securing connections to the VNC console of an instance.
- Emulated virtual Trusted Platform Module (vTPM): You can provide cloud users the ability to create instances that have emulated vTPM devices. For more information, see Configuring Compute nodes to provide emulated Trusted Platform Module (TPM) devices for instances.
- SEV: You can enable your cloud users to create instances that use AMD SEV memory encryption. For more information, see Configuring AMD SEV Compute nodes to provide memory encryption for instances.
13.1. Securing connections to the VNC console of an instance
You can secure connections to the VNC console for an instance by configuring the allowed TLS ciphers and the minimum protocol version to enforce for incoming client connections to the VNC proxy service.
Procedure
- Log in to the undercloud as the stack user. Source the stackrc file:
  [stack@director ~]$ source ~/stackrc
- Open your Compute environment file.
- Configure the minimum protocol version to use for VNC console connections to instances:
  parameter_defaults:
    ...
    NovaVNCProxySSLMinimumVersion: <version>
  Replace <version> with the minimum allowed SSL/TLS protocol version. Set to one of the following valid values:
  - default: Uses the underlying system OpenSSL defaults.
  - tlsv1_1: Use if you have clients that do not support a later version.
    Note: TLS 1.0 and TLS 1.1 are deprecated in RHEL 8, and not supported in RHEL 9.
  - tlsv1_2: Use if you want to configure the SSL/TLS ciphers to use for VNC console connections to instances.
  - tlsv1_3: Use if you want to use the standard cipher library for TLSv1.3. Configuration of the NovaVNCProxySSLCiphers parameter is ignored.
- If you set the minimum allowed SSL/TLS protocol version to tlsv1_2, then configure the SSL/TLS ciphers to use for VNC console connections to instances:
  parameter_defaults:
    NovaVNCProxySSLCiphers: <ciphers>
  Replace <ciphers> with a colon-delimited list of the cipher suites to allow. Retrieve the list of available ciphers from openssl.
- Add your Compute environment file to the stack with your other environment files and deploy the overcloud:
  (undercloud)$ openstack overcloud deploy --templates \
   -e [your environment files] \
   -e /home/stack/templates/<compute_environment_file>.yaml
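The cipher string you place in NovaVNCProxySSLCiphers is handed to OpenSSL as-is, so a typo or an unknown suite name is only discovered when the VNC proxy fails to accept connections. The following Python script is an added example, not part of this guide or of the Compute service: it expands a candidate cipher string with the standard ssl module (the same OpenSSL library the page tells you to consult), flags suites without forward secrecy, and renders the parameter_defaults fragment for the Compute environment file. The version/cipher coupling it enforces (ciphers only with tlsv1_2) mirrors the procedure above; the forward-secrecy check and the function names are this example's own choices.

```python
import ssl
from typing import List, Optional

# Values the NovaVNCProxySSLMinimumVersion parameter accepts, as listed in the procedure above.
VALID_MIN_VERSIONS = ("default", "tlsv1_1", "tlsv1_2", "tlsv1_3")


def resolve_ciphers(cipher_spec: str) -> List[str]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-earlier suites it selects.

    A spec that selects nothing (a typo, or a name this OpenSSL build does not
    know) raises ssl.SSLError here instead of breaking the VNC proxy later.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError when no cipher matches
    # get_ciphers() also reports the TLS 1.3 suites, which a cipher string does not
    # govern (the page notes the parameter is ignored at tlsv1_3), so drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def without_forward_secrecy(cipher_names: List[str]) -> List[str]:
    """Return the suites whose key exchange is not (EC)DHE, i.e. no forward secrecy.

    Policy check chosen for this example: console traffic recorded today should
    not become readable if the proxy's private key leaks later.
    """
    return [n for n in cipher_names if not n.startswith(("ECDHE-", "DHE-"))]


def build_env_fragment(min_version: str, cipher_spec: Optional[str] = None) -> str:
    """Render the parameter_defaults block for the Compute environment file."""
    if min_version not in VALID_MIN_VERSIONS:
        raise ValueError(f"unknown minimum version {min_version!r}; expected one of {VALID_MIN_VERSIONS}")
    lines = ["parameter_defaults:", f"  NovaVNCProxySSLMinimumVersion: {min_version}"]
    if cipher_spec is not None:
        # The procedure configures ciphers together with tlsv1_2, and the page states
        # the parameter is ignored at tlsv1_3, so refuse any other combination.
        if min_version != "tlsv1_2":
            raise ValueError("NovaVNCProxySSLCiphers takes effect only with NovaVNCProxySSLMinimumVersion: tlsv1_2")
        resolved = resolve_ciphers(cipher_spec)
        # Write the expanded names so the deployed value is explicit and reviewable.
        lines.append("  NovaVNCProxySSLCiphers: " + ":".join(resolved))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2 cipher string limited to AEAD, forward-secret suites.
    spec = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    print(build_env_fragment("tlsv1_2", spec))
    # A static-RSA suite is accepted by OpenSSL but fails the forward-secrecy check.
    print("no forward secrecy:", without_forward_secrecy(resolve_ciphers("AES256-GCM-SHA384")))
```

Paste the printed block into your Compute environment file, or merge it into an existing parameter_defaults section, before running openstack overcloud deploy.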
13.2. Configuring Compute nodes to provide emulated Trusted Platform Module (TPM) devices for instances
As a cloud administrator, you can provide cloud users the ability to create instances that have emulated virtual Trusted Platform Module (vTPM) devices.
To enable your cloud users to create instances that have vTPM devices, you must perform the following tasks:
- Enable support for instances with vTPM devices and deploy the overcloud.
- Create a flavor or image for launching instances with vTPM devices.
Prerequisites
- The Key Manager service (barbican) is included in your RHOSP deployment to store vTPM keys. For information on managing secrets with the Key Manager service, see Managing secrets with the Key Manager service.
Limitations of instances with vTPM devices
- You cannot live migrate or evacuate instances that have vTPM devices.
- You cannot rescue or shelve instances that have vTPM devices.
- The instance must have the Q35 machine type.
13.2.1. Enabling support for instances with vTPM devices
To enable your cloud users to create instances that have vTPM devices, you must configure the overcloud to enable vTPM devices for instances.
Procedure
- Open your Compute environment file.
- Enable support for vTPM devices:
  parameter_defaults:
    ComputeParameters:
      ...
      NovaEnableVTPM: True
- Save the updates to your Compute environment file.
- Add your Compute environment file to the stack with your other environment files and deploy the overcloud:
  (undercloud)$ openstack overcloud deploy --templates \
   -e /home/stack/templates/overcloud-baremetal-deployed.yaml \
   -e /home/stack/templates/node-info.yaml \
   -e [your environment files] \
   -e /home/stack/templates/<compute_environment_file>.yaml
13.2.2. Creating an image for vTPM devices
When the overcloud is enabled to create instances that have vTPM devices, you can create a vTPM device instance image that your cloud users can use to launch instances that have vTPM devices.
If both the flavor and the image specify a TPM device model and the two values do not match, scheduling fails.
Procedure
- Create a new image for vTPM devices:
  (overcloud)$ openstack image create ... \
   --property hw_tpm_version=2.0 vtpm-image
  Note: TPM version 1.2 is not supported.
- Optional: Specify the TPM model to use:
  (overcloud)$ openstack image set \
   --property hw_tpm_model=<tpm_model> \
   vtpm-image
  Replace <tpm_model> with the model of TPM device to use. Set to one of the following valid values:
  - tpm-tis: (Default) TPM Interface Specification.
  - tpm-crb: Command-Response Buffer.
  Note: The Compute service ignores the configuration of the hw_tpm_model property if the hw_tpm_version property is not set.
Verification
- Create an instance by using the vTPM image:
  (overcloud)$ openstack server create --flavor m1.small \
   --image vtpm-image vtpm-instance
- Log in to the instance as a cloud user.
- To verify that the instance has access to a vTPM device, enter the following command from the instance:
  $ dmesg | grep -i tpm
13.2.3. Creating a flavor for vTPM devices
When the overcloud is enabled to create instances that have vTPM devices, you can create one or more vTPM device flavors that your cloud users can use to launch instances that have vTPM devices.
A vTPM device flavor is necessary only when the hw_tpm_model and hw_tpm_version properties are not set on an image. If both the flavor and the image specify a TPM device model and the two values do not match, scheduling fails.
Procedure
- Create a flavor for vTPM devices:
  (overcloud)$ openstack flavor create --vcpus 1 --ram 512 --disk 2 \
   --property hw:tpm_version=2.0 \
   vtpm-flavor
  Note: TPM version 1.2 is not supported.
- Optional: Specify the TPM model to use:
  (overcloud)$ openstack flavor set \
   --property hw:tpm_model=<tpm_model> \
   vtpm-flavor
  Replace <tpm_model> with the model of TPM device to use. Set to one of the following valid values:
  - tpm-tis: (Default) TPM Interface Specification.
  - tpm-crb: Command-Response Buffer. Compatible only with TPM version 2.0.
  Note: The Compute service ignores the configuration of the hw:tpm_model property if the hw:tpm_version property is not set.
Verification
- Create an instance by using the vTPM flavor:
  (overcloud)$ openstack server create --flavor vtpm-flavor \
   --image rhel-image vtpm-instance
- Log in to the instance as a cloud user.
- To verify that the instance has access to a vTPM device, enter the following command from the instance:
  $ dmesg | grep -i tpm
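Sections 13.2.2 and 13.2.3 state several rules about how the image properties (hw_tpm_version, hw_tpm_model) and the flavor extra specs (hw:tpm_version, hw:tpm_model) combine: the model is ignored without a version, a model conflict between flavor and image makes scheduling fail, tpm-tis is the default model, and TPM 1.2 is not supported. The following Python script is an added example, not the Compute service's scheduler code, that models those rules so an operator can check a planned flavor/image pairing before users hit a scheduling failure. It assumes that a version conflict between flavor and image is treated the same way as a model conflict (the page states the rule only for the model); the function and exception names are this example's own.

```python
from typing import Dict, Optional, Tuple

# Constraints stated in the procedures above (illustrative model, not Nova's code).
SUPPORTED_TPM_VERSIONS = {"2.0"}  # the page states TPM version 1.2 is not supported
TPM_MODELS = {"tpm-tis", "tpm-crb"}
DEFAULT_TPM_MODEL = "tpm-tis"  # "(Default) TPM Interface Specification"


class SchedulingError(Exception):
    """Raised where the page says scheduling fails or a request cannot be honoured."""


def _tpm_request(props: Dict[str, str], version_key: str, model_key: str) -> Tuple[Optional[str], Optional[str]]:
    """Read one side's (version, model) pair; the model is ignored when the version is absent."""
    version = props.get(version_key)
    if version is None:
        return None, None  # the Compute service ignores the model property without a version
    return version, props.get(model_key)


def resolve_vtpm_request(flavor_extra_specs: Dict[str, str],
                         image_properties: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Combine flavor extra specs (hw:tpm_*) and image properties (hw_tpm_*).

    Returns (version, model) for the vTPM the instance would get, or None when
    neither the flavor nor the image asks for one. Raises SchedulingError on conflicts.
    """
    f_version, f_model = _tpm_request(flavor_extra_specs, "hw:tpm_version", "hw:tpm_model")
    i_version, i_model = _tpm_request(image_properties, "hw_tpm_version", "hw_tpm_model")

    if f_version is None and i_version is None:
        return None  # no vTPM requested; a flavor is only needed when the image lacks the properties

    # Page rule: both sides set a model and the values differ -> scheduling fails.
    if f_model and i_model and f_model != i_model:
        raise SchedulingError(f"TPM model conflict: flavor={f_model} image={i_model}")
    # Assumption for this example: a version disagreement is treated the same way.
    if f_version and i_version and f_version != i_version:
        raise SchedulingError(f"TPM version conflict: flavor={f_version} image={i_version}")

    version = f_version or i_version
    model = f_model or i_model or DEFAULT_TPM_MODEL
    if version not in SUPPORTED_TPM_VERSIONS:
        raise SchedulingError(f"TPM version {version} is not supported")
    if model not in TPM_MODELS:
        raise SchedulingError(f"unknown TPM model {model!r}; expected one of {sorted(TPM_MODELS)}")
    # tpm-crb is compatible only with TPM 2.0. With 2.0 the only supported version this
    # cannot trip today; it is kept so the rule is visible if more versions are added.
    if model == "tpm-crb" and version != "2.0":
        raise SchedulingError("tpm-crb requires TPM version 2.0")
    return version, model


if __name__ == "__main__":
    # Constructed samples mirroring the commands in the procedures above.
    vtpm_flavor = {"hw:tpm_version": "2.0", "hw:tpm_model": "tpm-crb"}
    vtpm_image = {"hw_tpm_version": "2.0"}
    print("flavor only  :", resolve_vtpm_request(vtpm_flavor, {}))
    print("image only   :", resolve_vtpm_request({}, vtpm_image))
    print("model, no ver:", resolve_vtpm_request({}, {"hw_tpm_model": "tpm-crb"}))
    try:
        resolve_vtpm_request(vtpm_flavor, {"hw_tpm_version": "2.0", "hw_tpm_model": "tpm-tis"})
    except SchedulingError as err:
        print("conflict     :", err)
```

Feed it the output of openstack flavor show and openstack image show for the pair you intend to use; a SchedulingError here corresponds to the scheduling failure the page warns about.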