Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.
New Features in 2.2:
– TPM 2.0 support.
+ Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
+ Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
+ Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256. SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for Attestation of TPM 2.0 hosts.
+ The CIT Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0)
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version. This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
+ Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
+ TPM 2.0 Windows hosts use TSS.MSR (The TPM Software Stack from Microsoft Research) PCPTool.
+ TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.
For more information, see the full announcement on the firstname.lastname@example.org mailing list.
Adolfo V Aguayo of Intel announced the 2.0.7 release of OpenCIT (Open Cloud Integrity Technology) library. The first time I’ve heard of OpenCIT, and they’re already at a 2.x release. 😦 Excerpted announcement:
Open CIT is the next generation attestation solution. Open CIT provides features and capabilities in its entirety, as was made available in the Premium version, including support for ESX and Citrix-Xen, in addition to KVM on Ubuntu and RHEL. Open CIT provides ‘Trust’ visibility of the cloud infrastructure and enables compliance in cloud datacenters. The solution leverages Intel processors with Intel® Trusted Execution Technology (Intel® TXT) to establish HW root of trust and builds the chain of trust across hardware, OS, hypervisor and including asset tagging for Location and boundary control. The Platform trust and asset tag attestation information is used by Orchestrators and/or Policy Compliance management to ensure workloads are launched on trusted and location/boundary compliant platforms, and they provide the needed visibility and Auditability of your infrastructure in both public and private cloud environments.
We are proud to announce the release of Open CIT. Open CIT provides features and capabilities in its entirety, as was made available in the Premium version, including support for ESX and Citrix-Xen, in addition to KVM on Ubuntu and RHEL. OpenCIT provides ‘Trust’ visibility of the cloud infrastructure and enables compliance in cloud datacenters. Below are the key features for Open CIT:
– Establish chain of trust of BIOS, firmware, OS kernel & hypervisor by verifying against configured good known values (Whitelists)
– Ability to tag/verify hosts with custom attributes (Asset Tags) stored in TPM. Ex: Location attributes
– Open Stack integration to utilize Platform Trust and asset tags for advanced VM management
– Mutual SSL authentication supported across all the communication channels.
– RESTful API interface for easier 3rd party integration
– Audit logging for all changes including tracking of the host trust status changes
– Self-extracting installers for ease of setup & Reference UI portal
– User defined TLS policy management for host’s connections.
Distributions currently supported and the Open Stack version used for our extensions:
– Linux distributions: Ubuntu 12.04 LTS, 14.04 LTS, RHEL 6.5 and 7.x, on KVM
– OS platforms that are supported for remote attestation: Citrix XenServer 6.2, VMWare ESXi 5.5, 6, Ubuntu 12.04 LTS, 14.04 LTS, RHEL 6.5 and 7.x,
– Open Stack extensions supported: Kilo & Liberty.
For more information, see the OAT-devel post: