Glance Signed Image Validation

A new addition to the OpenStack Security Guide is Signed Image Validation in the Glance service. This gives assurance at boot time that an image has not been tampered with before it is booted. The steps for doing this are:

  1. A signature of the image is created
  2. A Keystone service context is created
  3. The image signature is encoded and uploaded to Castellan
  4. The image is uploaded to the Glance service
  5. The verify_glance_signatures option is set to True in the /etc/nova/nova.conf file

A detailed list of the specific actions for each step is located at Adding Signed Images to Glance.

Once the steps above have been completed, when an image with a signature hash in its metadata is referenced as the boot image, the Nova service will securely copy the image from Glance and compare a hash of the copied image against the signature from the metadata. If this hash matches, the image will boot, giving the user assurance that it has not been tampered with.
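
The sign, encode and compare cycle described above can be tried locally with openssl. This is an added example, not taken from the OpenStack Security Guide: RSA-PSS with SHA-256, the throwaway key pair and the file names are assumptions, and no Glance, Castellan or Nova call is made.

```shell
#!/bin/sh
# Added example: local sign / encode / verify cycle for an image file.
# Assumptions: RSA-PSS with SHA-256, a throwaway key pair, constructed file names.

# Throwaway key pair for the demo; a real signing key never sits beside the image.
make_keypair() {  # $1 = private key out, $2 = public key out
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
        openssl pkey -in "$1" -pubout -out "$2"
}

# Sign the image and print the signature base64-encoded on one line,
# the form in which it can travel with the image as metadata.
sign_image() {  # $1 = private key, $2 = image file
    openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss "$2" |
        openssl base64 -A
}

# Decode the stored signature and check it against the image bytes.
# Returns 0 only when the image is byte-for-byte what was signed.
verify_image() {  # $1 = public key, $2 = image file, $3 = base64 signature
    sig_file=$(mktemp) || return 2
    printf '%s' "$3" | openssl base64 -d -A > "$sig_file"
    openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss \
        -signature "$sig_file" "$2" >/dev/null 2>&1 && rc=0 || rc=1
    rm -f "$sig_file"
    return "$rc"
}

# Demo on a constructed "image": verify, modify the image, verify again.
demo() {
    work=$(mktemp -d) || return 2
    make_keypair "$work/key.pem" "$work/pub.pem" || return 2
    printf 'constructed image payload\n' > "$work/image.raw"
    sig=$(sign_image "$work/key.pem" "$work/image.raw")
    if verify_image "$work/pub.pem" "$work/image.raw" "$sig"
    then echo "original image: signature valid"
    else echo "original image: signature INVALID"; fi
    printf 'x' >> "$work/image.raw"   # one byte appended after signing
    if verify_image "$work/pub.pem" "$work/image.raw" "$sig"
    then echo "modified image: signature valid"
    else echo "modified image: signature INVALID"; fi
    rm -rf "$work"
}
demo
```

A single appended byte is enough to make the second check fail, which is the property the boot-time comparison relies on.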