Glance Signed Image Validation
A new addition to the OpenStack Security Guide is Signed Image Validation in the Glance service. This provides boot-time assurance that an image has not been tampered with before it is booted. The steps for doing this are:
- A signature of the image is created
- A Keystone service context is created
- The image signature is encoded and uploaded to Castellan
- The image is uploaded to the Glance service
- verify_glance_signatures is set to
A detailed list of the specific actions for each step is located at Adding Signed Images to Glance.
Once the configuration steps above have been completed, when an image with a signature hash in its metadata is referenced as the boot image, the Nova service will securely copy the image from Glance and compare a hash of the copied image against the signature from the metadata. If this hash matches, the image will boot, giving the user assurance that it has not been tampered with.
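The signing step and the pre-boot check can be reproduced locally with OpenSSL to see how a modified image is rejected. This is an added example, not code from the Security Guide or from OpenStack; it assumes an RSA key with PSS padding and SHA-256, uses constructed file names and image contents, and keeps the key on disk instead of uploading it to Castellan.

```shell
#!/bin/sh
# Added example. File names and contents are constructed; nothing here talks to
# Glance, Nova or Castellan.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_sample_image() {   # constructed stand-in for a real image file
    printf 'constructed sample image contents\n' > "$WORK/image.img"
}

make_keys() {           # signer's key pair; the private key never leaves the signer
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# sign_image IMAGE OUT: write the base64-encoded signature of IMAGE to OUT.
sign_image() {
    openssl dgst -sha256 -sign "$WORK/private.pem" \
        -sigopt rsa_padding_mode:pss -out "$WORK/sig.bin" "$1" &&
    openssl base64 -A -in "$WORK/sig.bin" -out "$2"
}

# verify_image IMAGE SIG: exit status 0 only if SIG matches IMAGE.
verify_image() {
    openssl base64 -d -A -in "$2" -out "$WORK/sig.check" &&
    openssl dgst -sha256 -verify "$WORK/public.pem" \
        -sigopt rsa_padding_mode:pss -signature "$WORK/sig.check" "$1" \
        >/dev/null 2>&1
}

demo() {
    make_sample_image && make_keys &&
    sign_image "$WORK/image.img" "$WORK/image.sig.b64" || return 1
    verify_image "$WORK/image.img" "$WORK/image.sig.b64" &&
        echo "original image: signature valid, would boot"
    # Simulate tampering after signing: append one byte to a copy.
    cp "$WORK/image.img" "$WORK/tampered.img"
    printf 'x' >> "$WORK/tampered.img"
    verify_image "$WORK/tampered.img" "$WORK/image.sig.b64" ||
        echo "tampered image: signature invalid, boot refused"
}
demo
```

The base64 string written by `sign_image` corresponds to the encoded signature that travels with the image; a single appended byte is enough to make verification fail.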