Hi,
I have been asked to research and recommend a method to securely license
guests on RHEL/KVM 6.2+ hosts. The guests will be running CentOS or RHEL
(5.X or 6.2+).
The primary driver to license the software is that we will be selling
Telecommunications software in countries where it is common to pirate
software. As such, we are worried about the software being purchased one
time and then multiple instances of the software being used.
We plan to use a USB security dongle (I hate that word!) of some kind. If
we were running without virtualization, the solution is pretty
straightforward. We would install the security dongle on the server and compile
the licensing library which accessed the dongle into our code. We
understand that this could be circumvented by a dedicated foe, but it would
be reasonably secure.
However, as soon as the licensed code is running in a guest, things get a
lot more complicated. My first thought was that we could use PCI
passthrough to map the USB controller to one guest. Unfortunately, they
want to have multiple guests access the same security dongle concurrently.
I could see using a bridge that is only on the host to allow the guests to
communicate with the host which proxies the requests to the security
device. However, it would be pretty easy to connect a network tunnel to
the bridge which could allow guests at remote sites to access the security
dongle and this would allow the licensed software to be replicated.
Can anyone recommend a solution or partial solution to this issue?
Any thoughts are welcome,
David