Hi,
I have been asked to research and recommend a method to securely license guests on RHEL/KVM 6.2+ hosts. The guests will be running CentOS or RHEL (5.X or 6.2+).
The primary driver to license the software is that we will be selling Telecommunications software in countries where it is common to pirate software. As such, we are worried about the software being purchased one time and then multiple instances of the software being used.
We plan to use a USB security dongle (I hate that word!) of some kind. If we were running without virtualization, the solution is pretty straightforward. We would install the security dongle on the server and compile the licensing library which accessed the dongle into our code. We understand that this could be circumvented by a dedicated foe, but it would be reasonably secure.
However, as soon as the licensed code is running in a guest, things get a lot more complicated. My first thought was that we could use PCI passthrough to map the USB controller to one guest. Unfortunately, they want to have multiple guests access the same security dongle concurrently.
I could see using a bridge that is only on the host to allow the guests to communicate with the host, which proxies the requests to the security device. However, it would be pretty easy to connect a network tunnel to the bridge, which could allow guests at remote sites to access the security dongle, and this would allow the licensed software to be replicated.
Can anyone recommend a solution or partial solution to this issue?
Any thoughts are welcome,
David