-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trustedboot docs #133
trustedboot docs #133
Conversation
✅ Deploy Preview for kairos-io ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Co-authored-by: Mauro Morales <[email protected]>
Co-authored-by: Itxaka <[email protected]>
|
||
Trusted Boot in Kairos works by generating UKI images from container images. The UKI file is a single, fat binary that encompasses the OS and the needed bits in order to boot the full system with a single, verified file. This file can be used for upgraes and used as usual in the lifecycle of the Kairos node. | ||
|
||
The UKI file is signed with the Secure Boot keys, and the user-data is encrypted with the PCR policies. The UKI file is then loaded by the firmware and booted directly, without any second stage or system pivoting. This is why the UKI file can grow large, and why it requires a specific firmware that supports booting large EFI files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and more RAM?
|
||
Kairos supports Trusted boot by generating specific installable medium. This feature is optional and works alongside how Kairos works. | ||
|
||
## Requirements |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RAM requirements? Maybe expressed in relation to the ISO size?
|
||
In order to boot into UKI mode, you need to build a special ISO file with the UKI files. To build this medium you have to generate a set of keypairs first: one for the Secure boot and one for the PCR policies required to encrypt the user-data. | ||
|
||
Any change, or upgrade of the node to a new version of the OS requires those assets to be regenerated with these keypairs, including the installer ISO, and the EFI files used for upgrading. The keys are used to *sign* and *verify* the EFI files, and the PCR policies are used to *encrypt* and *decrypt* the user-data, and thus are required to be the same for the whole lifecycle of the node. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"those assets" is a bit confusing there. Last thing we talked about was the keys, and it's not the assets we refer to (it's the ISO).
|
||
### Installation | ||
|
||
The installation process is performed as usual and the [Installation instructions]({{< relref "../installation" >}}) can be followed, however the difference is that user-data will be automatically encrypted (both the OEM and the persistent partition) by using the TPM chip and the Trusted Boot mechanism. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to have a remote KMS in the UKI case? Should we mention that here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would not add it until we tackle it in kairos-io/kairos#2166
Co-authored-by: Dimitris Karakasilis <[email protected]>
Co-authored-by: Dimitris Karakasilis <[email protected]>
Co-authored-by: Itxaka <[email protected]>
Co-authored-by: Dimitris Karakasilis <[email protected]>
Co-authored-by: Dimitris Karakasilis <[email protected]>
Co-authored-by: Dimitris Karakasilis <[email protected]>
relates to kairos-io/kairos#2175