
trustedboot docs #133

Merged
merged 15 commits into from
Feb 2, 2024

Conversation

mudler
Member

@mudler mudler commented Jan 23, 2024


netlify bot commented Jan 23, 2024

Deploy Preview for kairos-io ready!

Name Link
🔨 Latest commit 0a4afc2
🔍 Latest deploy log https://app.netlify.com/sites/kairos-io/deploys/65bd24142bbe8400085aca59
😎 Deploy Preview https://deploy-preview-133--kairos-io.netlify.app

content/en/docs/Architecture/trustedboot.md

Trusted Boot in Kairos works by generating UKI images from container images. The UKI file is a single, fat binary that encompasses the OS and the needed bits in order to boot the full system with a single, verified file. This file can be used for upgraes and used as usual in the lifecycle of the Kairos node.

The UKI file is signed with the Secure Boot keys, and the user-data is encrypted with the PCR policies. The UKI file is then loaded by the firmware and booted directly, without any second stage or system pivoting. This is why the UKI file can grow large, and why it requires a specific firmware that supports booting large EFI files.
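Review bot: "upgraes" in the first paragraph should be "upgrades". In the second paragraph, "the user-data is encrypted with the PCR policies" reads as if the policy itself were the cipher; suggest wording it as the user-data being encrypted with a key bound to a TPM PCR policy, consistent with the Requirements section of the same change, which describes the PCR keypair as what is needed to encrypt and decrypt the user-data. The closing sentence about large EFI files would also be clearer if it named the concrete effect on firmware and memory that a reader has to plan for, since the file is loaded whole rather than staged.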
Contributor


and more RAM?

content/en/docs/Architecture/trustedboot.md

Kairos supports Trusted boot by generating specific installable medium. This feature is optional and works alongside how Kairos works.

## Requirements
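Review bot: "works alongside how Kairos works" in the intro paragraph is circular and tells the reader nothing about what is or is not changed; suggest "This feature is optional and does not replace the standard Kairos boot and upgrade flow". "generating specific installable medium" also needs an article ("a specific installable medium"), and the "Requirements" heading that follows would benefit from a one-line statement of what it covers (keys, firmware support, build tooling) so readers know the section is about prerequisites rather than hardware sizing.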
Contributor


RAM requirements? Maybe expressed in relation to the ISO size?

In order to boot into UKI mode, you need to build a special ISO file with the UKI files. To build this medium you have to generate a set of keypairs first: one for the Secure boot and one for the PCR policies required to encrypt the user-data.

Any change, or upgrade of the node to a new version of the OS requires those assets to be regenerated with these keypairs, including the installer ISO, and the EFI files used for upgrading. The keys are used to *sign* and *verify* the EFI files, and the PCR policies are used to *encrypt* and *decrypt* the user-data, and thus are required to be the same for the whole lifecycle of the node.
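Review bot: the second paragraph states the keypairs must stay the same for the whole lifecycle of the node but stops short of the consequence that matters operationally: if the Secure Boot signing keypair or the PCR policy keypair is lost, no new installer ISO or upgrade EFI can be produced that the node will verify, and the encrypted user-data cannot be unlocked by a rebuilt image. Suggest adding a sentence to that effect and a pointer to back the keypairs up before the first installation. Also, "one for the Secure boot" should be "Secure Boot" to match the capitalisation used elsewhere in this change.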
Contributor


"those assets" is a bit confusing there. Last thing we talked about was the keys, and it's not the assets we refer to (it's the ISO).

content/en/docs/Installation/trustedboot.md

### Installation

The installation process is performed as usual and the [Installation instructions]({{< relref "../installation" >}}) can be followed, however the difference is that user-data will be automatically encrypted (both the OEM and the persistent partition) by using the TPM chip and the Trusted Boot mechanism.
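Review bot: "by using the TPM chip and the Trusted Boot mechanism" is too vague for the one sentence that describes the security property of the install; suggest tying it back to the Requirements section of this change by saying the OEM and persistent partitions are encrypted with a key bound to the PCR policy keypair generated there, so they only unlock when the node has booted the signed UKI. The sentence is also a run-on; splitting at "however" into two sentences would help.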
Contributor


Is there a way to have a remote KMS in the UKI case? Should we mention that here?

Member Author


I would not add it until we tackle it in kairos-io/kairos#2166

content/en/docs/Installation/trustedboot.md
@mudler mudler changed the title wip: trustedboot docs trustedboot docs Feb 2, 2024
@mudler mudler marked this pull request as ready for review February 2, 2024 17:18
@mudler mudler merged commit 8dd36bd into main Feb 2, 2024
4 of 5 checks passed
@jimmykarily jimmykarily deleted the uki_docs branch February 6, 2024 08:42