JB Trystram

I work on Fedora CoreOS


Session

09-25
11:55
40min
The road to a trusted and measured boot chain in Bootable Containers
Timothée Ravier, JB Trystram

Fedora image based variants (CoreOS, Atomic Desktops, IoT) are currently built using ostree and rpm-ostree. This enables an hybrid approach where the system is managed like an image but modifications are still possible using RPMs.

But this approach has limits:
- It is difficult for users to customize their operating system and share those customizations.
- The integrity of the boot chain is not guarenteed and it is costly to validate the system content at runtime.

To address those shortcomings, we are introducing the bootable containers (bootc) project. With bootable containers, the content of the operating system, including the kernel and initrd (or a UKI) is shipped in a container image alongside its corresponding base userspace root filesystem. This image can then be modified using container native tools and shared via a container registry.

To chain from platform Secure Boot to a verified root filesystem, the ostree project has integrated support for composefs. It combines multiple Linux kernel features (overlayfs, EROFS and fs-verity) to provide read-only mountable filesystem trees stacking on top of an underlying "lower" Linux filesystem.

We will detail how we are integrating composefs and UKI support in Bootable Containers to enable a trusted and measured boot chain while letting users customize and re-sign their images to fit their needs.

Main Hall