Reproducible and Immutable OS Images with NixOS
09-25, 09:30–10:10 (Europe/Berlin), Main Hall

Many consider NixOS a great tool for declaratively defining their OS, but only a few know about its capabilities for image-based Linux. NixOS offers the tools to combine modern technologies such as discoverable disk images (DDIs), unified kernel images (UKIs), and TPM-based measured boot, turning declarative configurations into security-focused, immutable OS images for both the server and the desktop.

This talk showcases how we build such reproducible and immutable DDIs with NixOS, and how ukify, systemd-repart, dm-verity and measured boot are involved in that process. We will also briefly cover Secure Boot support in NixOS through the Lanzaboote project, and what else is yet to come for image-based NixOS.

Moritz is a security software engineer at Edgeless Systems, where he works on confidential computing in cloud environments. He works on reproducible NixOS images that are used to provide immutable, attestable and trustworthy systems, backed by confidential computing and TPMs.

Besides that, as a hobbyist, he also works on NixOS and the nixpkgs repository.

To reach out, contact msanft via github.com.