BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.all-systems-go.io//all-systems-go-2025//9BRJGA
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-all-systems-go-2025-X3ZSXV@cfp.all-systems-go.io
DTSTART;TZID=CET:20250930T142000
DTEND;TZID=CET:20250930T144500
DESCRIPTION:All the big cloud providers provide your machines with a unique
  cryptographic identity that can be used to talk to their cloud services s
 ecurely without having to manage or rotate any cryptographic secrets yours
 elf.  For example GCP has Service accounts and AWS has IAM roles.  This ub
 iquity of cloud identity and the seamless integration with all the the ser
 vices of  these cloud providers is one of the reasons why they are so succ
 essful.\n\nSPIFFE (Secure Production Identity Framework For Everyone) trie
 s to unify these concepts of workload identity in a vendor neutral framewo
 rk. But how do we bootstrap our cryptographic identity securely when we ar
 e running things on our own hardware as opposed to on cloud? What is our b
 ottom turtle?\n\nIn this talk\, I will show how I use Nix in combination w
 ith the swiss-army knife of tools provided by systemd (ukify\, systemd-mea
 sure\,  systemd-repart\, systemd-veritysetup-generator) to create reproduc
 ible images for which we can predict TPM measurements.\n\nPaired with a cu
 stom attestation plugin for SPIRE (the reference CA server for SPIFFE) tha
 t uses TPM remote attestation I can give each of my servers a unique ident
 ity encoded in a TLS certificate if and only if they were booted up with t
 he software that I intended them to boot up with.\n\nThis then allows me t
 o have workloads talk to each other with mutual TLS without having to mana
 ge any keys or certificates myself.
DTSTAMP:20260315T023639Z
LOCATION:Galerie
SUMMARY:Look ma\, no secrets! - bootstrapping cryptographic trust in my hom
 elab using Nix\, UKIs\, TPMs and SPIFFE - Arian van Putten
URL:https://cfp.all-systems-go.io/all-systems-go-2025/talk/X3ZSXV/
END:VEVENT
END:VCALENDAR