All Systems Go! 2025

UKI, composefs and remote attestation for Bootable Containers
2025-10-01 , Main

With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.

Using composefs and fs-verity, we can link a UKI to a complete read only filesystem tree, guaranteeing that every system file is verified on load. We integrate this in bootc by creating a reliable way to turn container images into composefs filesystem trees, and then including the UKI in the container image.

We will share the progress on the integration of UKI and composefs in bootc and how we are going to enable remote attestation for those systems using trustee, notably for Confidential Computing use cases.


https://github.com/containers/composefs-rs
https://github.com/bootc-dev/bootc
https://github.com/confidential-containers/trustee

Timothée Ravier is a CoreOS engineer at Red Hat. He maintains the Fedora Atomic Desktops. He is a KDE developer and helps maintain KDE Applications as Flatpaks on Flathub.

This speaker also appears in: