trustedboot docs #133
Merged
trustedboot docs #133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for kairos-io ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
jimmykarily
reviewed
Jan 25, 2024
Itxaka
reviewed
Jan 25, 2024
This was referenced Jan 29, 2024
Co-authored-by: Mauro Morales <mauro.morales@spectrocloud.com>
Itxaka
reviewed
Jan 29, 2024
Itxaka
reviewed
Jan 29, 2024
Itxaka
reviewed
Jan 29, 2024
Co-authored-by: Itxaka <itxaka.garcia@spectrocloud.com>
jimmykarily
reviewed
Jan 31, 2024
jimmykarily
reviewed
Jan 31, 2024
jimmykarily
reviewed
Jan 31, 2024
|
|
||
| Trusted Boot in Kairos works by generating UKI images from container images. The UKI file is a single, fat binary that encompasses the OS and the needed bits in order to boot the full system with a single, verified file. This file can be used for upgraes and used as usual in the lifecycle of the Kairos node. | ||
|
|
||
| The UKI file is signed with the Secure Boot keys, and the user-data is encrypted with the PCR policies. The UKI file is then loaded by the firmware and booted directly, without any second stage or system pivoting. This is why the UKI file can grow large, and why it requires a specific firmware that supports booting large EFI files. |
|
|
||
| Kairos supports Trusted boot by generating specific installable medium. This feature is optional and works alongside how Kairos works. | ||
|
|
||
| ## Requirements |
There was a problem hiding this comment.
RAM requirements? Maybe expressed in relation to the ISO size?
|
|
||
| In order to boot into UKI mode, you need to build a special ISO file with the UKI files. To build this medium you have to generate a set of keypairs first: one for the Secure boot and one for the PCR policies required to encrypt the user-data. | ||
|
|
||
| Any change, or upgrade of the node to a new version of the OS requires those assets to be regenerated with these keypairs, including the installer ISO, and the EFI files used for upgrading. The keys are used to *sign* and *verify* the EFI files, and the PCR policies are used to *encrypt* and *decrypt* the user-data, and thus are required to be the same for the whole lifecycle of the node. |
There was a problem hiding this comment.
"those assets" is a bit confusing there. Last thing we talked about was the keys, and it's not the assets we refer to (it's the ISO).
|
|
||
| ### Installation | ||
|
|
||
| The installation process is performed as usual and the [Installation instructions]({{< relref "../installation" >}}) can be followed, however the difference is that user-data will be automatically encrypted (both the OEM and the persistent partition) by using the TPM chip and the Trusted Boot mechanism. |
There was a problem hiding this comment.
Is there a way to have a remote KMS in the UKI case? Should we mention that here?
There was a problem hiding this comment.
I would not add it until we tackle it in kairos-io/kairos#2166
Co-authored-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Co-authored-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Co-authored-by: Itxaka <itxaka.garcia@spectrocloud.com>
Co-authored-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Co-authored-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Co-authored-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
relates to kairos-io/kairos#2175