UKI, composefs and remote attestation for Bootable Containers
Автор: All Systems Go!
Загружено: 2025-10-01
Просмотров: 399
https://media.ccc.de/v/all-systems-go...
With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.
Using composefs and fs-verity, we can link a UKI to a complete read only filesystem tree, guaranteeing that every system file is verified on load. We integrate this in bootc by creating a reliable way to turn container images into composefs filesystem trees, and then including the UKI in the container image.
We will share the progress on the integration of UKI and composefs in bootc and how we are going to enable remote attestation for those systems using trustee, notably for Confidential Computing use cases.
https://github.com/containers/compose...
https://github.com/bootc-dev/bootc
https://github.com/confidential-conta...
Timothée Ravier, Pragyan, Vitaly Kuznetsov
https://cfp.all-systems-go.io/all-sys...
#asg2025
Licensed to the public under https://creativecommons.org/licenses/...
Доступные форматы для скачивания:
Скачать видео mp4
-
Информация по загрузке:
![Детектирование виртуальных машин: как оно работает и как его обходят [RU]](https://image.4k-video.ru/id-video/W-KGmGH_IZ4)
