{"guid":"1c377bca-6794-5d78-aaf1-553fd2d42538","title":"The road to a trusted and measured boot chain in Bootable Containers","subtitle":null,"slug":"all-systems-go-2024-309-the-road-to-a-trusted-and-measured-boot-chain-in-bootable-containers","link":"https://cfp.all-systems-go.io/all-systems-go-2024/talk/HVEZQQ/","description":"Fedora image-based variants (CoreOS, Atomic Desktops, IoT) are currently built using ostree and rpm-ostree. This enables a hybrid approach where the system is managed like an image but modifications are still possible using RPMs.\n\nBut this approach has limits:\n- It is difficult for users to customize their operating system and share those customizations.\n- The integrity of the boot chain is not guaranteed and it is costly to validate the system content at runtime.\n\nTo address those shortcomings, we are introducing the bootable containers (bootc) project. With bootable containers, the content of the operating system, including the kernel and initrd (or a UKI), is shipped in a container image alongside its corresponding base userspace root filesystem. This image can then be modified using container-native tools and shared via a container registry.\n\nTo chain from platform Secure Boot to a verified root filesystem, the ostree project has integrated support for composefs. It combines multiple Linux kernel features (overlayfs, EROFS and fs-verity) to provide read-only mountable filesystem trees stacking on top of an underlying \"lower\" Linux filesystem.\n\nWe will detail how we are integrating composefs and UKI support in Bootable Containers to enable a trusted and measured boot chain while letting users customize and re-sign their images to fit their needs.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Timothée Ravier","JB Trystram"],"tags":["309","asg2024","Main Hall","2024","Day 1"],"view_count":170,"promoted":false,"date":"2024-09-25T11:55:00.000+02:00","release_date":"2024-09-25T00:00:00.000+02:00","updated_at":"2026-03-21T16:30:05.588+01:00","length":2435,"duration":2435,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/309-1c377bca-6794-5d78-aaf1-553fd2d42538.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/309-1c377bca-6794-5d78-aaf1-553fd2d42538_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/309-1c377bca-6794-5d78-aaf1-553fd2d42538.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2024/309-1c377bca-6794-5d78-aaf1-553fd2d42538.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2024-309-the-road-to-a-trusted-and-measured-boot-chain-in-bootable-containers","url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_title":"All Systems Go! 2024","conference_url":"https://api.media.ccc.de/public/conferences/asg2024","related":[],"recordings":[{"size":219,"length":2435,"mime_type":"video/webm","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-09-25T15:49:03.115+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/webm-hd/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/80176","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":96,"length":2435,"mime_type":"video/webm","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-09-25T15:43:56.807+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/webm-sd/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/80173","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":77,"length":2435,"mime_type":"video/mp4","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-09-25T15:22:36.166+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/h264-sd/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_sd.mp4","url":"https://api.media.ccc.de/public/recordings/80164","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":37,"length":2435,"mime_type":"audio/mpeg","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2024-09-25T15:20:50.556+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/mp3/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/80163","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":25,"length":2435,"mime_type":"audio/opus","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2024-09-25T15:20:22.575+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/opus/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_opus.opus","url":"https://api.media.ccc.de/public/recordings/80162","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"},{"size":223,"length":2435,"mime_type":"video/mp4","language":"eng","filename":"asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-09-25T15:20:06.469+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2024/h264-hd/asg2024-309-eng-The_road_to_a_trusted_and_measured_boot_chain_in_Bootable_Containers_hd.mp4","url":"https://api.media.ccc.de/public/recordings/80161","event_url":"https://api.media.ccc.de/public/events/1c377bca-6794-5d78-aaf1-553fd2d42538","conference_url":"https://api.media.ccc.de/public/conferences/asg2024"}]}