docs: publish

Thomas Tendyck 2023-07-10 09:06:14 +02:00 committed by Thomas Tendyck
parent 0aaf58b710
commit 2c1da48437
15 changed files with 70 additions and 33 deletions

View file

@ -144,7 +144,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
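Review bot: The new PCR 10 row marks the value as `No[^1]` in the last column, so a reader of the table learns only that the value cannot be compared to a constant, not what is verified instead; that explanation lives solely in a footnote at the end of the page. Consider making the cell self-explanatory, e.g. `No (event log checked against a policy)[^1]`, so the table reads correctly on its own.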
@ -177,7 +177,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
@ -209,7 +209,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
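Review bot: This is the third identical replacement of the PCR 10 row (Azure, GCP and AWS tables all now read `| 10 | User space | Linux IMA | No[^1] |`), which is consistent, but the IMA caveat is platform-independent; a short sentence above the three tables would spare readers the footnote round trip and leave one place to update instead of three if the wording changes.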
@ -267,3 +267,9 @@ flowchart LR
D["Public key"]-- "verifies" -->E["Runtime measurements"]
E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
```
## References
[^1]: Linux IMA produces runtime measurements of user-space binaries.
However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value.
Instead, a policy engine must be used to verify the TPM event log against a policy.
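Review bot: The two continuation lines of the footnote (`However, ...` and `Instead, ...`) are not indented under `[^1]:`, so they only stay part of the footnote through lazy paragraph continuation; indent them by four spaces so every Markdown footnote renderer keeps them inside the note. Also add a blank line between the closing ``` fence of the flowchart and the new `## References` heading for readability, and consider naming the section `Notes`, since the entry is a caveat rather than a reference.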

View file

@ -7,7 +7,7 @@ Additional `PATCH` releases may be created on demand, to fix security issues or
New releases are published on [GitHub](https://github.com/edgelesssys/constellation/releases).
### Kubernetes support policy
## Kubernetes support policy
Constellation is aligned to the [version support policy of Kubernetes](https://kubernetes.io/releases/version-skew-policy/#supported-versions), and therefore usually supports the most recent three minor versions.
When a new minor version of Kubernetes is released, support is added to the next Constellation release, and that version then supports four Kubernetes versions.
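Review bot: Promoting `### Kubernetes support policy` to `##` changes the page outline; check that the section the preceding `PATCH` release text belongs to is also a `##` heading, so the support policy becomes its sibling rather than a stray top-level section under a `###` neighbour, and that the remaining headings on the page follow the same level.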