Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

docs: Updates for transition CoreOS -> mkosi / Fedora

Browse Source
This commit is contained in:
Malte Poll 2022-10-12 14:19:21 +02:00 committed by Malte Poll
parent 835f7702a4
commit a901759725
3 changed files with 49 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
docs/docs/architecture/attestation.md
View File

@ -132,22 +132,25 @@ The following table lists all PCR values of the vTPM and the measured components
It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
The latter means that the value can be generated offline and compared to the one in the vTPM. The latter means that the value can be generated offline and compared to the one in the vTPM.
| PCR | Components | Measured by | Reproducible and verifiable | | PCR | Components | Measured by | Reproducible and verifiable |
|---------------|-------------------------------------|---------------------------------|-----------------------------| | ----------- | ---------------------------------------------------------------- | ------------------------------- | --------------------------- |
| 0 | Firmware | Azure | No | | 0 | Firmware | Azure | No |
| 1 | Firmware | Azure | No | | 1 | Firmware | Azure | No |
| 2 | Firmware | Azure | No | | 2 | Firmware | Azure | No |
| 3 | Firmware | Azure | No | | 3 | Firmware | Azure | No |
| 4 | Constellation Bootloader, GRUB | Azure, Constellation Bootloader | Yes | | 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | Azure, Constellation Bootloader | Yes |
| 5 | Reserved | Azure | No | | 5 | Reserved | Azure | No |
| 6 | VM Unique ID | Azure | No | | 6 | VM Unique ID | Azure | No |
| 7 | Secure Boot State | Azure, Constellation Bootloader | No | | 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | Kernel command line, GRUB config | Constellation Bootloader | Yes | | 8 | Kernel command line | Constellation Bootloader | Yes |
| 9 | Kernel, initramfs | Constellation Bootloader | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No | | 10 | Reserved | - | No |
| 11 | Reserved | Constellation Bootstrapper | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | ClusterID | Constellation Bootstrapper | Yes | | 12 | Reserved | (Constellation Bootloader) | Yes |
| 13–23 | Unused | - | - | | 13 | Reserved | (Constellation Bootloader) | Yes |
| 14 | Secure Boot State | Constellation Bootloader | No |
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16–23 | Unused | - | - |
</tabItem> </tabItem>
<tabItem value="gcp" label="GCP"> <tabItem value="gcp" label="GCP">
@ -162,22 +165,25 @@ The following table lists all PCR values of the vTPM and the measured components
It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
The latter means that the value can be generated offline and compared to the one in the vTPM. The latter means that the value can be generated offline and compared to the one in the vTPM.
| PCR | Components | Measured by | Reproducible and verifiable | | PCR | Components | Measured by | Reproducible and verifiable |
|---------------|----------------------------------|-------------------------------|-----------------------------| | ----------- | ---------------------------------------------------------------- | ----------------------------- | --------------------------- |
| 0 | CVM constant string | GCP | No | | 0 | CVM constant string | GCP | No |
| 1 | Reserved | GCP | No | | 1 | Reserved | GCP | No |
| 2 | Reserved | GCP | No | | 2 | Reserved | GCP | No |
| 3 | Reserved | GCP | No | | 3 | Reserved | GCP | No |
| 4 | Constellation Bootloader, GRUB | GCP, Constellation Bootloader | Yes | | 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | GCP, Constellation Bootloader | Yes |
| 5 | Disk GUID partition table | GCP | No | | 5 | Disk GUID partition table | GCP | No |
| 6 | Disk GUID partition table | GCP | No | | 6 | Disk GUID partition table | GCP | No |
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | | 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | Kernel command line, GRUB config | Constellation Bootloader | Yes | | 8 | Kernel command line | Constellation Bootloader | Yes |
| 9 | Kernel, initramfs | Constellation Bootloader | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No | | 10 | Reserved | - | No |
| 11 | Reserved | Constellation Bootstrapper | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | ClusterID | Constellation Bootstrapper | Yes | | 12 | Reserved | (Constellation Bootloader) | Yes |
| 13&ndash;23 | Unused |- | - | | 13 | Reserved | (Constellation Bootloader) | Yes |
| 14 | Secure Boot State | Constellation Bootloader | No |
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16&ndash;23 | Unused | - | - |
</tabItem> </tabItem>
</tabs> </tabs>

4
docs/docs/architecture/components.md
View File

@ -17,8 +17,8 @@ flowchart LR
subgraph admin [Admin's machine] subgraph admin [Admin's machine]
A[Constellation CLI] A[Constellation CLI]
end end
subgraph img [CoreOS image] subgraph img [Constellation OS image]
B[CoreOS] B[Constellation OS]
C[Bootstrapper] C[Bootstrapper]
end end
subgraph Kubernetes subgraph Kubernetes

14
docs/docs/architecture/images.md
View File

@ -1,16 +1,20 @@
# Constellation images # Constellation images
Constellation uses [Fedora CoreOS](https://docs.fedoraproject.org/en-US/fedora-coreos/) as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and is designed to have an immutable filesystem. Constellation uses a minimal version of Fedora as the operating system running inside confidential VMs. This Linux distribution is optimized for containers and designed to be stateless.
The Constellation images extend on that concept by leveraging measured boot and verification of the root filesystem. The Constellation images provide measured boot and an immutable filesystem.
## Measured boot ## Measured boot
```mermaid ```mermaid
flowchart LR flowchart LR
Firmware --> Bootloader Firmware --> Bootloader
Bootloader --> kernel Bootloader --> uki
Bootloader --> initramfs subgraph uki[Unified Kernel Image]
initramfs --> rootfs[root filesystem] Kernel[Kernel]
initramfs[Initramfs]
cmdline[Kernel Command Line]
end
uki --> rootfs[Root Filesystem]
``` ```
Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning. Measured boot uses a Trusted Platform Module (TPM) to measure every part of the boot process. This allows for verification of the integrity of a running system at any point in time. To ensure correct measurements of every stage, each stage is responsible to measure the next stage before transitioning.