
Malte Poll
The latest version 2.2.0 of Constellation, our Confidential Kubernetes Engine, has exciting new features. Let's have a look at how mkosi helps to reduce the trusted computing base (TCB), simplify the measured boot chain and harden the user space, all while delivering the latest Linux kernel optimized for containerized workloads.
All of those features (and more) are used in Constellation starting with v2.2.0:
Previously, Constellation was built on top of Fedora CoreOS, a specialized version of Fedora designed for containers. It's a great base for Kubernetes and uses OSTree for transactional updates --- making the underlying filesystem almost immutable. This made it straightforward for us to add the extra features required for measured boot, most importantly dm-verity to protect the root file system.
Looking at the boot chain used by Fedora CoreOS, we identified potential optimizations:
GRUB is a great bootloader for complex setups. It supports legacy boot and dual boot, has a sophisticated configuration format, and much more. Only a tiny subset of this functionality is needed for Constellation.
CoreOS is already smaller than general-purpose Linux as it is tailored for containers. Still, it ships ~400 packages by default and we only need a fraction of those. Reducing the amount of code in our images is a great way to shrink the trusted computing base and improve the overall security of Constellation.
This is where mkosi comes in. mkosi (short for "Make Operating System Image") takes a declarative configuration and builds an OS image from it. It supports all of the popular Linux distributions including Fedora and has excellent support for immutable images and measured boot.
How does all of this work? At its core, mkosi uses the bootstrapping mechanisms provided by the distribution's package manager: for Debian-based distributions this is Debootstrap, and on Fedora it is dnf --installroot. Constellation installs only a minimal set of required packages, reducing both the image size and the number of potentially vulnerable components.
But it gets better. Instead of GRUB loading a separate kernel, initramfs, and command line, Constellation now uses the much smaller systemd-boot as the bootloader together with a unified kernel image (UKI), which combines the kernel, initramfs, and command line into one component that is loaded and measured together.
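A UKI is a PE/COFF binary whose kernel, initramfs and command line live in named sections (.linux, .initrd, .cmdline, plus .osrel), which is why the whole thing can be loaded and measured as one unit. The following added example (not code from the Constellation project or this post) walks the PE section table to list those sections, report which required ones are missing, and extract the baked-in command line; the sample image is constructed in memory with placeholder payloads so it runs offline, and `uki_sections()` can equally be pointed at a real UKI file.

```python
import struct

REQUIRED_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel")  # kernel, initramfs, cmdline, os-release

def uki_sections(pe: bytes) -> dict:
    """Return {section name: contents} by walking the PE/COFF section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    sections = {}
    for i in range(n_sections):
        hdr = table + 40 * i                   # one 40-byte header per section
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        size = vsize or raw_size               # raw data may be padded; VirtualSize is exact
        sections[name] = pe[raw_ptr:raw_ptr + size]
    return sections

def missing_sections(pe: bytes) -> tuple:
    """Required UKI sections absent from the image (empty tuple means complete)."""
    present = uki_sections(pe)
    return tuple(s for s in REQUIRED_SECTIONS if s not in present)

def uki_cmdline(pe: bytes) -> str:
    """Kernel command line baked into the image, measured together with kernel and initrd."""
    return uki_sections(pe).get(".cmdline", b"").rstrip(b"\0").decode()

def build_pe(sections: dict) -> bytes:
    """Assemble a minimal PE/COFF file from named sections (constructed test input only)."""
    n, data_off = len(sections), 0x40 + 4 + 20 + 40 * len(sections)  # no optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x22)    # x86-64, n sections
    hdrs, blobs = b"", b""
    for name, body in sections.items():
        hdrs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), 0, len(body), data_off + len(blobs), 0, 0, 0, 0, 0x40000040)
        blobs += body
    return dos + b"PE\0\0" + coff + hdrs + blobs

# Constructed sample UKI with placeholder payloads standing in for a real kernel and initrd.
SAMPLE_UKI = build_pe({
    ".osrel": b"ID=fedora\n",
    ".cmdline": b"console=ttyS0 roothash=<ROOT-HASH-PLACEHOLDER>\0",
    ".linux": b"<KERNEL-PLACEHOLDER>", ".initrd": b"<INITRD-PLACEHOLDER>",
})
```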
mkosi can also protect the root filesystem with dm-verity itself, with no custom tooling required. Lastly, mkosi can sign every component of the boot chain for Secure Boot, out of the box.
🤫 One more thing: we are working on generating SBOMs for Constellation OS images and have more to announce soon.
We are excited to see what you can do with Constellation! Read the docs for more information or say hi on Discord.