Talos Linux - TrustedBoot for a minimal Immutable OS
Noel Georgi (he/him/they/them)
The Talos Linux distribution is built from scratch with the goal of providing a secure, verified, and minimal-footprint operating system for running Kubernetes clusters. Talos is designed to be immutable, minimal, and secure. Talos includes only the bare minimum required to run Kubernetes.
This talk will cover how Talos uses Unified Kernel Images (UKIs) to provide immutable, verified, and secure booting. We will also cover how Talos partially conforms to the Linux Userspace API Group (UAPI) specification to implement some of the best practices with regard to fully verifiable TrustedBoot extending into userspace.
With the upcoming Talos 1.5 release, Talos ships with custom ISO and metal images that are UKI compliant. This means that the kernel, initramfs, and the root filesystem are all signed and verified by the bootloader. This allows Talos to provide a fully verified boot process from the bootloader to the userspace attested by TPM.
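The TPM attestation mentioned above rests on measured boot: the stub extends a PCR with a hash of each UKI section it loads, and a tool such as systemd-measure pre-calculates the expected PCR value from the same sections so it can be compared against (or bound to) the running machine. The following Python is an added example, not Talos code or systemd code, that models that PCR extension chain for a constructed set of UKI sections. The section names and measurement order follow the systemd UKI specification as the author understands it, and the "hash the raw section content" step is a simplification of the real sd-stub event log; treat both as assumptions of this example.

```python
import hashlib

# Constructed sample UKI section contents; these are placeholders, not a real
# Talos kernel, initramfs or cmdline.
SAMPLE_SECTIONS = {
    ".linux": b"<constructed kernel image bytes>",
    ".osrel": b"NAME=Talos\nVERSION_ID=<example>\n",
    ".cmdline": b"talos.platform=metal console=ttyS0",
    ".initrd": b"<constructed initramfs bytes>",
}

# Order in which the stub measures UKI sections into PCR 11 (assumed from the
# systemd UKI specification; unknown/absent sections are simply skipped).
MEASURED_ORDER = (".linux", ".osrel", ".cmdline", ".initrd",
                  ".splash", ".dtb", ".uname", ".sbat", ".pcrpkey")


def pcr_extend(pcr: bytes, data: bytes, algo: str = "sha256") -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || H(data))."""
    digest = hashlib.new(algo, data).digest()
    return hashlib.new(algo, pcr + digest).digest()


def predict_pcr11(sections: dict, algo: str = "sha256"):
    """Pre-calculate PCR 11 from UKI section contents (systemd-measure style).

    Returns (final_pcr_value, event_log) where event_log lists each measured
    section with the digest that was extended, so a reader can see which
    section changed when two predictions disagree.
    """
    pcr = bytes(hashlib.new(algo).digest_size)  # PCRs start at all-zero
    log = []
    for name in MEASURED_ORDER:
        if name in sections:
            pcr = pcr_extend(pcr, sections[name], algo)
            log.append((name, hashlib.new(algo, sections[name]).hexdigest()))
    return pcr, log


def attest(reported_pcr: bytes, sections: dict, algo: str = "sha256"):
    """Compare a PCR value reported by the TPM with the expected value.

    On mismatch, report the first section whose digest differs from the
    expected event log (constructed here by re-predicting from `sections`).
    """
    expected, _ = predict_pcr11(sections, algo)
    return reported_pcr == expected


if __name__ == "__main__":
    good_pcr, log = predict_pcr11(SAMPLE_SECTIONS)
    for name, digest in log:
        print(f"{name:10s} {digest}")
    print("PCR11 =", good_pcr.hex())

    # An attacker-modified kernel command line yields a different PCR 11, so
    # a disk-encryption key sealed against the good value would not unseal.
    tampered = dict(SAMPLE_SECTIONS, **{".cmdline": b"talos.platform=metal init=/bin/sh"})
    bad_pcr, _ = predict_pcr11(tampered)
    print("tampered cmdline accepted:", attest(bad_pcr, SAMPLE_SECTIONS))
```

The point a practitioner should take from this model is that the PCR value is order- and content-dependent: any change to any measured section, or to the sequence of measurements, produces a different final value, which is why a rebuilt UKI needs a fresh pre-calculated PCR policy before a sealed secret will unseal against it.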
This talk will cover the following topics:
- Building UKI (ukify.py implementation in Go)
- Issues with reproducibility
- sd-boot
- sd-stub
- Upgrades/Rollbacks
- systemd-measure and systemd-cryptenroll partial implementation in Go
Future work:
- IMA attestations for userspace runtime binaries (etcd, kubelet, containerd, etc)
- Talos system extensions as sd-stub compatible sysexts
- Kexec with Secure Boot (how can we verify that the TPM PCR values are populated correctly with values from the new UKI)