Verifiable End-to-End Secure OCI Native Machines
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore a comprehensive conference talk on "project machine", an end-to-end secure toolchain for container images, machine images, and machines using signed OCI images. Learn how this approach combines existing tools like cosign, dm-verity, stacker, and zot with new tools and concepts to provide robust security guarantees for running hosts. Discover how the system ensures that boot will not proceed if any component of the firmware, shim, kernel, host or container filesystems, or host configuration has been modified. Understand the mechanisms that prevent firmware or UKI tampering from leaking LUKS keys and provisioned private keys. Gain insights into the verification process for confirming that a host has booted the exact software stack you signed. While the complete open-source implementation is still in development, this talk offers valuable information on the internal use of these security measures and encourages community feedback to shape its future development.
Syllabus
Verifiable End To End Secure OCI Native Machines - Serge Hallyn & Joy Latten, Cisco
Taught by
Linux Foundation
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network