Logo trust|me

Example: Using GuestOS debos

The GuestOS debos provides a basic integrity protected debian installer base image. This GuestOS type provides the ability to setup a confidential debian system inside a container. In order to achieve that, we use the setup mode for running a container instance of debos.

Prerequisites

You can verify that debos is installed by:

root@trustx-core:~# control list_guestos | grep debos
     name: "debos"

Creating container and installing debian

create a new container config skeleton file debian1.skel for the container e.g.:

name: "debian1"
guest_os: "debos"
color: 0
vnet_configs {
    if_name: "eth0"
    configure: true
}
image_sizes {
    image_name: "enc_root"
    image_size: 8192
}

The images_size argument overwrites the standard size of the encrypted writable data image which is mounted as rootfs in case of normal boot.

Create and start the container in setup mode:

control create debian1.skel
control start debian1 --key=trustme --setup

You can verify that the container has reached setup state by:

control state debian1

Now you can run commands inside the container to install a standard Linux system to /setup inside the container. The debos image contains a debootstrap util inside the container to setup a debian system. However, you could also try to run any other bootstrapping tool for another distribution, e.g., emerge. In that case, you have to download the bootstrapper first, loosing integrity protection of the installer. We proceed with debootstrap.

Remember that control run is somewhat experimental and not all characters, especially control characters like [Ctrl]+C, may work as expected.

control run debian1 /bin/bash

Now we are inside the container “debian1”.
You can check if the encrypted root is mounted on setup by calling mount

Install debian as follows:

export PATH=$PATH
debootstrap stretch /setup
printf '%s\n' '#!/bin/bash' '/sbin/cservice' 'exit 0' > /setup/etc/rc.local
chmod a+x /setup/etc/rc.local
exit

Now stop the container and start it normally:

control stop debian1
control start debian1 --key=trustme

Example: Using docker-convertos

Experimental, the converter may not work for every image on dockerhub!

Prerequisites

Creating converter container

Create a new container config skeleton file docker2.skel for the container e.g.:

name: "docker2"
guest_os: "docker-convertos"
color: 0
vnet_configs {
  if_name: "eth0"
  configure: true
}
image_sizes {
  image_name: "tmp"
  image_size: 8192
}
control run docker2 /bin/bash

Inside container:

export PATH=$PATH
/etc/init.d/lighttpd start
converter pull <dockerhub image> <tag>
/etc/init.d/lighttpd stop
exit

Creating instance of converted image

control list_guestos

Should show new GuestOS created from Dockerhub image with a name like “<image>_<tag>_<timestamp>

Create a new config skeleton /etc/templates/converted.skel for the image:

name: "converted3"
guest_os: "<image>_<tag>_<timestamp>"
color: 0
vnet_configs {
  if_name: "eth0"
  configure: true
}
control create converted.skel

Run it.

control start converted3 --key=trustme