Overview of Ubuntu Core

Board bring-up: kernel and the gadget snaps

 * The kernel snap and the gadget snap enable particular hardware.
 * The gadget snap provides the bootloader, typically GRUB for X86 and U-Boot for ARM.
 * Capabilities like full disk encryption and secure boot are enabled in the gadget snap.

Auto rollback for kernel and base snaps

 * When a kernel or a base (core18, core16) snap is installed, the system reboots
 * Boot logic evaluates kernel/base snap viability
 * If not viable, system boots with the previous kernel/base snap
 * This mechanism protects system operations from a bad kernel/base snap release
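
A simplified model of the rollback sequence listed above, added here as an illustration; it is not snapd or bootloader code. The BootEnv fields, the "try"/"trying" states and all function names are assumptions made for this example, and a non-viable boot is assumed to end in another reboot.

```python
# Added illustration: simplified model of try-boot rollback.
# All names (BootEnv, mode, try_snap, good_snap) are hypothetical, not snapd's.
from dataclasses import dataclass

@dataclass
class BootEnv:
    """Persistent bootloader environment; survives reboots."""
    good_snap: str          # last revision known to boot
    try_snap: str = ""      # newly installed revision under test
    mode: str = ""          # "" | "try" | "trying"

def install(env, revision):
    """Installer stages the new revision and requests a trial boot."""
    env.try_snap, env.mode = revision, "try"

def bootloader_select(env):
    """Runs at every boot, before the kernel/base is loaded."""
    if env.mode == "try":
        env.mode = "trying"       # record that a trial is in flight
        return env.try_snap
    if env.mode == "trying":
        # The previous trial boot never confirmed success: roll back.
        env.try_snap, env.mode = "", ""
    return env.good_snap

def userspace_confirm(env, booted):
    """Runs only if the system came up far enough to reach userspace."""
    if env.mode == "trying" and booted == env.try_snap:
        env.good_snap, env.try_snap, env.mode = booted, "", ""

def boot(env, viable):
    """One reboot cycle; `viable` maps revision -> does it reach userspace."""
    chosen = bootloader_select(env)
    if viable.get(chosen, False):
        userspace_confirm(env, chosen)
        return chosen
    return None   # hang or panic; the next boot sees mode == "trying"

def update_and_settle(env, revision, viable):
    """Install, then reboot until a revision comes up; return what runs."""
    install(env, revision)
    for _ in range(3):
        running = boot(env, viable)
        if running:
            return running
    raise RuntimeError("no viable revision")
```

The point of the two-step "try" then "trying" marker is that the decision to roll back is made by the boot logic itself on the following boot, so it still works when the new kernel or base never reaches userspace.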

Secure boot

 * All boot executables are signed and verified
 * Verification is carried out through hardware/BIOS based root of trust
 * All bootloader binaries are signed and verified before loading into memory for execution, all the way to the kernel/initramfs
 * This process is standard on X86/UEFI starting with Ubuntu Core 18

Full disk encryption

 * The Ubuntu kernel provides disk encryption/decryption capabilities
 * In Ubuntu Core, the key to encrypt/decrypt the disk is securely stored
 * The key cannot be viewed or modified
 * For hardware/BIOS root of trust (ARM/UEFI), the key is made securely available to initramfs
 * Initramfs contains kernel modules needed to set it up on first boot and to use it on normal boot

Headless, no user needed

 * Ubuntu Core is designed to support headless operations
 * Ubuntu Core is also designed for userless operations
 * On Ubuntu Core, everything important runs as root
 * A System User can be added for ssh access as appropriate
 * Other users may be added, although generally not needed