Difference between revisions of "Overview of Ubuntu Core"

From eLinux.org
(Created page with "== Ubuntu Core is all snaps == <gallery widths=500px heights=500px> Ubuntu core architecture.png|OS architecture based on snaps </gallery> == Board bring-up: kernel and the g...")
 
 
Line 20: Line 20:
 
* All bootloader binaries are signed and verified before loading into memory for execution, all the way to the kernel/initramfs
 
* All bootloader binaries are signed and verified before loading into memory for execution, all the way to the kernel/initramfs
 
* This process is standard on X86/UEFI starting with Ubuntu Core 18
 
* This process is standard on X86/UEFI starting with Ubuntu Core 18
 +
 +
== Full disc encryption ==
 +
* The Ubuntu kernel provides disk encryption/decryption capabilities
 +
* In Ubuntu Core, the key to encrypt/decrypt the disk is securely stored
 +
* The key cannot be viewed or modified
 +
* For Hardware/BIOS root of trust (ARM/UEFI)the key is made securely available to initramfs
 +
* Initramfs contains kernel modules needed to set it up on first boot and to use it on normal boot
 +
 +
== Headless, no user needed ==
 +
* Ubuntu Core is designed to support headless operations
 +
* Ubuntu Core is also designed for userless operations
 +
* On Ubuntu Core, everything important runs as root
 +
* A System User can be added for ssh access as appropriate
 +
* Other users may be added, although generally not needed
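Review bot: the new heading "Full disc encryption" spells the term "disc" while the bullets under it say "disk"; use "disk" in both. In the bullet "For Hardware/BIOS root of trust (ARM/UEFI)the key is made securely available to initramfs" a space is missing after the closing parenthesis. The bullets "the key to encrypt/decrypt the disk is securely stored" and "The key cannot be viewed or modified" would be more useful if they said where the key is held and who is prevented from reading it. In the Headless section, "everything important runs as root" should say which services that covers.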

Latest revision as of 11:21, 14 August 2020

Ubuntu Core is all snaps

Board bring-up: kernel and the gadget snaps

  • The kernel snap and the gadget snap enable particular hardware:
  • Gadget snap provides the bootloader, typically Grub for X86 and U-Boot for ARM.
  • Capabilities like full disk encryption and secure boot are enabled in the gadget snap.

Auto rollback for kernel and base snaps

  • When a kernel or a base (core18, core16) snap is installed, the system reboots
  • Boot logic evaluates kernel/base snap viability
  • If not viable, system boots with the previous kernel/base snap
  • This mechanism protects system operations from bad kernel/base snap releases
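
The try-then-commit logic behind this rollback, as an added sketch that is not Ubuntu Core's or snapd's own code. A dict stands in for the bootloader environment; the variable names (snap_mode, snap_kernel, snap_try_kernel), the function names and the snap file names are assumptions of the example.

```python
# Simplified model of try-boot rollback for a kernel snap (illustrative only).
# The dict "env" stands in for the persistent bootloader environment.

def stage_update(env, new_kernel):
    """Userspace: record the candidate kernel and request a trial boot."""
    env["snap_try_kernel"] = new_kernel
    env["snap_mode"] = "try"

def bootloader_select(env):
    """Bootloader: pick the kernel for this boot and advance the trial state."""
    if env["snap_mode"] == "try":
        # First boot after an update: mark the trial as in progress.
        env["snap_mode"] = "trying"
        return env["snap_try_kernel"]
    if env["snap_mode"] == "trying":
        # The previous trial boot was never confirmed: abandon the candidate.
        env["snap_mode"] = ""
        env["snap_try_kernel"] = ""
    return env["snap_kernel"]

def userspace_confirm(env, booted):
    """Userspace, reached only after a viable boot: commit the trial kernel."""
    if env["snap_mode"] == "trying" and booted == env["snap_try_kernel"]:
        env["snap_kernel"] = booted
        env["snap_try_kernel"] = ""
        env["snap_mode"] = ""

def update_and_reboot(env, new_kernel, viable):
    """Run one update cycle; return the kernel the system ends up running."""
    stage_update(env, new_kernel)
    booted = bootloader_select(env)
    if viable:
        userspace_confirm(env, booted)
        return booted
    # Non-viable boot: the system resets without confirming, then boots again.
    return bootloader_select(env)

def fresh_env():
    # Constructed sample state; the revision names are made up.
    return {"snap_kernel": "kernel_100.snap", "snap_try_kernel": "", "snap_mode": ""}

if __name__ == "__main__":
    for viable in (True, False):
        env = fresh_env()
        running = update_and_reboot(env, "kernel_101.snap", viable)
        print(f"viable={viable}: running {running}, env={env}")
```

The key property is that the candidate only becomes the default after userspace confirms it, so a kernel that never reaches userspace cannot make itself permanent.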

Secure boot

  • All boot executables are signed and verified
  • Verification is carried out through a hardware/BIOS-based root of trust
  • All bootloader binaries are signed and verified before loading into memory for execution, all the way to the kernel/initramfs
  • This process is standard on X86/UEFI starting with Ubuntu Core 18

Full disk encryption

  • The Ubuntu kernel provides disk encryption/decryption capabilities
  • In Ubuntu Core, the key to encrypt/decrypt the disk is securely stored
  • The key cannot be viewed or modified
  • For a hardware/BIOS root of trust (ARM/UEFI), the key is made securely available to the initramfs
  • Initramfs contains kernel modules needed to set it up on first boot and to use it on normal boot

Headless, no user needed

  • Ubuntu Core is designed to support headless operations
  • Ubuntu Core is also designed for userless operations
  • On Ubuntu Core, everything important runs as root
  • A System User can be added for SSH access as appropriate
  • Other users may be added, although generally not needed