Overview of Ubuntu Core

From eLinux.org
Revision as of 11:21, 14 August 2020 by Galemk (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Ubuntu Core is all snaps

Board bring-up: kernel and the gadget snaps

  • The kernel snap and the gadget snap enable particular hardware:
  • Gadget snap provides the bootloader, typically Grub for X86 and U-Boot for ARM.
  • Capabilities like full disc encryption and secure boot are enabled in the gadget snap.

Auto rollback for kernel and base snaps

  • When a kernel or a base (core18, core16) snap is installed, the system reboots
  • Boot logic evaluates kernel/base snap viability
  • If not viable, system boots with the previous kernel/base snap
  • This mechanism protects system operations from bad kernel/bases snap release

Secure boot

  • All boot executables are signed and verified
  • Verification is carried out through hardware/BIOS based root of trust
  • All bootloader binaries are signed and verified before loading into memory for execution, all the way to the kernel/initramfs
  • This process is standard on X86/UEFI starting with Ubuntu Core 18

Full disc encryption

  • The Ubuntu kernel provides disk encryption/decryption capabilities
  • In Ubuntu Core, the key to encrypt/decrypt the disk is securely stored
  • The key cannot be viewed or modified
  • For Hardware/BIOS root of trust (ARM/UEFI)the key is made securely available to initramfs
  • Initramfs contains kernel modules needed to set it up on first boot and to use it on normal boot

Headless, no user needed

  • Ubuntu Core is designed to support headless operations
  • Ubuntu Core is also designed for userless operations
  • On Ubuntu Core, everything important runs as root
  • A System User can be added for ssh access as appropriate
  • Other users may be added, although generally not needed