LGTM. Without snakeoil and trust, is the published bootkit layer still functional? IIUC, users would still need to get trust themselves and generate their own keys (which they should do anyhow), right?

Well there are no published bootkit layers right now :) But yes, this just got me far enough that I could do a 'make' and get an interesting initrd, but things are not actually usable.

I have a patch I haven't posted for 'mos' to accept a BOOTKIT_URL to let me pass an oci: url for the bootkit layer that 'trust keyset add' fetches. So then I can build bootkit and create keysets using that, and then I can build a bootable image from that. But it's not entirely useful.

I've been trying to think of the best path forward. Clearly for apic the whole pcr signdata route is still necessary. Me right now I just want to go more of a hybrid route between this and the systemd ukify route. I want to use a remote soci url for the rootfs, but using the systemd way of using pcr7 and pcr11 (which doesn't require any signdata). I could just go whole-hog into using mkosi to generate images, and that would work. But I'd prefer for initrd to use atomfs from a zot server to mount the rfs. I'm not sure where to best draw the lines there.

I don't know how much this interests you (or @mikemccracken ) - if it does, I'd love to chat on Monday about the details.

BTW regarding published images, and ignoring my own desired use case, yes even 6 months ago I was convinced we wanted to stop pushing and pulling anything to/from zothub.io, and just have everything build locally in sequence using each other's artifacts.

The "fleet of securely booted IOT devices running docker://myzot/myapp:1.0.0 using three simple steps" required some use of zothub.io for bootstrapping, but I don't think we're pushing for that any more. (or are we?)

LGTM. Without snakeoil and trust, is the published bootkit layer still
functional? IIUC, users would still need to get trust themselves and
generate their own keys (which they should do anyhow), right?

Well there are no published bootkit layers right now :) But yes, this just
got me far enough that I could do a 'make' and get an interesting initrd,
but things are not actually usable.

OK

I have a patch I haven't posted for 'mos' to accept a BOOTKIT_URL to let me
pass an oci: url for the bootkit layer that 'trust keyset add' fetches. So
then I can build bootkit and create keysets using that, and then I can build
a bootable image from that. But it's not entirely useful.

Right

I've been trying to think of the best path forward. Clearly for apic the
whole pcr signdata route is still necessary. Me right now I just want to go
more of a hybrid route between this and the systemd ukify route. I want to
use a remote soci url for the rootfs, but using the systemd way of using
pcr7 and pcr11 (which doesn't require any signdata). I could just go
whole-hog into using mkosi to generate images, and that would work. But I'd
prefer for initrd to use atomfs from a zot server to mount the rfs. I'm not
sure where to best draw the lines there.

I don't know how much this interests you (or @mikemccracken ) - if it does,
I'd love to chat on Monday about the details.

I'm definitely interested. I'd like to dig deeper into the systemd/mkosi path
to leverage the upstream work being done here; in particular

• pcr checkpoint values for things other than PCR7
• UKI build and menu systems
• Experience using, deploying, upgrading and fixing systems using UKIS.

With that in hand, I'd like to see about patching and possibly upstreaming
support for the APIC use-case around PCR7 and cmdline accept/reject like we
have with stubby vs the systemd signed commandline blobs.

I'm hoping that we could also extend distro standard initrd to do atomfs
mounts as well with the goal of having a smaller/thinner initrd where we don't
need to stuff a 50MB go binary.

BTW regarding published images, and ignoring my own desired use case, yes
even 6 months ago I was convinced we wanted to stop pushing and pulling
anything to/from zothub.io, and just have everything build locally in
sequence using each other's artifacts.

The "fleet of securely booted IOT devices running docker://myzot/myapp:1.0.0
using three simple steps" required some use of zothub.io for bootstrapping,
but I don't think we're pushing for that any more. (or are we?)

I do think that model is useful; but I think we need to sort out things on the
mos side of house to handle provisioning of VMs/hardware, config mgmt, etc.