​CoreOS brings end-to-end trusted computing to containers

The bane of containers is securing them, but CoreOS has a soup-to-nuts answer for this worry: Tectonic with Distributed Trusted Computing.

Everyone in IT loves containers. They enable you to run four to six times the number of server application instances as a virtual machine (VM) on the same server. Now, if only you could just easily secure the darn things.

container-door-lock.jpg
CoreOS's Tectonic with Distributed Trusted Computing locks down containers from the boot all the way to execution.

That's where CoreOS, the Linux and container company, comes in with its new program, Tectonic with Distributed Trusted Computing.

Tectonic uses Google Kubernetes, the proven technology that enables you to orchestrate and manage clusters of containers and virtual machines (VM)s on clouds. Every Google application, even search, runs on Kubernetes-managed containers.

CoreOS has brought Kubernetes to the enterprise data center and cloud. In this latest release with Distributed Trusted Computing, everything -- from the distributed application layer, to the container, down to the node and operating system -- is protected hardware-driven cryptographic verification. The company claims, with reason, that this new addition to Tectonic makes it "the most trusted and secure place to build, run and manage containers."

"Security is central to our mission here at CoreOS," said Alex Polvi, CoreOS's CEO in a statement. "It is rare to be able to introduce a completely new class of computing to the market, and we are proud today to do just that with Distributed Trusted Computing (DTC). This is a step further in the security capabilities of enterprises, for the first time giving cryptographically guaranteed end-to-end integrity and control of their environment."

DTC allows enterprises to have cryptographic guarantees about the configuration of their entire environment, from the distributed application layer to the hardware. This enables administrators to:

  • Validate and trust individual node and cluster integrity, even in potentially compromised or hostile data center conditions
  • Verify system state before distributing app containers, data or secrets
  • Prevent attacks that involve modifying firmware, boot-loader, the OS itself, or the deployment pipeline
  • Cryptographically verify, with an audit log, what containers have executed on the system

DTC works by using "Secure Boot, which provides a verified system platform, and DTC itself, which harnesses both hardware and software to isolate and cryptographically verify and audit containers executing on clusters of Secure Booted nodes."

According to CoreOS, Tectronic with DTS starts securing containers from the boot process on:

The CoreOS boot process from power-on through user login is modified so that every stage is ... subjected to cryptographic validation, and can only execute if proven to validate with a public key, held in firmware, and used to sign the component during a controlled initialization. After power is applied, the boot-loader, a small executable responsible for reading the operating system kernel from disk and setting it up its initial state in memory, is the first item validated. The boot-loader stage is executed only if the signature is valid, proving no out of band modification has occurred. Before exiting, the loader validates the next link in the chain, which is usually a second-stage boot-loader, or the operating system kernel itself. Once again the preceding stage cryptographically validates the next unit of code to be executed, and a decision is made about whether or not to proceed.

TDC then extends Secure Boot's principles to the cluster's container execution environment. This relies on a "motherboard component called a Trusted Platform Module (TPM). Specified by the industry Trusted Computing Group (TCG), the TPM is a cryptographic processor with special operating rules designed to integrate encryption keys directly into hardware."

Finally, DTC uses the TPM to test containers before allowing them to join a Tectonic DTC cluster. It can do that because rkt's App Container Image (ACI) format includes a cryptographic signature for image verification. This way, the entire system -- its operating system, containers, and their applications within -- are thoroughly checked for potential security problems.

A complete Tectonic with DTC soluition consists of:

  • Cluster
    • Kubernetes - Only machines that are Secure Booted are allowed into the cluster. Secure materials, such as SSL private keys, are distributed only once the machine is verified to be in a trusted state.
  • Container Runtime
    • rkt - The operating system verifies that rkt is configured in a secure manner. Only containers signed with trusted keys are allowed to run on the cluster, extending the chain of trust into the container execution environment. Additionally, rkt utilizes the TPM to create a cryptographically verifiable, hardware-protected audit log of the containers executed across a cluster.
  • Operating System
    • CoreOS Linux - The operating system is verified before boot to ensure it has not been modified, including the hardware provider or cloud provider. If modified, the machine will not boot.
  • Hardware Enablement
    • Firmware - The customer's key is embedded in the firmware, giving control to the user to run whatever software they choose, and validate that it is exactly that software they deploy.
    • Trusted Platform Module (TPM) - Provides a tamper-proof audit log of everything that has booted.

If this sounds familiar, it's because this is the same hardware and firmware that was used in Unified Extensible Firmware Interface (UEFI). Thanks to Microsoft's proprietary Secure Boot take, UEFI was seen as a threat to Linux and other alternative desktop operating systems. Even then some Linux experts saw UEFI and Secure Boot as a way forward towards truly secure computing. In the meantime, Matthew Garrett created a way to run Linux on Windows 8 systems with Microsoft's take on Secure Boot activated. It's no coincidence that Garrett is now CoreOS's Principal Security Engineer.

Besides providing a cryptographic chain of trust, Tectonic with DTC is not locked in to CoreOS. The program enables customers to put their own cryptographic keys into the firmware of their servers. This means the servers can run only the software explicitly authorized by the enterprise, and nothing else. Tectonic with DTS gives customers advanced security assurance, without vendor lock-in.

"Trusted Computing, Secure Boot and the TPM bring immensely powerful security functionality to users," said Garrett, "These technologies are often thought of as restrictive DRM (digital rights management). But rather than taking away freedom or flexibility, our implementation builds on top of customer-controlled keys embedded in their server firmware, empowering operations teams to specify and verify exactly what software their systems run. They can trust their systems without giving up control."

This is a big deal. For all the hype about Docker, Tectonic Enterprise with Distributed Trusted Computing may well advance CoreOS into being business's container system of choice

Related Stories: