Confidential Computing: Verifiable and Sealed OS Images

Image based Linux OSes have become increasingly popular. From GnomeOS to Bazzite there are a lot of ways to build and maintain your images. This workshop will walk you through how to improve a standard transactional deployment to be hardened, sealed, and verifiable including hardware-rooted attesation by utilizing Unified Kernel Images (UKI), bootc, and composefs.

We will walk through the entire lifecycle of an OCI-native operating system:

  1. Defining the image: Customizing a container image tailored for your needs.
  2. Leveraging Composefs: Understanding how bootc ingests OCI containers and materializes them into a secure, verifiable, read-only filesystem.
  3. Sealing the OS: Bundling your configuration into a Unified Kernel Image (UKI) to establish strict lifecycle and update guarantees rooted in hardware security.
  4. Booting and Verification: Deploying your newly minted image and validating its tamper-resistance and deployment integrity.

By the end of this lab, you will walk away with a fully functional, self-generated sealed image template and the practical confidence to implement container-like immutability across your infrastructure.

Prerequisites for Attendees:

  • Familiarity with Podman and basic Linux command-line navigation.
  • A Linux machine capable of running a virtual machine (KVM/QEMU, qemu-img, virtiofsd, openssh-clients)
The speaker's profile picture
Sean Thrailkill

Sean is a Software Engineer with 15 years of experience who has a passion for Virtualization in all its forms. When Sean is not working he is a host on the Hybrid Cloud Show, working on his homelab, or scuba diving. Ask him about why you absolutely need a homelab!