Kairos adopts an immutable layout, and derivatives created with its toolkit inherit the same immutability attributes. An immutable OS is a carefully engineered system which boots in a restricted, permissionless mode, where certain paths of the system are not writable. For instance, after installation it’s not possible to add additional packages to the system, and any configuration change is discarded after reboot. A running Linux-based system will have the following paths:| Kairos
Boot Assessment in Kairos: Introduction and Extensions. Kairos provides a robust mechanism for assessing the success or failure of boot entries through integration with systemd-boot. This document is divided into two parts. Kairos Default Boot Assessment Strategy: explains how boot assessment is managed in a standard Kairos installation. Extending the Default Boot Assessment: shows how to customize and extend Kairos boot assessment by integrating additional systemd services and adding automati...| Kairos
Trusted boot is a combination of technologies that allows us to enhance the security posture of a running system. It is composed of FDE, Secure Boot and Measured Boot. Trusted boot is an architectural requirement of SENA (Secure Edge Native Architecture) and is a key component of Kairos. You can read more about Trusted Boot at https://0pointer.de/blog/brave-new-trusted-boot-world.html and about SENA here: https://kairos.io/blog/2023/04/18/kairos-is-now-part-of-the-secure-edge-native-architect...| kairos.io
Note: This guide focuses on customizing Kairos images. For a complete guide on creating custom cloud images from scratch, including when and how to apply these customizations, see Creating Custom Cloud Images. Kairos is an open source, container-based operating system. To modify Kairos and add a package, you’ll need to build a container image from the Kairos images. Here’s an example with Docker which adds figlet: FROM quay.io/kairos/@flavor:@flavorRelease-standard-amd64-generic-master-k3s...| Advanced on Kairos
Warning: This feature is in preview state and only available in Kairos v3.4.x releases and alphas. Please check the section “Known issues” at the bottom for more information. Signing keys for system extensions under Trusted Boot: Sysexts need to be signed with the same key/cert as the ones used to sign the EFI files. As those are part of the system and available in the EFI firmware, we can extract the public part and verify the sysexts locally.| kairos.io
Learn about how Kairos is now part of SENA, the Secure Edge-Native Architecture announced by Spectro Cloud and developed in collaboration with Intel, enabling organizations to securely deploy, provision, operate and manage at scale edge locations. Discover the benefits of SENA and what's coming up in the future roadmap of Kairos' secure edge computing solutions.| kairos.io
Unified Kernel Image (UKI): A Unified Kernel Image (UKI) is a combination of a UEFI boot stub program, a Linux kernel image, an initrd, and further resources in a single UEFI PE file. This file can either be directly invoked by the UEFI firmware (which is useful in particular in some cloud/Confidential Computing environments) or through a boot loader (which is generally useful to allow multiple kernel versions with interactive or automatic selection of version to boot into).| uapi-group.org