A measured, verifiable secure-boot chain for cloud VMs — using the TPM (and AWS Nitro, where available) to prove exactly what booted, from firmware to your workload.
Lock.Boot boots a machine through a short chain of independently-verified, independently-measured stages. Each stage fetches the next over the network, admits it by a pinned sha256 or an ed25519 signature, extends a TPM PCR with what it loaded, and hands off — so the final TPM attestation is a cryptographic transcript of the entire boot.
- stage0 — a kernel-less UEFI application, the only Secure Boot
db-signed link. Firmware measures it; it then downloads a UKI over plain HTTP, admits it by a pin/signature carried in cloud metadata, measures it into PCR 14, and chain-loads it. No disk image required. - stage1 — the netboot UKI (a Unified Kernel Image: Linux kernel + minimal initramfs + the
stage1bootloader running as PID 1). It fetches a stage2 payload, verifies + measures it, produces a TPM attestation, andexecs it. - stage2 — your workload, run as PID 1 with an attestation of the whole chain. The reference stage2 is a payload-agnostic loader: append any container image and it boots it as an immutable dm-verity root under an ephemeral overlay, with TPM-bound encrypted persistence — "run this Docker container under Lock.Boot." Every stage is independently verified, measured, and replaceable — swap in your own.
- Multi-cloud — configuration from AWS/GCP/Azure instance metadata (IMDSv2); no baked-in secrets.
- Verified boot — every hop is content-addressed (
sha256) or signed (ed25519); nothing runs unverified. - Measured boot + attestation — each stage extends a TPM PCR, yielding a pre-execution attestation for remote verification.
- Reproducible — deterministic
SOURCE_DATE_EPOCH=0builds: identical inputs produce byte-identical, identically-measured artifacts. - Multi-architecture — x86_64 and aarch64.
| Repo | What it is |
|---|---|
| stage0 | UEFI netboot loader — the Secure Boot root of trust |
| stage1 | The netboot UKI (Linux stage1 bootloader) + mkuki builder + example stage2 |
| stage2 | The reference stage2 loader: seals a container image into a measured, dm-verity + encrypted, TPM-bound bootable form (append your image, pivot onto it, exec /init) |
| vaportpm | From-scratch TPM 2.0 attestation library (no_std-capable), shared by stage0 and stage1 |
| vaportpm-zk | Zero-knowledge attestation experiments over vaportpm |
| workspace | Reproducible multi-repo dev environment (shared toolchain + lockboot:build/lockboot:harness images) |
Each repo builds and tests standalone (inside the shared lockboot:build image) — see its README.