From 86a424b39e7f7b03bda7b7161b4733adfa12a2ba Mon Sep 17 00:00:00 2001 From: HaRoLd <303926+HarryR@users.noreply.github.com> Date: Mon, 13 Jul 2026 19:19:34 +0000 Subject: [PATCH] profile: drop the boot-chain ASCII diagram; /data is encrypted, not authenticated The three stage bullets already describe the chain, so the diagram was redundant. Also fix two stale "authenticated-encrypted" claims for stage2 /data: it is confidentiality-only dm-crypt (aes-xts-plain64) now, not authenticated encryption. Co-Authored-By: Claude Opus 4.8 --- profile/README.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/profile/README.md b/profile/README.md index 5e04794..cec36ab 100644 --- a/profile/README.md +++ b/profile/README.md @@ -6,16 +6,9 @@ Lock.Boot boots a machine through a short chain of independently-verified, indep ## The boot chain -``` -firmware (UEFI Secure Boot) - └─▶ stage0 db-signed UEFI netboot loader — the root of trust (measured into PCR 4) - └─▶ stage1 netboot UKI: Linux + a PID-1 bootloader (measured into PCR 14) - └─▶ stage2 your workload -``` - - **stage0** — a kernel-less UEFI application, the only Secure Boot `db`-signed link. Firmware measures it; it then downloads a UKI over plain HTTP, admits it by a pin/signature carried in cloud metadata, measures it into PCR 14, and chain-loads it. No disk image required. - **stage1** — the netboot **UKI** (a Unified Kernel Image: Linux kernel + minimal initramfs + the `stage1` bootloader running as PID 1). It fetches a stage2 payload, verifies + measures it, produces a TPM attestation, and `exec`s it. -- **stage2** — your application, run as PID 1 with an attestation document describing the whole chain. +- **stage2** — your workload, run as PID 1 with an attestation of the whole chain. The reference [**stage2**](https://github.com/lockboot/stage2) is a *payload-agnostic loader*: append any container image and it boots it as an immutable dm-verity root under an ephemeral overlay, with TPM-bound encrypted persistence — "run this Docker container under Lock.Boot." Every stage is independently verified, measured, and **replaceable** — swap in your own. ## Properties @@ -31,6 +24,7 @@ firmware (UEFI Secure Boot) |---|---| | [**stage0**](https://github.com/lockboot/stage0) | UEFI netboot loader — the Secure Boot root of trust | | [**stage1**](https://github.com/lockboot/stage1) | The netboot UKI (Linux `stage1` bootloader) + `mkuki` builder + example stage2 | +| [**stage2**](https://github.com/lockboot/stage2) | The reference stage2 **loader**: seals a container image into a measured, dm-verity + encrypted, TPM-bound bootable form (append your image, pivot onto it, `exec /init`) | | [**vaportpm**](https://github.com/lockboot/vaportpm) | From-scratch TPM 2.0 attestation library (`no_std`-capable), shared by stage0 and stage1 | | [**vaportpm-zk**](https://github.com/lockboot/vaportpm-zk) | Zero-knowledge attestation experiments over vaportpm | | [**workspace**](https://github.com/lockboot/workspace) | Reproducible multi-repo dev environment (shared toolchain + `lockboot:build`/`lockboot:harness` images) |