README.md
Lines changed: 37 additions & 1 deletion
@@ -12,9 +12,10 @@ The consensus on environment configuration is coordinated through the Manifest d
12
12
13
13
The Quorum Key itself can be used by QuorumOS and enclave apps to encrypt and authenticate data.
14
14
15
-
16
15
QuorumOS ("QOS") is a minimal, immutable, and deterministic Linux unikernel targeting various Trusted Execution Environments for use cases that require high security and accountability.
17
16
17
+
For more information about how it's used within Turnkey, please refer to [The Turnkey Whitepaper](https://whitepaper.turnkey.com/), and more specifically: [Foundations](https://whitepaper.turnkey.com/foundations).
18
+
18
19
## Development
19
20
20
21
### Requirements
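Review bot: In the added sentence "For more information about how it's used within Turnkey", the pronoun "it's" has no clear antecedent, because the paragraphs just above it discuss both the Quorum Key and QuorumOS. Suggest naming the subject explicitly, for example "how QuorumOS is used within Turnkey", so the whitepaper links read correctly even when this paragraph is quoted on its own.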
@@ -23,6 +24,41 @@ QuorumOS ("QOS") is a minimal, immutable, and deterministic Linux unikernel targ
23
24
- Docker 26+
24
25
- GNU Make
25
26
27
+
### Reproducing builds
28
+
29
+
QuorumOS is built with [StageX](https://codeberg.org/stagex/stagex), a new deterministic Linux distro. StageX provides reproducible builds and guarantees a 1-to-1, immutable relationship between the human-readable source code in this repo and the resulting machine-executable artifacts produced by the build system.
30
+
31
+
This repository produces deterministic OCI container images. QuorumOS, the operating system, is packaged for execution inside of a Nitro EIF (Enclave Image File). This packaging is deterministic and done as part of [`qos_enclave`](./src/qos_enclave). The associated [Containerfile](./src/images/qos_enclave/Containerfile) contains the set of instructions to build the `nitro.eif` file, as well as `nitro.pcrs`, which contains the PCR measurements.
32
+
33
+
To produce the `qos_enclave` OCI container image, run:
34
+
```
35
+
make out/qos_enclave/index.json
36
+
```
37
+
38
+
If you need to extract files from it, you can do so by using [docker](https://docs.docker.com/get-started/get-docker/) and [skopeo](https://github.com/containers/skopeo):
39
+
40
+
```sh
41
+
# Creates an archive called qos_enclave.tar, with a tag "qos-enclave:latest"
# Create the container without running it (outputs a container ID)
48
+
docker create qos-enclave:latest
49
+
50
+
# Copy files locally for inspection
51
+
docker cp CONTAINER_ID:/nitro.pcrs nitro.pcrs
52
+
53
+
# Look at the PCR values
54
+
cat nitro.pcrs
55
+
b26733f9... PCR0
56
+
b26733f9... PCR1
57
+
21b9efbc... PCR2
58
+
```
59
+
60
+
These PCR values can be referenced against the content of [AWS remote attestations](https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#pcr012).
61
+
26
62
### Submitting a PR
27
63
28
64
Before a PR can be merged our linter and unit tests need to pass.
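Review bot: In the extraction snippet, the ID printed by `docker create qos-enclave:latest` is never captured, so the following `docker cp CONTAINER_ID:/nitro.pcrs nitro.pcrs` only works after a manual copy-paste, and the created container is left behind. Suggest `CONTAINER_ID=$(docker create qos-enclave:latest)`, then `docker cp "$CONTAINER_ID":/nitro.pcrs nitro.pcrs`, and a closing `docker rm "$CONTAINER_ID"`. The sample output under `cat nitro.pcrs` sits in the same `sh` block as the commands and shows the same truncated prefix `b26733f9...` for both PCR0 and PCR1; putting the output in its own block and confirming that the two values are meant to match would keep readers who compare them against an attestation document from suspecting a typo. The fence around `make out/qos_enclave/index.json` also has no language tag while the next block uses `sh`.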