canonical / tdx

Intel confidential computing - TDX
GNU General Public License v3.0

Any proper way to measure/validate the TD guest VM rootfs? #150

Closed qzheng527 closed 1 month ago

qzheng527 commented 2 months ago

What I have done:

  1. Create a LUKS-encrypted rootfs.
  2. Do remote attestation in the initrd and get the encrypted key from some KBS.

The above works fine, but there is a "hole" in the boot-up chain: the rootfs is not measured/validated. My first thought is to use dm-verity for rootfs integrity checking. But to my understanding, some files may be written to the disk after running for a while, which may cause the hash to change, so the next boot may fail. So I am wondering if there is a proper way to measure/validate the TD guest VM rootfs? Combine LUKS, dm-verity and overlayfs? Thanks for any ideas or experience shared.
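
The concern raised in the question above, as an added example that is not part of the original post or the project's code: a simplified Merkle-tree model (not dm-verity's real on-disk format, and block-level rather than file-level like overlayfs) showing that an in-place write no longer matches a build-time root hash, while sending writes to a separate upper layer leaves the read-only lower image verifiable. `BLOCK`, `root_hash`, `LayeredRoot`, `demo` and the sample image are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # block size of this model (assumption, constructed)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def root_hash(image: bytes) -> str:
    """Merkle root over fixed-size blocks (simplified model of a verity tree)."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of BLOCK")
    level = [_h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(_h(b""))  # pad odd levels with a fixed leaf
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0].hex()

class LayeredRoot:
    """Read-only lower image plus a writable upper layer keyed by block index."""
    def __init__(self, lower: bytes, trusted_root: str):
        self.lower, self.trusted_root, self.upper = lower, trusted_root, {}

    def verify_lower(self) -> bool:
        # Only the lower image is covered by the root hash; the upper layer is not.
        return root_hash(self.lower) == self.trusted_root

    def write(self, idx: int, data: bytes) -> None:
        if len(data) != BLOCK:
            raise ValueError("writes are whole blocks in this model")
        self.upper[idx] = data  # the lower image is never modified

    def read(self, idx: int) -> bytes:
        return self.upper.get(idx, self.lower[idx * BLOCK:(idx + 1) * BLOCK])

def demo():
    image = b"".join(bytes([i]) * BLOCK for i in range(5))  # constructed image
    trusted = root_hash(image)  # value fixed at image build time
    # Case 1: a runtime write lands in the measured image itself.
    modified = bytearray(image)
    modified[2 * BLOCK] ^= 1
    in_place_ok = root_hash(bytes(modified)) == trusted
    # Case 2: the same write goes to the upper layer instead.
    fs = LayeredRoot(image, trusted)
    fs.write(2, b"\xff" * BLOCK)
    return in_place_ok, fs.verify_lower(), fs.read(2)[:1]

if __name__ == "__main__":
    print(demo())
```

In this model the upper layer sits outside the root hash, so its contents are not integrity-checked by it.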

syncronize-issues-to-jira[bot] commented 2 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-770.

This message was autogenerated

hector-cao commented 1 month ago

Hello, that is something we have in mind, but we do not have time to think about it at the moment. Closing.