Add README with initial goals and development usage

Lance Vick 2022-09-07 14:44:43 -07:00
parent ab1b3fdcb2
commit ef537e8d1f
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 72 additions and 0 deletions

README.md Normal file

@ -0,0 +1,72 @@
# AppOS #
<https://github.com/distrust-foundation/appos>
## About ##
A minimal, immutable, and deterministic Linux unikernel build system targeting
various Trusted Execution Environments for use cases that require high security
and accountability.
This is intended as a reference repository which could serve as a boilerplate
to build your own hardened and immutable operating system images for high
security applications.
## Platforms ##
| Platform | Target | Status | Verified boot Method |
|----------------------------|:-------:|:--------:|:--------------------:|
| Generic/Qemu | generic | working | Safeboot or Heads |
| AWS Nitro Enclaves | aws | building | HOTP via Nitrokey |
| GCP Confidential Compute | gcp | research | vTPM 2.0 attestation |
| Azure Confidential VMs | azure | research | vTPM 2.0 attestation |
## Features ##
* Immutability
* Root filesystem is a CPIO filesystem extracted to a RamFS at boot
* Minimalism
* < 5MB footprint
* Nothing is included but a kernel and your target binary by default
* Sample "hello world" included as a default reference
* Debug builds include busybox init shim and drop to a shell
* Determinism
* Multiple people can build artifacts and get identical hashes
* Allows one to prove distributed artifacts correspond to published sources
* Hardening
* No TCP/IP network support
* Favor using a virtual socket or physical interface to a gateway system
* Most unessesary kernel features are disabled at compile time
* Follow [Kernel Self Protection Project](kspp) recommendations
[ kspp]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
## Development ##
### Requirements ###
* 10GB+ free RAM
* Docker 20+
* GNU Make
### Examples ###
### Build given target
```
make TARGET=generic
```
### Boot generic image in Qemu
```
make run
```
### Enter shell in toolchain environment
```
make toolchain-shell
```
### Update toolchain depedendency pins
```
make toolchain-update
```
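
Review bot: The KSPP link in the Hardening list will not resolve, because `[Kernel Self Protection Project](kspp)` is inline-link syntax and points at a relative URL named `kspp` instead of the reference defined on the next line. Write it as `[Kernel Self Protection Project][kspp]` so it picks up the `kernsec.org` definition. Two typos in the same file: "unessesary" should be "unnecessary" in the Hardening list, and "depedendency" should be "dependency" in the last Examples heading. The four headings under `### Examples ###` are at the same `###` level as their parent and drop the closing hashes used everywhere else, so they should become `#### ... ####`. The Determinism bullets promise that independent builders get identical hashes, but the Development section lists no step for producing or comparing those hashes. Since that comparison is what lets a third party check a distributed artifact against the published source, it is worth documenting the command for it alongside `make TARGET=generic`.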