CoreOS Brings Distributed Trusted Computing to Containers

VIDEO: Alex Polvi, CEO of CoreOS, discusses how a new Tectonic offering will enforce security from bare metal all the way up to the virtualized application.

NEW YORK--Few areas of technologies are as hot today as that of containers and security. Today at the Tectonic Summit at the Times Center in New York City, CoreOS is announcing a new approach called Distributed Trusted Computing that deeply integrates security into containers at every layer of the technology stack, from bare metal on up.

Tectonic is CoreOS' commercial platform that includes the CoreOS Linux operating system the rkt (rocket) container technology and the Kubernetes container cluster management system. CoreOS first announced Tectonic in April of this year, alongside a $12 million round of funding.

In kicking off its container conference with a security announcement, CoreOS is matching its container ecosystem rival Docker Inc., which used the Dockercon EU event in November to launch new security efforts as well.

In a video interview with eWEEK at the Tectonic Summit, Alex Polvi, CEO of CoreOS, explained what Distributed Trusted Computing is all about and how it's core to his vision for a new, secure paradigm for the Internet. What Trusted Computing ensures is that only specific signed and approved software can run on hardware, he said.

"All server structure infrastructure software is running untrusted right now. You just kind of hope that what the server is running is what you expect it to be," Polvi said.

Distributed Trusted Computing relies on a number of core elements of technology, including Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM) for security. Polvi explained that at each layer of the application stack, there is a security verification check. As such, the UEFI firmware validates the system bootloader; the bootloader in turn validates the operating system.

The CoreOS Linux operating system itself comes up in a completely immutable state and then the rocket (rkt) container runtime carries the chain of trust into the container as well as registering the data into the TPM. Then the control plane for the distributed cluster uses the full attestation to understand if a server can be allowed to connect into the cluster.

"We believe that this style of infrastructure unlocks the possibility to dramatically improve the security of the Internet overall," Polvi said. "The combination of containers, distributed systems and now trusted computing we think represents a big change for server infrastructure."

Watch the full video interview with Alex Polvi below:

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.