General purpose operating systems have to solve many problems, and that means they make compromises. You need to be able to install, upgrade and configure individual components, which means having a large surface area vulnerable to attack. More specialised products (such as phones and Chromebooks) benefit from being able to reduce that surface area. Can we do the same with containers?
Security technologies can be overly restrictive in general purpose operating systems. This presentation covers a range of technologies that can be used unobtrusively and effectively in container-focused designs. It will describe how features like dm-verity can provide filesystem-level assurance that binaries are unmodified, how the kernel keyring can be used to provide immutable trusted key stores, how secure boot can root all of this trust in firmware and how container introspection can stop attacks.