A "More Immutable" Approach

[coolwanglu]

Hello!

I'd like to share an idea about bootc based VMs.

bootc is immutable, but not 100%: self-update is still allowed. A malicious remote actor with root privilege can inject any code to the next ostree deploy. Secure boot should be able to prevent this from happening, but too much hassle to set up in my opinion.

On the other hand, I'm thinking of:

• Always use QEMU temporary snapshot, --snapshot. This means QEMU always uses the original disk image after a cold start (but not after rebooting)
• Prevent reboot using the --no-reboot flag. QEMU will shutdown when the guest attempts to reboot
• Disable automatic bootc update.

Notes:

• I might put /var into a separate disk image if I care about the state.
• I have a separate pipeline the regularly builds new disk images, and the VMs are regularly shut down for backup. This is a perfect moment to update/swap the disk images. This workflow is particularly helpful with the VM does not have access to any network.
• How about simply loading the disk image readonly to QEMU, it might not work though.

What do you think about this approach?

• Does it make any sense?
• Is it already a standard workflow?

[cgwalters]

A malicious remote actor with root privilege can inject any code to the next ostree deploy.

See #1190 for our tracker for this.