Skip to content
@lockboot

lockboot

🔒🌩️ Lock.Boot

A measured, verifiable secure-boot chain for cloud VMs — using the TPM (and AWS Nitro, where available) to prove exactly what booted, from firmware to your workload.

Lock.Boot boots a machine through a short chain of independently-verified, independently-measured stages. Each stage fetches the next over the network, admits it by a pinned sha256 or an ed25519 signature, extends a TPM PCR with what it loaded, and hands off — so the final TPM attestation is a cryptographic transcript of the entire boot.

The boot chain

firmware  (UEFI Secure Boot)
   └─▶ stage0   db-signed UEFI netboot loader — the root of trust   (measured into PCR 4)
          └─▶ stage1   netboot UKI: Linux + a PID-1 bootloader       (measured into PCR 14)
                 └─▶ stage2   your workload
  • stage0 — a kernel-less UEFI application, the only Secure Boot db-signed link. Firmware measures it; it then downloads a UKI over plain HTTP, admits it by a pin/signature carried in cloud metadata, measures it into PCR 14, and chain-loads it. No disk image required.
  • stage1 — the netboot UKI (a Unified Kernel Image: Linux kernel + minimal initramfs + the stage1 bootloader running as PID 1). It fetches a stage2 payload, verifies + measures it, produces a TPM attestation, and execs it.
  • stage2 — your application, run as PID 1 with an attestation document describing the whole chain.

Properties

  • Multi-cloud — configuration from AWS/GCP/Azure instance metadata (IMDSv2); no baked-in secrets.
  • Verified boot — every hop is content-addressed (sha256) or signed (ed25519); nothing runs unverified.
  • Measured boot + attestation — each stage extends a TPM PCR, yielding a pre-execution attestation for remote verification.
  • Reproducible — deterministic SOURCE_DATE_EPOCH=0 builds: identical inputs produce byte-identical, identically-measured artifacts.
  • Multi-architecture — x86_64 and aarch64.

Repositories

Repo What it is
stage0 UEFI netboot loader — the Secure Boot root of trust
stage1 The netboot UKI (Linux stage1 bootloader) + mkuki builder + example stage2
vaportpm From-scratch TPM 2.0 attestation library (no_std-capable), shared by stage0 and stage1
vaportpm-zk Zero-knowledge attestation experiments over vaportpm
workspace Reproducible multi-repo dev environment (shared toolchain + lockboot:build/lockboot:harness images)

Each repo builds and tests standalone (inside the shared lockboot:build image) — see its README.

Popular repositories Loading

  1. stage1 stage1 Public

    Secure two-stage bootloader with AWS Nitro & GCP vTPM attestation. Multi-architecture (x86_64/ARM64) UEFI boot system with verified execution and PCR measurements

    Rust 2 1

  2. os402 os402 Public

    Rust 1

  3. vaportpm vaportpm Public

    Rust library for cloud instance attestation. Verify workloads are running on genuine AWS Nitro or GCP Confidential VMs via provider-signed trust chains. Zero C dependencies.

    Rust

  4. vaportpm-zk vaportpm-zk Public

    Make ZK-proofs of vaporTPM attestations

    Rust

  5. .github .github Public

  6. stage0 stage0 Public

    Rust

Repositories

Showing 7 of 7 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…