docker-edk2-uefi: Docker container for Tianocore EDK2 dev

Container to build Tianocore EDK2 MdeModules and OVMF and run in OVMF with qemu using X over ssh

UEFI EDKII Development Environment

This docker container can be used to build projects based on the Tiano EDKII UEFI project. It is possible to selected the branch of the EDKII project to be used and compiled at container creation as well as the target architecture. Build Tools are compiled on first ssh login triggered in bashrc. qemu can be run with X over ssh. Scripts are included to build MdeModulePkg and OVMF. Script included to create base for OVMF qemu environment and start qemu (script only for x86/64 right now).[…]

Somewhat related, I also found these UEFI/Docker options:

PS: Wondering what he’s been messing with UEFI on:


Docker: LinuxKit (and Cilium)







Secure Linux containers with Intel SGX

Diogo Mónica, Security Lead at Docker, posts this:
We looked at Haven earlier this year, which demonstrated how Intel’s SGX could be used to shield an application from an untrusted cloud provider. Today’s paper choice, SCONE, looks at how to employ similar ideas in the context of containers.[…] What’s the best way to adapt a container to run within an enclave, accommodating all of the restrictions that come with that? Can it be done in a way that doesn’t break compatibility with existing container platforms (e.g., Docker)? Will the end result pay too high a performance overhead to be usable in practice? […]

SCONE: Secure Linux containers with Intel SGX

Hardening Linux containers

Aaron Grattafiori of NCC Group has just published research on Linux containers and security hardening.

[…] Our recently-posted whitepaper starts off exploring the various motivations behind Linux containers and how they contrast with more traditional hardware virtualization on modern general purpose CPUs. The whitepaper then explores Linux namespaces, cgroups, and capabilities in depth, listing example use and illustrating potential risks. Next is an in-depth discussion of the various threats to any container deployment, either container to host attacks, cross-container attacks,and other potential threats to any container deployment, regardless of size. To counter these threats and add future defense in depth, this whitepaper also includes an exploration of key security features such as user namespaces, seccomp-bpf and Mandatory Access Control. While these features are often discussed as they relate to containers, the protections can be applied to any Linux application, regardless of container deployment. After exploring container basics, threats, and security features, an overview of Docker, LXC and CoreOS Rkt is included. This overview covers the container solution background, key components and includes a brief security analysis of each platform. This section ends by contrasting different container defaults, before enumerating various security recommendations to counter weaknesses (both in general for any container platform, and specifically for LXC, Docker and CoreOS Rkt). These configuration tweaks, security actions, strategies and recommendations help establish hardened Linux containers and adding defense in depth to any application deployment. To conclude, a number of future related technologies are briefly explored such as unikernels, microservices and other container platforms, this also includes a discussion of hybrid container/hardware virtualization using minimal hypervisors. […]

Full paper:

Docker acquires MirageOS

Docker buys Unikernel Systems

Docker has purchased the Unikernel Systems, a Cambridge, U.K. start-up specializing in unikernel development, Docker announced Thursday. The purchase will help Docker expand the range of virtualization technologies if offers the enterprise can use, in effect turning Docker into a platform for running a wide range of workloads, not just container-based workloads. […]

Full story:

Intel Clear Linux announces Clear Containers for Docker

Today Dimitri John Ledkov of Intel’s Linux team announced the availability of Clear Containers for Docker Engine for multiple OSes. This enables executing existing Docker applications in the secure and fast Clear Containers environment. The experimental source code is based on the Docker 1.8.1 upstream release. The primary host platform is Clear Linux Project for Intel Architecture, version 4000 or better, and binaries for multiple OSes, including: CentOS, Scientific Linux, Fedora, openSUSE, Debian, and Ubuntu.

The Clear Linux Project for Intel Architecture is a distribution built for various cloud use cases in order to showcase the best of Intel Architecture technology, from low-level kernel features to complex applications that span across the entire OS stack. We’re putting emphasis on power and performance optimizations throughout the operating system as a whole. Clear Containers leverage the isolation of virtual-machine technology along with the deployment benefits of containers. The security of containers is improved by using Intel Virtualization Technology (Intel VT). The optimization of key components results in slimmer, simpler, safer and substantially speedier virtualization.

For more information, see the full announcement on the archives of the dev list.