rkt supports measuring container state and configuration into the Trusted Platform Module (TPM) event log. Enable this functionality by building rkt with the --enable-tpm=yes option to ./configure. rkt accesses the TPM via the tpmd executable available from the go-tspi project. This tpmd is expected to listen on port 12041.
Events are logged to PCR 15, with event type 0x1000. Each event contains the following data:
This provides a cryptographically verifiable audit log of the containers executed on a node, including the configuration of each.
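One way a verifier could consume such a log, as an added example rather than code from rkt or go-tspi: it assumes the TCG 1.2 binary event-log record layout and that each record's digest is the SHA-1 of its event data, replays the PCR 15 extend chain from the reset value, and compares the result with a PCR 15 value obtained independently (in practice from a signed TPM quote) before trusting the container events it lists. The sample log and its event strings are constructed for the example.

```python
import hashlib
import struct
PCR_INDEX = 15            # PCR rkt measures into (from the page)
EVENT_TYPE = 0x1000       # event type rkt logs with (from the page)
PCR_RESET = b"\x00" * 20  # initial value of a TPM 1.2 SHA-1 PCR

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def make_event(pcr: int, etype: int, data: bytes) -> bytes:
    """Assumed TCG 1.2 record layout (little-endian): u32 pcrIndex, u32 eventType,
    20-byte SHA-1 digest, u32 eventSize, then eventSize bytes of event data."""
    digest = hashlib.sha1(data).digest()  # digest = SHA-1(data) is an assumption
    return struct.pack("<II20sI", pcr, etype, digest, len(data)) + data

def parse_event_log(blob: bytes) -> list:
    """Split a binary log into (pcrIndex, eventType, digest, data) tuples."""
    events, off = [], 0
    while off < len(blob):
        pcr, etype, digest, size = struct.unpack_from("<II20sI", blob, off)  # raises if truncated
        data = blob[off + 32:off + 32 + size]
        if len(data) != size:
            raise ValueError("truncated event data")
        events.append((pcr, etype, digest, data))
        off += 32 + size
    return events

def replay_pcr(events: list, pcr_index: int = PCR_INDEX) -> bytes:
    """Replay a PCR's events from reset, checking each digest against its data
    so that an edited event description is caught before it is folded in."""
    pcr = PCR_RESET
    for idx, _etype, digest, data in events:
        if idx != pcr_index:
            continue
        if hashlib.sha1(data).digest() != digest:
            raise ValueError("event digest does not match event data")
        pcr = extend(pcr, digest)
    return pcr

def verify_container_log(blob: bytes, quoted_pcr15: bytes) -> list:
    """Return rkt's container events if the log replays to the quoted PCR 15
    (taken from a signed TPM quote in practice); raise otherwise."""
    events = parse_event_log(blob)
    if replay_pcr(events) != quoted_pcr15:
        raise ValueError("event log does not replay to quoted PCR 15")
    return [d for i, t, _, d in events if i == PCR_INDEX and t == EVENT_TYPE]

# Constructed sample log: a firmware-style event on PCR 0, then two rkt events.
SAMPLE_LOG = make_event(0, 0x1, b"bios") + b"".join(
    make_event(PCR_INDEX, EVENT_TYPE, d) for d in (b"image=sha512-aaa", b"image=sha512-bbb"))
```

Only events that replay to the independently obtained PCR value are trusted; a log that has been edited after the fact either fails the per-event digest check or replays to a different PCR 15.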