rkt supports measuring container state and configuration into the Trusted Platform Module (TPM) event log. Enable this functionality by building rkt with the --enable-tpm=yes option to ./configure. rkt accesses the TPM via the tpmd executable available from the go-tspi project. This tpmd is expected to listen on port 12041.

Events are logged to PCR 15, with event type 0x1000. Each event contains the following data:
stage1
This provides a cryptographically verifiable audit log of the containers executed on a node, including the configuration of each.
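Verifying such an audit log means replaying its entries and comparing the result with the PCR 15 value the TPM quotes. The following is an added example, not code from rkt or go-tspi: it assumes a TPM 1.2 SHA-1 PCR bank (20-byte PCRs, extend = SHA-1(old || digest)), that each log entry's digest is the SHA-1 of its data, and it constructs its own sample entries (the stage1 strings are placeholders).

```python
import hashlib
from dataclasses import dataclass

PCR_INDEX = 15           # PCR that rkt extends (from the page)
RKT_EVENT_TYPE = 0x1000  # event type rkt records (from the page)
PCR_SIZE = 20            # assumption: SHA-1 PCR bank of a TPM 1.2

@dataclass(frozen=True)
class Event:
    pcr: int
    event_type: int
    digest: bytes  # SHA-1 of `data`, as stored in the event log
    data: bytes    # the measured bytes (stage1 identity, manifest, ...)

def measure(data: bytes) -> bytes:
    # Digest recorded for an entry in a SHA-1 event log (assumption)
    return hashlib.sha1(data).digest()

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    # TPM 1.2 PCR extend: new = SHA-1(old || digest)
    return hashlib.sha1(pcr_value + digest).digest()

def rkt_event(data: bytes) -> Event:
    # Constructed rkt-style entry: PCR 15, event type 0x1000
    return Event(PCR_INDEX, RKT_EVENT_TYPE, measure(data), data)

def replay_pcr(events, pcr: int = PCR_INDEX) -> bytes:
    # Recompute a PCR from the log, starting at the all-zero reset value;
    # an entry whose data no longer hashes to its recorded digest is rejected
    value = bytes(PCR_SIZE)
    for ev in events:
        if ev.pcr != pcr:
            continue
        if measure(ev.data) != ev.digest:
            raise ValueError("event data does not match its recorded digest")
        value = extend(value, ev.digest)
    return value

def verify_log(events, quoted_pcr15: bytes) -> bool:
    # True only if the log replays to the PCR 15 value the TPM quoted
    try:
        return replay_pcr(events) == quoted_pcr15
    except ValueError:
        return False

# Constructed sample log: a firmware entry in PCR 0 and two rkt launches
SAMPLE_LOG = [
    Event(0, 0x01, measure(b"firmware"), b"firmware"),
    rkt_event(b"stage1=coreos.com/rkt/stage1-coreos:<placeholder-hash>"),
    rkt_event(b"stage1=coreos.com/rkt/stage1-fly:<placeholder-hash>"),
]
```

A mismatch between the replayed value and the quoted PCR 15 means entries were added, removed, reordered or altered after measurement.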