VerityBook/README.md

# FedoraBook

Let's put all the fancy features together, we developed in the last years:

- Combined kernel+initramfs EFI binaries
- Secure Boot
- clevis with TPM2
- LUKS2
- dm-verity + squashfs root
- Flatpak
- flickerless boot

and build a Chromebook like Fedorabook, where you can install all software via Flatpak.

This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues

## Goals
- secure boot to the login screen
- immutable /usr and maybe /etc
- ensured integrity to the login screen
- encrypted volatile data
- A/B boot switching for updates
- Flatpak
- basic desktop
- optional: bind encrypted data partition to TPM2
- optional: frequent reencryption of the data partition

## Non-Goals
- can't secure against someone writing anything to disk
- can't secure against someone scraping secret keys from the kernel

## TODO
- merge mkimage.sh and clonedisk
- change partition UUIDs for /data
   * UUID for TPM LUKS
   * UUID for LUKS
   * UUID for unencrypted xfs
- ensure /data to be on same disk as root
- add "load=<efipath>" to kernel command line via efi stub
- update mechanism
- add proper EFI boot manager entries for A and B
- extend efi stub for recovery boot in the old image
- signing tools
- firmware update
- selinux?

## Known Failures
- gnome-software: can't update firmware repo
- systemd: failed to umount /var

## Create

```bash
$ sudo ./prepare-root.sh \
  --releasever 29 \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --logo logo.bmp --name FEDORABOOK \
  --outdir <IMGDIR>
```

## QEMU disk image
```bash
$ sudo ./mkimage.sh <IMGDIR> image.raw 
```

## USB stick
```bash
$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
```

## Install from USB stick

- Enter BIOS
   * turn on UEFI boot
   * turn on TPM2
- Enter BIOS boot menu
- Select USB stick
- Login (user: admin, pw: admin)
- Start gnome-terminal
- sudo
- ```clonedisk <usb stick device> <harddisk device>```
- reboot
- remove stick

## Post Boot

### Persistent journal
```bash
$ sudo mkdir /var/log/journal
```
initial commit 2018-08-28 09:25:03 +02:00			`# FedoraBook`

update README.md 2018-09-05 12:55:22 +02:00			`Let's put all the fancy features together, we developed in the last years:`
update README.md 2018-09-05 12:56:52 +02:00
update README.md 2018-09-05 12:55:22 +02:00			`- Combined kernel+initramfs EFI binaries`
			`- Secure Boot`
			`- clevis with TPM2`
			`- LUKS2`
			`- dm-verity + squashfs root`
			`- Flatpak`
			`- flickerless boot`
update README.md 2018-09-05 12:56:52 +02:00
update README.md 2018-09-05 12:55:22 +02:00			`and build a Chromebook like Fedorabook, where you can install all software via Flatpak.`

README.md: update 2018-09-05 13:14:58 +02:00			`This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues`
initial commit 2018-08-28 09:25:03 +02:00
README.md: update 2018-09-05 12:37:00 +02:00			`## Goals`
			`- secure boot to the login screen`
update README.md 2018-09-05 12:55:22 +02:00			`- immutable /usr and maybe /etc`
README.md: update 2018-09-05 12:37:00 +02:00			`- ensured integrity to the login screen`
			`- encrypted volatile data`
			`- A/B boot switching for updates`
			`- Flatpak`
			`- basic desktop`
			`- optional: bind encrypted data partition to TPM2`
			`- optional: frequent reencryption of the data partition`

			`## Non-Goals`
			`- can't secure against someone writing anything to disk`
			`- can't secure against someone scraping secret keys from the kernel`

			`## TODO`
			`- merge mkimage.sh and clonedisk`
update README.md 2018-09-05 12:55:22 +02:00			`- change partition UUIDs for /data`
update README.md 2018-09-05 12:56:52 +02:00			`* UUID for TPM LUKS`
			`* UUID for LUKS`
			`* UUID for unencrypted xfs`
README.md: update 2018-09-05 13:14:58 +02:00			`- ensure /data to be on same disk as root`
			`- add "load=<efipath>" to kernel command line via efi stub`
README.md: update 2018-09-05 12:37:00 +02:00			`- update mechanism`
update README.md 2018-09-05 12:55:22 +02:00			`- add proper EFI boot manager entries for A and B`
			`- extend efi stub for recovery boot in the old image`
README.md: update 2018-09-05 12:37:00 +02:00			`- signing tools`
update README.md 2018-09-05 12:55:22 +02:00			`- firmware update`
			`- selinux?`

			`## Known Failures`
			`- gnome-software: can't update firmware repo`
README.md: update 2018-09-05 13:16:05 +02:00			`- systemd: failed to umount /var`
README.md: update 2018-09-05 12:37:00 +02:00
initial commit 2018-08-28 09:25:03 +02:00			`## Create`

			```bash
			`$ sudo ./prepare-root.sh \`
README.md: add --releasever 2018-09-05 12:30:39 +02:00			`--releasever 29 \`
initial commit 2018-08-28 09:25:03 +02:00			`--pkglist pkglist.txt \`
			`--excludelist excludelist.txt \`
			`--logo logo.bmp --name FEDORABOOK \`
			`--outdir <IMGDIR>`
			```

			`## QEMU disk image`
			```bash
README.md: update 2018-09-05 12:37:00 +02:00			`$ sudo ./mkimage.sh <IMGDIR> image.raw`
initial commit 2018-08-28 09:25:03 +02:00			```

			`## USB stick`
			```bash
README.md: update 2018-09-05 12:37:00 +02:00			`$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…`
initial commit 2018-08-28 09:25:03 +02:00			```

			`## Install from USB stick`

			`- Enter BIOS`
update README.md 2018-09-05 12:57:41 +02:00			`* turn on UEFI boot`
			`* turn on TPM2`
initial commit 2018-08-28 09:25:03 +02:00			`- Enter BIOS boot menu`
			`- Select USB stick`
			`- Login (user: admin, pw: admin)`
			`- Start gnome-terminal`
			`- sudo`
			- ```clonedisk <usb stick device> <harddisk device>```
			`- reboot`
			`- remove stick`
update README.md 2018-09-05 12:55:22 +02:00
			`## Post Boot`

			`### Persistent journal`
			```bash
			`$ sudo mkdir /var/log/journal`
			```