2018-08-28 09:25:03 +02:00
# FedoraBook
WIP
## Goals

- secure boot to the login screen
- ensured integrity to the login screen
- encrypted volatile data
- A/B boot switching for updates
- Flatpak
- basic desktop
- optional: bind encrypted data partition to TPM2
- optional: frequent reencryption of the data partition

## Non-Goals

- can't secure against someone writing anything to disk
- can't secure against someone scraping secret keys from the kernel

## TODO

- merge mkimage.sh and clonedisk
- update mechanism
- signing tools

## Create

```bash
$ sudo ./prepare-root.sh \
    --releasever 29 \
    --pkglist pkglist.txt \
    --excludelist excludelist.txt \
    --logo logo.bmp --name FEDORABOOK \
    --outdir <IMGDIR>
```

## QEMU disk image

```bash
$ sudo ./mkimage.sh <IMGDIR> image.raw
```

## USB stick

```bash
$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
```

## Install from USB stick

- Enter BIOS
- turn on UEFI boot
- turn on TPM2
- Enter BIOS boot menu
- Select USB stick
- Login (user: admin, pw: admin)
- Start gnome-terminal
- `sudo`
- `clonedisk <usb stick device> <harddisk device>`
- reboot
- remove stick
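
The clone step copies a whole device, so swapped arguments overwrite the wrong disk. As an added example that is not part of the FedoraBook scripts, the following shell checks that source and target are not the same device and that the target is not in use; it assumes a GNU-style `readlink -f` and a `/proc/mounts`-format mounts file.

```bash
#!/usr/bin/env bash
# Added example (not FedoraBook code): sanity checks to run before
# "clonedisk <usb stick device> <harddisk device>". Whether clonedisk
# itself performs these checks is not stated in the README.
set -eu

# Canonical path, so /dev/disk/by-path/... and /dev/sdX compare equal.
canon() { readlink -f "$1"; }

# Succeeds when both arguments name the same underlying device.
same_device() {
    [ "$(canon "$1")" = "$(canon "$2")" ]
}

# Succeeds when the device, or a partition on it (sda1, nvme0n1p1),
# backs a mounted filesystem. The mounts file is a parameter so the
# function can be tested against a constructed copy.
is_mounted() {
    local dev=$1 mounts=${2:-/proc/mounts} src
    dev=$(canon "$dev")
    while read -r src _; do
        case "$(canon "$src" 2>/dev/null || printf '%s' "$src")" in
            "$dev"|"$dev"[0-9]*|"$dev"p[0-9]*) return 0 ;;
        esac
    done < "$mounts"
    return 1
}

# Refuses (returns 1, reason on stderr) when source and target are the
# same device or the target has mounted filesystems; returns 0 otherwise.
check_clone_args() {
    local src=$1 dst=$2 mounts=${3:-/proc/mounts}
    if same_device "$src" "$dst"; then
        echo "refusing: source and target are the same device" >&2; return 1
    fi
    if is_mounted "$dst" "$mounts"; then
        echo "refusing: target $dst has mounted filesystems" >&2; return 1
    fi
    return 0
}

# Usage: check_clone_args "$USB" "$DISK" && clonedisk "$USB" "$DISK"
```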