rename fedorabook veritybook
parent 24075408b5
commit 3c4c62fbe8
38
README.md
|
@ -1,4 +1,4 @@
|
|||
# FedoraBook
|
||||
# VerityBook
|
||||
|
||||
Let's put all the fancy features together, we developed in the last years:
|
||||
|
||||
|
@ -80,56 +80,56 @@ All configurable files have been whitelisted and moved to /cfg.
|
|||
### Prepare the Image
|
||||
|
||||
For reproducible squashfs builds use https://github.com/squashfskit/squashfskit. Clone it in the
|
||||
main FedoraBook directory and build it.
|
||||
main VerityBook directory and build it.
|
||||
|
||||
```bash
|
||||
$ sudo ./prepare-root.sh \
|
||||
--pkglist pkglist.txt \
|
||||
--excludelist excludelist.txt \
|
||||
--name FedoraBook \
|
||||
--name VerityBook \
|
||||
--logo logo.bmp \
|
||||
--reposd <REPOSDIR> \
|
||||
--releasever 29
|
||||
```
|
||||
|
||||
This will create the following files and directories:
|
||||
- ```FedoraBook``` - keep this directory around for updates
|
||||
- ```VerityBook``` - keep this directory around for updates
|
||||
(includes needed passwd/group history and rpmdb)
|
||||
- ```FedoraBook-29.<datetime>``` - the resulting <IMGDIR>
|
||||
- ```FedoraBook-latest.json``` - a metadata file for the update server
|
||||
- ```VerityBook-29.<datetime>``` - the resulting <IMGDIR>
|
||||
- ```VerityBook-latest.json``` - a metadata file for the update server
|
||||
|
||||
or download a prebuilt [image](https://harald.fedorapeople.org/downloads/fedorabook.tgz),
|
||||
or download a prebuilt [image](https://harald.fedorapeople.org/downloads/veritybook.tgz),
|
||||
unpack and use this as ```<IMGDIR>```.
|
||||
|
||||
## Sign the release
|
||||
|
||||
Get [efitools](https://github.com/haraldh/efitools.git). Compile and create your keys.
|
||||
Copy ```LockDown.efi``` ```DB.key``` ```DB.crt``` from efitools to the fedorabook directory.
|
||||
Copy ```LockDown.efi``` ```DB.key``` ```DB.crt``` from efitools to the veritybook directory.
|
||||
|
||||
Rename ```DB.key``` ```DB.crt``` to ```FedoraBook.key``` and ```FedoraBook.crt```
|
||||
Rename ```DB.key``` ```DB.crt``` to ```VerityBook.key``` and ```VerityBook.crt```
|
||||
|
||||
Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the fedorabook directory.
|
||||
Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the veritybook directory.
|
||||
|
||||
|
||||
```bash
|
||||
$ sudo ./mkrelease.sh FedoraBook-latest.json
|
||||
$ sudo ./mkrelease.sh VerityBook-latest.json
|
||||
```
|
||||
|
||||
then upload to your update server:
|
||||
```bash
|
||||
$ TARBALL="$(jq -r '.name' FedoraBook-latest.json)-$(jq -r '.version' FedoraBook-latest.json)".tgz
|
||||
$ scp "$TARBALL" FedoraBook-latest.json <DESTINATION>
|
||||
$ TARBALL="$(jq -r '.name' VerityBook-latest.json)-$(jq -r '.version' VerityBook-latest.json)".tgz
|
||||
$ scp "$TARBALL" VerityBook-latest.json <DESTINATION>
|
||||
```
|
||||
|
||||
|
||||
## QEMU disk image
|
||||
```bash
|
||||
$ sudo ./mkimage.sh <IMGDIR> image.raw
|
||||
$ sudo ./mkimage.sh <IMGDIR> image.raw
|
||||
```
|
||||
|
||||
or with the json file:
|
||||
```bash
|
||||
$ sudo ./mkimage.sh FedoraBook-latest.json image.raw
|
||||
$ sudo ./mkimage.sh VerityBook-latest.json image.raw
|
||||
```
|
||||
|
||||
## USB stick
|
||||
|
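Review bot: the prebuilt image link in "Prepare the Image" now points at `https://harald.fedorapeople.org/downloads/veritybook.tgz`, so the tarball has to be published under the new name before this lands or the README link is dead. In the same hunk the directory is written "main VerityBook directory" in one place and "the veritybook directory" in the signing steps; pick one spelling, since the key files are renamed to the mixed-case `VerityBook.key` and `VerityBook.crt`. The README also gives no checksum or signature for the prebuilt tarball, which would be worth adding while the link is being changed.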
@ -139,7 +139,7 @@ $ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
|
|||
|
||||
or with the json file:
|
||||
```bash
|
||||
$ sudo ./mkimage.sh FedoraBook-latest.json /dev/disk/by-path/pci-…-usb…
|
||||
$ sudo ./mkimage.sh VerityBook-latest.json /dev/disk/by-path/pci-…-usb…
|
||||
```
|
||||
|
||||
## Install from USB stick
|
||||
|
@ -167,7 +167,7 @@ If you cannot:
|
|||
- use the option ```--crypt``` otherwise
|
||||
|
||||
```bash
|
||||
$ sudo fedorabook-clonedisk <options> <usb stick device> <harddisk device>
|
||||
$ sudo veritybook-clonedisk <options> <usb stick device> <harddisk device>
|
||||
```
|
||||
|
||||
### Post
|
||||
|
@ -208,7 +208,7 @@ The initial password is ```zero key```.
|
|||
## Updating
|
||||
|
||||
```bash
|
||||
# systemd-inhibit fedorabook-update <UPDATE-URL>
|
||||
# systemd-inhibit veritybook-update <UPDATE-URL>
|
||||
```
|
||||
|
||||
## Secure Boot
|
||||
|
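Review bot: the "Updating" command changes to `veritybook-update`, but a machine installed from an earlier release only has `fedorabook-update`, and the metadata file is renamed to `VerityBook-latest.json` elsewhere in this README. Add a sentence saying how an existing install performs its first update across the rename: which command to run and which JSON name the update server has to serve.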
@ -222,4 +222,4 @@ Make sure the BIOS contains an option to restore the default keys.
|
|||
- Boot from stick with Shell.efi and LockDown.efi
|
||||
- Execute LockDown.efi
|
||||
- reset
|
||||
- Secure Boot into signed FedoraBook release
|
||||
- Secure Boot into signed VerityBook release
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
module FedoraBook 1.0;
|
||||
module VerityBook 1.0;
|
||||
|
||||
require {
|
||||
type policykit_auth_t;
|
|
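Review bot: `module VerityBook 1.0;` renames the SELinux policy module, so the policy source file and whatever compiles and loads it need to carry the same name. Recent checkmodule versions complain when the declared module name differs from the output file's base name, and neither a file rename nor a build-step change is visible here. Please confirm both were updated in this commit.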
@ -14,7 +14,7 @@ Creates a directory with a readonly root on squashfs, a dm_verity file and an EF
|
|||
--releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
|
||||
--outname JSON Creates \$JSON.json symlinked to that release (default: NAME-NUM-DATE)
|
||||
--baseoutdir DIR Parent directory of --outdir
|
||||
--name NAME The NAME of the product (default: FedoraBook)
|
||||
--name NAME The NAME of the product (default: VerityBook)
|
||||
--logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
|
||||
--quirks LIST Source the list of quirks from the quikrs directory
|
||||
--gpgkey FILE Use FILE as the signing gpg key
|
||||
|
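Review bot: in the usage text, the context line for `--quirks` reads "Source the list of quirks from the quikrs directory"; "quikrs" is a typo worth fixing while this help block is being touched. The new `--name` default itself matches the `NAME=${NAME:-"VerityBook"}` change further down.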
@ -143,7 +143,7 @@ while true; do
|
|||
esac
|
||||
done
|
||||
|
||||
NAME=${NAME:-"FedoraBook"}
|
||||
NAME=${NAME:-"VerityBook"}
|
||||
RELEASEVER=${RELEASEVER:-$VERSION_ID}
|
||||
BASEOUTDIR=$(realpath ${BASEOUTDIR:-"$CURDIR"})
|
||||
CRT=${CRT:-${NAME}.crt}
|
||||
|
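Review bot: changing the default in `NAME=${NAME:-"VerityBook"}` silently changes the default signing certificate as well, because the context line two below it is `CRT=${CRT:-${NAME}.crt}`. A build tree that still holds `FedoraBook.key` and `FedoraBook.crt` will no longer find its certificate unless `--name FedoraBook` is passed or the files are renamed, and the following hunk header shows the certificate is installed to `/etc/pki/${NAME}/crt`, so its path inside the image moves too. A fail-early check with a clear message when `${BASEDIR}/${CRT}` is missing would make the rename much easier to diagnose.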
@ -359,7 +359,7 @@ cp "${BASEDIR}/${CRT}" "$sysroot"/etc/pki/${NAME}/crt
|
|||
|
||||
rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
|
||||
|
||||
cp -avr "${BASEDIR}"/{10verity,20fedorabook} "$sysroot"/usr/lib/dracut/modules.d/
|
||||
cp -avr "${BASEDIR}"/{10verity,20veritybook} "$sysroot"/usr/lib/dracut/modules.d/
|
||||
|
||||
KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1)
|
||||
|
||||
|
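Review bot: `cp -avr "${BASEDIR}"/{10verity,20veritybook}` only works if the dracut module directory was renamed from `20fedorabook` to `20veritybook`, and that rename is not among the changes shown here. Confirm the directory moved in this commit, along with any files inside it that still reference the old name, because dracut derives the module name `veritybook` used in the later `-m` list from that directory name.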
@ -378,7 +378,7 @@ chroot "$sysroot" \
|
|||
dracut -N --kver $KVER --force \
|
||||
--filesystems "squashfs vfat xfs" \
|
||||
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
|
||||
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity fedorabook" \
|
||||
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity veritybook" \
|
||||
--reproducible \
|
||||
/lib/modules/$KVER/initrd
|
||||
|
||||
|
|