rename fedorabook veritybook

This commit is contained in:
Harald Hoyer 2020-02-11 10:50:54 +01:00
parent 24075408b5
commit 3c4c62fbe8
6 changed files with 24 additions and 24 deletions

View file

@ -1,4 +1,4 @@
# FedoraBook
# VerityBook
Let's put all the fancy features together, we developed in the last years:
@ -80,56 +80,56 @@ All configurable files have been whitelisted and moved to /cfg.
### Prepare the Image
For reproducible squashfs builds use https://github.com/squashfskit/squashfskit. Clone it in the
main FedoraBook directory and build it.
main VerityBook directory and build it.
```bash
$ sudo ./prepare-root.sh \
--pkglist pkglist.txt \
--excludelist excludelist.txt \
--name FedoraBook \
--name VerityBook \
--logo logo.bmp \
--reposd <REPOSDIR> \
--releasever 29
```
This will create the following files and directories:
- ```FedoraBook``` - keep this directory around for updates
- ```VerityBook``` - keep this directory around for updates
(includes needed passwd/group history and rpmdb)
- ```FedoraBook-29.<datetime>``` - the resulting <IMGDIR>
- ```FedoraBook-latest.json``` - a metadata file for the update server
- ```VerityBook-29.<datetime>``` - the resulting <IMGDIR>
- ```VerityBook-latest.json``` - a metadata file for the update server
or download a prebuilt [image](https://harald.fedorapeople.org/downloads/fedorabook.tgz),
or download a prebuilt [image](https://harald.fedorapeople.org/downloads/veritybook.tgz),
unpack and use this as ```<IMGDIR>```.
## Sign the release
Get [efitools](https://github.com/haraldh/efitools.git). Compile and create your keys.
Copy ```LockDown.efi``` ```DB.key``` ```DB.crt``` from efitools to the fedorabook directory.
Copy ```LockDown.efi``` ```DB.key``` ```DB.crt``` from efitools to the veritybook directory.
Rename ```DB.key``` ```DB.crt``` to ```FedoraBook.key``` and ```FedoraBook.crt```
Rename ```DB.key``` ```DB.crt``` to ```VerityBook.key``` and ```VerityBook.crt```
Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the fedorabook directory.
Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the veritybook directory.
```bash
$ sudo ./mkrelease.sh FedoraBook-latest.json
$ sudo ./mkrelease.sh VerityBook-latest.json
```
then upload to your update server:
```bash
$ TARBALL="$(jq -r '.name' FedoraBook-latest.json)-$(jq -r '.version' FedoraBook-latest.json)".tgz
$ scp "$TARBALL" FedoraBook-latest.json <DESTINATION>
$ TARBALL="$(jq -r '.name' VerityBook-latest.json)-$(jq -r '.version' VerityBook-latest.json)".tgz
$ scp "$TARBALL" VerityBook-latest.json <DESTINATION>
```
## QEMU disk image
```bash
$ sudo ./mkimage.sh <IMGDIR> image.raw
$ sudo ./mkimage.sh <IMGDIR> image.raw
```
or with the json file:
```bash
$ sudo ./mkimage.sh FedoraBook-latest.json image.raw
$ sudo ./mkimage.sh VerityBook-latest.json image.raw
```
## USB stick
@ -139,7 +139,7 @@ $ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
or with the json file:
```bash
$ sudo ./mkimage.sh FedoraBook-latest.json /dev/disk/by-path/pci-…-usb…
$ sudo ./mkimage.sh VerityBook-latest.json /dev/disk/by-path/pci-…-usb…
```
## Install from USB stick
@ -167,7 +167,7 @@ If you cannot:
- use the option ```--crypt``` otherwise
```bash
$ sudo fedorabook-clonedisk <options> <usb stick device> <harddisk device>
$ sudo veritybook-clonedisk <options> <usb stick device> <harddisk device>
```
### Post
@ -208,7 +208,7 @@ The initial password is ```zero key```.
## Updating
```bash
# systemd-inhibit fedorabook-update <UPDATE-URL>
# systemd-inhibit veritybook-update <UPDATE-URL>
```
## Secure Boot
@ -222,4 +222,4 @@ Make sure the BIOS contains an option to restore the default keys.
- Boot from stick with Shell.efi and LockDown.efi
- Execute LockDown.efi
- reset
- Secure Boot into signed FedoraBook release
- Secure Boot into signed VerityBook release

View file

@ -1,4 +1,4 @@
module FedoraBook 1.0;
module VerityBook 1.0;
require {
type policykit_auth_t;

View file

@ -14,7 +14,7 @@ Creates a directory with a readonly root on squashfs, a dm_verity file and an EF
--releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
--outname JSON Creates \$JSON.json symlinked to that release (default: NAME-NUM-DATE)
--baseoutdir DIR Parent directory of --outdir
--name NAME The NAME of the product (default: FedoraBook)
--name NAME The NAME of the product (default: VerityBook)
--logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
--quirks LIST Source the list of quirks from the quikrs directory
--gpgkey FILE Use FILE as the signing gpg key
@ -143,7 +143,7 @@ while true; do
esac
done
NAME=${NAME:-"FedoraBook"}
NAME=${NAME:-"VerityBook"}
RELEASEVER=${RELEASEVER:-$VERSION_ID}
BASEOUTDIR=$(realpath ${BASEOUTDIR:-"$CURDIR"})
CRT=${CRT:-${NAME}.crt}
@ -359,7 +359,7 @@ cp "${BASEDIR}/${CRT}" "$sysroot"/etc/pki/${NAME}/crt
rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
cp -avr "${BASEDIR}"/{10verity,20fedorabook} "$sysroot"/usr/lib/dracut/modules.d/
cp -avr "${BASEDIR}"/{10verity,20veritybook} "$sysroot"/usr/lib/dracut/modules.d/
KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1)
@ -378,7 +378,7 @@ chroot "$sysroot" \
dracut -N --kver $KVER --force \
--filesystems "squashfs vfat xfs" \
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity fedorabook" \
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity veritybook" \
--reproducible \
/lib/modules/$KVER/initrd