update

clonedisk.sh

@@ -37,6 +37,7 @@ while true; do
             shift 1; continue
             ;;
         '--crypttpm2')
+	    USE_CRYPT="y"
 	    USE_TPM="y"
             shift 1; continue
             ;;
@@ -139,7 +140,9 @@ for i in 1 2 3; do
 done
 
 if ! [[ $UPDATE ]]; then
-    swapoff ${OUT}6 || :
+    swapoff -a :
+
+    if [[ $USE_CRYPT ]]; then
            # ------------------------------------------------------------------------------
         # swap
         echo -n "zero key" \
@@ -149,4 +152,18 @@ if ! [[ $UPDATE ]]; then
         # data
         echo -n "zero key" \
             | cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin
+    else
+        mkswap ${OUT}6
+        mkfs.xfs -L data ${OUT}7
+    fi
+fi
+
+efibootmgr -C -b FED1 -d ${OUT_DEV} -p 1 -L "FedoraBook 1" -l '\efi\fedorabook\1.efi'
+efibootmgr -C -b FED2 -d ${OUT_DEV} -p 1 -L "FedoraBook 2" -l '\efi\fedorabook\2.efi'
+efibootmgr -C -b FED3 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 1" -l '\efi\fedorabook\_1.efi'
+efibootmgr -C -b FED4 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 2" -l '\efi\fedorabook\_2.efi'
+
+BOOT_ORDER=$(efibootmgr | grep BootOrder: | { read _ a; echo "$a"; })
+if ! [[ $BOOT_ORDER == *FED1* ]]; then
+    efibootmgr -o "FED1,FED2,FED3,FED4,$BOOT_ORDER"
 fi

pkglist.txt

@@ -77,3 +77,4 @@ libvirt-daemon-kvm
 squashfs-tools
 mc
 veritysetup
+rsync

prepare-root.sh

@@ -163,6 +163,7 @@ for i in passwd shadow group gshadow subuid subgid; do
 done
 
 chown -R +0.+0 "$sysroot"
+chmod 0000 "$sysroot"/etc/{shadow,gshadow}
 
 mkdir -p "$sysroot"/{dev,proc,sys,run}
 mount --bind /proc "$sysroot/proc"
@@ -235,6 +236,8 @@ find "$sysroot" -name '*.rpmnew' -print0 | xargs -0 rm -fv
 mkdir -p ${BASEDIR}/${NAME}
 for i in passwd shadow group gshadow subuid subgid; do
     cp "$sysroot"/etc/"$i" ${BASEDIR}/${NAME}
+    chown "$USER" "${BASEDIR}/${NAME}/$i"
+    chmod u+r "${BASEDIR}/${NAME}/$i"
 done
 
 cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk

quirks/nss.sh

@@ -1,9 +1,10 @@
+chroot "$sysroot" bash -c 'useradd -G wheel admin' 
+
 sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
     "$sysroot"/etc/nsswitch.conf
 mkdir -p "$sysroot"/usr/db
 sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
 
-chroot "$sysroot" bash -c 'useradd -G wheel admin'
 egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
 egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
 
@@ -16,12 +17,16 @@ chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /
 
 mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
 mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
+chmod 0000 "$sysroot"/etc/gshadow
+
 chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
 chroot "$sysroot" bash -c 'passwd -e admin'
 
 mkdir -p "$sysroot"/usr/share/factory/var
 mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
 
+rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
+
 sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
 
 for i in passwd shadow group gshadow .pwd.lock subuid subgid; do 

update.sh

@@ -79,9 +79,5 @@ sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
 mkdir -p /efi/EFI/${NAME}
 cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
 
-# better swap prio with efibootmgr
 mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi
-
-## unless proper boot entries set, just force copy to default boot loader
-cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
-mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
+rm /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi