# FedoraBook Let's put all the fancy features together, we developed in the last years: - Combined kernel+initramfs EFI binaries - Secure Boot - clevis with TPM2 - LUKS2 - dm-verity + squashfs root - Flatpak - flickerless boot and build a Chromebook like Fedorabook, where you can install all software via Flatpak. This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues ## Goals - secure boot to the login screen - immutable /usr and maybe /etc - ensured integrity to the login screen - encrypted volatile data - A/B boot switching for updates - Flatpak - basic desktop - optional: bind encrypted data partition to TPM2 - optional: frequent reencryption of the data partition ## Non-Goals - can't secure against someone writing anything to disk - can't secure against someone scraping secret keys from the kernel ## TODO - merge mkimage.sh and clonedisk - change partition UUIDs for /data * UUID for TPM LUKS * UUID for LUKS * UUID for unencrypted xfs - ensure /data to be on same disk as root - add "load=" to kernel command line via efi stub - update mechanism - add proper EFI boot manager entries for A and B - extend efi stub for recovery boot in the old image - signing tools - firmware update - selinux? ## Known Failures - gnome-software: can't update firmware repo ## Create ```bash $ sudo ./prepare-root.sh \ --releasever 29 \ --pkglist pkglist.txt \ --excludelist excludelist.txt \ --logo logo.bmp --name FEDORABOOK \ --outdir ``` ## QEMU disk image ```bash $ sudo ./mkimage.sh image.raw ``` ## USB stick ```bash $ sudo ./mkimage.sh /dev/disk/by-path/pci-…-usb… ``` ## Install from USB stick - Enter BIOS * turn on UEFI boot * turn on TPM2 - Enter BIOS boot menu - Select USB stick - Login (user: admin, pw: admin) - Start gnome-terminal - sudo - ```clonedisk ``` - reboot - remove stick ## Post Boot ### Persistent journal ```bash $ sudo mkdir /var/log/journal ```