# FedoraBook

WIP

## Goals
- secure boot to the login screen
- ensured integrity to the login screen
- encrypted volatile data
- A/B boot switching for updates
- Flatpak
- basic desktop
- optional: bind encrypted data partition to TPM2
- optional: frequent reencryption of the data partition

## Non-Goals
- can't secure against someone writing anything to disk
- can't secure against someone scraping secret keys from the kernel

## TODO
- merge mkimage.sh and clonedisk
- update mechanism
- signing tools

## Create

```bash
$ sudo ./prepare-root.sh \
  --releasever 29 \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --logo logo.bmp --name FEDORABOOK \
  --outdir <IMGDIR>
```

## QEMU disk image
```bash
$ sudo ./mkimage.sh <IMGDIR> image.raw 
```

## USB stick
```bash
$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
```

## Install from USB stick

- Enter BIOS
  - turn on UEFI boot
  - turn on TPM2
- Enter BIOS boot menu
- Select USB stick
- Login (user: admin, pw: admin)
- Start gnome-terminal
- sudo
- ```clonedisk <usb stick device> <harddisk device>```
- reboot
- remove stick