harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
16 commits 2 branches 0 tags 220 KiB
Shell 100%
Find a file
Harald Hoyer 0c410bad77 README.md
2018-09-05 13:33:02 +02:00
quirks quirks/nss_db.sh: fixed libc quirk 2018-09-05 12:30:55 +02:00
clonedisk.sh initial commit 2018-09-05 11:49:57 +02:00
excludelist.txt initial commit 2018-09-05 11:49:57 +02:00
logo.bmp initial commit 2018-09-05 11:49:57 +02:00
mkimage.sh mkimage.sh: make xfs data partition 2018-09-05 13:14:24 +02:00
pkglist-min.txt initial commit 2018-09-05 11:49:57 +02:00
pkglist-sssd.txt initial commit 2018-09-05 11:49:57 +02:00
pkglist.txt pkglist.txt: add nss-mdns 2018-09-05 13:14:05 +02:00
pre-pivot.sh pre-pivot.sh: don't wait for root device 2018-09-05 13:18:06 +02:00
prepare-root.sh initial commit 2018-09-05 11:49:57 +02:00
README.md README.md 2018-09-05 13:33:02 +02:00

README.md

FedoraBook

Let's put all the fancy features together, we developed in the last years:

  • Combined kernel+initramfs EFI binaries
  • Secure Boot
  • clevis with TPM2
  • LUKS2
  • dm-verity + squashfs root
  • Flatpak
  • flickerless boot

and build a Chromebook like Fedorabook, where you can install all software via Flatpak.

This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues

Goals

  • secure boot to the login screen
  • immutable /usr and maybe /etc
  • ensured integrity to the login screen
  • encrypted volatile data
  • A/B boot switching for updates
  • Flatpak
  • basic desktop
  • optional: bind encrypted data partition to TPM2
  • optional: frequent reencryption of the data partition

Non-Goals

  • can't secure against someone writing anything to disk
  • can't secure against someone scraping secret keys from the kernel

TODO

  • merge mkimage.sh and clonedisk
  • change partition UUIDs for /data
    • UUID for TPM LUKS
    • UUID for LUKS
    • UUID for unencrypted xfs
  • ensure /data to be on same disk as root
  • add "load=" to kernel command line via efi stub
  • update mechanism
  • add proper EFI boot manager entries for A and B
  • extend efi stub for recovery boot in the old image
  • signing tools
  • firmware update
  • selinux?

Complete / What works already?

  • boot from single efi binary
  • dm_verity + squashfs immutable, integrity checked root
  • passwd + shadow + group + gshadow decoupled from system in /var
  • bind LUKS2 with tpm2 to machine
  • /home and /var on single data partition

Known Failures

  • gnome-software: can't update firmware repo
  • systemd: failed to umount /var

Create

$ sudo ./prepare-root.sh \
  --releasever 29 \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --logo logo.bmp --name FEDORABOOK \
  --outdir <IMGDIR>

or download a prebuilt image, unpack and use this as <IMGDIR>.

QEMU disk image

$ sudo ./mkimage.sh <IMGDIR> image.raw

USB stick

$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…

Install from USB stick

  • Enter BIOS
    • turn on UEFI boot
    • turn on TPM2
  • Enter BIOS boot menu
  • Select USB stick
  • Login (user: admin, pw: admin)
  • Start gnome-terminal
  • sudo
  • clonedisk <usb stick device> <harddisk device>
  • reboot
  • remove stick

Post Boot

Persistent journal

$ sudo mkdir /var/log/journal