Find a file
2018-09-13 10:58:48 +02:00
10verity use single image for squashfs and dmverity 2018-09-11 16:49:44 +02:00
quirks quirks/nss.sh: don't create /home/admin 2018-09-12 16:39:52 +02:00
69-yubikey.rules add yubikey udev rules 2018-09-11 16:49:18 +02:00
clonedisk.sh clonedisk.sh: fixed dd typo 2018-09-13 10:58:48 +02:00
excludelist.txt update 2018-09-07 17:02:36 +02:00
logo.bmp initial commit 2018-09-05 11:49:57 +02:00
mkimage.sh use single image for squashfs and dmverity 2018-09-11 16:49:44 +02:00
mkrelease.sh mkrelease.sh: add --notar 2018-09-13 10:58:26 +02:00
pkglist-min.txt initial commit 2018-09-05 11:49:57 +02:00
pkglist-sssd.txt initial commit 2018-09-05 11:49:57 +02:00
pkglist.txt pkglist.txt: update and sort 2018-09-13 10:12:17 +02:00
pre-pivot.sh pre-pivot.sh: udevadm settle 2018-09-12 16:40:53 +02:00
prepare-root.sh prepare-root.sh: ensure home dir exists 2018-09-12 17:09:34 +02:00
README.md update 2018-09-07 17:02:36 +02:00
squashfs-size.sh use single image for squashfs and dmverity 2018-09-11 16:49:44 +02:00
systemd-udev-settle-dri.service update 2018-09-06 15:57:20 +02:00
update.sh update.sh: be more careful searching for the correct disk 2018-09-12 16:37:15 +02:00

FedoraBook

Let's put all the fancy features together, we developed in the last years:

  • Combined kernel+initramfs EFI binaries
  • Secure Boot
  • clevis with TPM2
  • LUKS2
  • dm-verity + squashfs root
  • Flatpak
  • flickerless boot

and build a Chromebook like Fedorabook, where you can install all software via Flatpak.

This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues

Goals

  • secure boot to the login screen
  • immutable /usr and maybe /etc
  • ensured integrity to the login screen
  • encrypted volatile data
  • A/B boot switching for updates
  • Flatpak
  • basic desktop
  • optional: bind encrypted data partition to TPM2
  • optional: frequent reencryption of the data partition

Non-Goals

  • can't secure against someone writing anything to disk
  • can't secure against someone scraping secret keys from the kernel

TODO

  • merge mkimage.sh and clonedisk
  • move all quirks from prepare-root.sh to quirks directory
  • source all quirks depending on package installation on command line options
  • change partition UUIDs for /data
    • UUID for TPM LUKS
    • UUID for LUKS
    • UUID for unencrypted xfs
  • ensure /data to be on same disk as root
  • add "load=" to kernel command line via efi stub
  • update mechanism
  • add proper EFI boot manager entries for A and B
  • extend efi stub for recovery boot in the old image
  • signing tools
  • add admin LUKS key via public key
  • sssd
  • support more clevis pins and mixed pins
  • firmware update
  • option to always clean data disk on boot
  • selinux?

Complete / What works already?

  • boot from single efi binary
  • dm_verity + squashfs immutable, integrity checked root
  • passwd + shadow + group + gshadow decoupled from system in /var
  • bind LUKS2 with tpm2 to machine
  • swap on LUKS2 with tpm2 (no password for resume from disk??)
  • /home and /var on single data partition

Known Failures

  • no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
  • gnome-software: can't update firmware repo
  • systemd: failed to umount /var

Create

$ sudo ./prepare-root.sh \
  --releasever 29 \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --logo logo.bmp --name FEDORABOOK \
  --outdir <IMGDIR>

or download a prebuilt image, unpack and use this as <IMGDIR>.

QEMU disk image

$ sudo ./mkimage.sh <IMGDIR> image.raw 

USB stick

$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…

Install from USB stick

Warning: This will wipe the entire target disk

  • Enter BIOS
    • turn on UEFI boot
    • turn on TPM2
  • Enter BIOS boot menu
  • Select USB stick
  • Login (user: admin, pw: admin)
  • Start gnome-terminal
  • $ sudo clonedisk <usb stick device> <harddisk device>
  • reboot
  • remove stick

The first boot takes longer as the system tries to bind the LUKS to the TPM2 on the machine. It also populates /var with the missing directories.

You can always clear the data partition via:

# wipefs --all --force /dev/<disk partition 7>

and then either make a xfs

# mkfs.xfs -L data /dev/<disk partition 7>

or luks

# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 7> /dev/stdin

On the media created with mkimage.sh, this is partition number 4.

Post Boot

Persistent journal

$ sudo mkdir /var/log/journal

LUKS

Set a new luks password. Initial password is 'zero key'