harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
VerityBook/README.md
Harald Hoyer 93ea5e8ace README.md: update
2018-10-24 14:43:45 +02:00

226 lines
6.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# FedoraBook
Let's put all the fancy features together, we developed in the last years:
- Combined kernel+initramfs EFI binaries
- Secure Boot
- clevis with TPM2
- LUKS2
- dm-verity + squashfs root
- Flatpak
- flickerless boot
and build a Chromebook like Fedorabook, where you can install all software via Flatpak.
This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues
## Goals
- secure boot to the login screen
- immutable base OS
- ensured integrity to the login screen
- encrypted volatile data
- A/B boot switching for updates
- Flatpak
- basic desktop
- optional: bind encrypted data partition to TPM2
- optional: frequent reencryption of the data partition
## Non-Goals
- can't secure against a remote attacker writing anything to disk
- can't secure against a remote attacker scraping secret keys from the kernel
## FAQ
### Isn't encrypting everything enough?
If a remote attacker modifies your binaries in /usr/bin, you cannot be sure of a secure boot
to the login screen anymore.
### Why readonly /etc?
A remote attacker modifying /etc can completely change your boot sequence and you cannot be sure of a
secure boot to the login screen anymore.
All configurable files have been whitelisted and moved to /cfg.
## TODO
- merge mkimage.sh and clonedisk
- move all quirks from prepare-root.sh to quirks directory
- source all quirks depending on package installation on command line options
- change partition UUIDs for /data
* UUID for TPM LUKS
* UUID for LUKS
* UUID for unencrypted xfs
- ensure /data to be on same disk as root
- add "load=<efipath>" to kernel command line via efi stub
- add admin LUKS key via [public key](https://blog.g3rt.nl/luks-smartcard-or-token.html)
- sssd
- support more clevis pins and mixed pins
- option to always clean data disk on boot
## Complete / What works already?
- boot from single efi binary
- dm_verity + squashfs immutable, integrity checked root
- passwd + shadow + group + gshadow decoupled from system in /var
- bind LUKS2 with tpm2 to machine
- swap on LUKS2 with tpm2 (no password for resume from disk??)
- /home /cfg and /var on single data partition
- Secure Boot
- selinux
- firmware update (works, but needs a secure boot signed fwup*.efi)
## Known Failures
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
- gnome-software: can't update firmware repo
- systemd: failed to umount /var
- needs a ´´´restorecond -FmvR /cfg /var /home´´´ after first boot, because systemd-tmpfiles does not seem
to restore all context
- vga switcheroo is not accessible for lockdown=1, because the kernel does not allow access to /sys/kernel/debug
## Create
### Prepare the Image
For reproducible squashfs builds use https://github.com/squashfskit/squashfskit. Clone it in the
main FedoraBook directory and build it.
```bash
$ sudo ./prepare-root.sh \
--pkglist pkglist.txt \
--excludelist excludelist.txt \
--name FedoraBook \
--logo logo.bmp \
--reposd <REPOSDIR> \
--releasever 29
```
This will create the following files and directories:
- ```FedoraBook``` - keep this directory around for updates
(includes needed passwd/group history and rpmdb)
- ```FedoraBook-29.<datetime>``` - the resulting <IMGDIR>
- ```FedoraBook-latest.json``` - a metadata file for the update server
or download a prebuilt [image](https://harald.fedorapeople.org/downloads/fedorabook.tgz),
unpack and use this as ```<IMGDIR>```.
## Sign the release
Get [efitools](https://github.com/haraldh/efitools.git). Compile and create your keys.
Copy ```LockDown.efi``` ```DB.key``` ```DB.crt``` from efitools to the fedorabook directory.
Rename ```DB.key``` ```DB.crt``` to ```FedoraBook.key``` and ```FedoraBook.crt```
Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the fedorabook directory.
```bash
$ sudo ./mkrelease.sh FedoraBook-latest.json
```
then upload to your update server:
```bash
$ TARBALL="$(jq -r '.name' FedoraBook-latest.json)-$(jq -r '.version' FedoraBook-latest.json)".tgz
$ scp "$TARBALL" FedoraBook-latest.json <DESTINATION>
```
## QEMU disk image
```bash
$ sudo ./mkimage.sh <IMGDIR> image.raw
```
or with the json file:
```bash
$ sudo ./mkimage.sh FedoraBook-latest.json image.raw
```
## USB stick
```bash
$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
```
or with the json file:
```bash
$ sudo ./mkimage.sh FedoraBook-latest.json /dev/disk/by-path/pci-…-usb…
```
## Install from USB stick
**Warning**: This will wipe the entire target disk
### Preparation
- Enter BIOS
* turn on UEFI boot
* turn on TPM2
* set a BIOS admin password
- Enter BIOS boot menu
- Select USB stick
- Login (user: admin, pw: admin)
- Start gnome-terminal
### Installation
If you can encrypt your disk via the BIOS, do so.
If you cannot:
- use the option ```--crypttpm2```, if you have a TPM2 chip
- use the option ```--crypt``` otherwise
```bash
$ sudo fedorabook-clonedisk <options> <usb stick device> <harddisk device>
```
### Post
- reboot
- remove stick
The first boot takes longer as the system tries to bind the LUKS to the TPM2 on the machine.
It also populates ```/var``` with the missing directories.
You can always clear the data partition via:
```bash
# wipefs --all --force /dev/<disk partition 5>
```
and then either make a xfs
```bash
# mkfs.xfs -L data /dev/<disk partition 5>
```
or LUKS
```bash
# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 4> /dev/stdin
# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 5> /dev/stdin
```
On the media created with mkimage.sh, this is partition number *3*.
## Post Boot
### Persistent journal
```bash
$ sudo mkdir /var/log/journal
```
### LUKS
Set a new LUKS password, if you installed with ```--crypt``` or ```--crypttpm2```.
The initial password is ```zero key```.
## Updating
```bash
# systemd-inhibit fedorabook-update <UPDATE-URL>
```
## Secure Boot
**Warning**: This will wipe all the secure boot keys.
Make sure the BIOS contains an option to restore the default keys.
- Enter BIOS
* turn on Secure Boot
* turn on Setup Mode
- Boot from stick with Shell.efi and LockDown.efi
- Execute LockDown.efi
- reset
- Secure Boot into signed FedoraBook release
Reference in a new issue View git blame Copy permalink