APACHE-2.0 License
Let's put together all the fancy features we developed in the last years, and build a Chromebook-like Fedorabook where you can install all software via Flatpak.

This is work in progress (WIP). Please test and report issues, comments or missing components at https://github.com/haraldh/VerityBook/issues
If a remote attacker modifies your binaries in /usr/bin, you cannot be sure of a secure boot to the login screen anymore.
A remote attacker modifying /etc can completely change your boot sequence and you cannot be sure of a secure boot to the login screen anymore.
All configurable files have been whitelisted and moved to /cfg.
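To make the integrity argument behind the previous two points concrete, here is an added example (not VerityBook's own code) of a toy dm-verity style hash tree in pure Python: salted SHA-256 over fixed-size blocks, groups of block hashes packed into zero-padded hash blocks up to a single root hash, and per-block verification against that root. The block size, salt and sample image are constructed for the demo; real dm-verity uses 4 KiB blocks and a random salt, and the root hash must be trusted out-of-band (signed metadata, kernel command line) rather than read from the same medium as the data.

```python
# Added example: toy dm-verity style hash tree. Not VerityBook's code; the
# layout (salt-prepended SHA-256, fixed fanout, zero padding) follows
# dm-verity's general design, the constants below are demo assumptions.
import hashlib

HASH_LEN = 32  # SHA-256 digest size


def _h(salt: bytes, data: bytes) -> bytes:
    # dm-verity hash format version 1 prepends the salt to the hashed data
    return hashlib.sha256(salt + data).digest()


def _pad(data: bytes, size: int) -> bytes:
    return data.ljust(size, b"\0")


def split_blocks(image: bytes, block_size: int) -> list:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [_pad(image[o:o + block_size], block_size)
              for o in range(0, len(image), block_size)]
    return blocks or [bytes(block_size)]


def build_tree(image: bytes, salt: bytes, block_size: int):
    """Return (levels, root). levels[0] has one hash per data block; every
    higher level hashes groups of `fanout` lower hashes packed into one
    zero-padded hash block, until a single root hash remains."""
    fanout = block_size // HASH_LEN
    levels = [[_h(salt, b) for b in split_blocks(image, block_size)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_h(salt, _pad(b"".join(cur[i:i + fanout]), block_size))
                       for i in range(0, len(cur), fanout)])
    return levels, levels[-1][0]


def verify_block(block: bytes, index: int, levels, root: bytes,
                 salt: bytes, block_size: int) -> bool:
    """Authenticate one block against the trusted root hash only.
    The on-disk tree (`levels`) is untrusted: at each level the hash we
    computed ourselves replaces the stored entry before the group is
    hashed, so neither a modified block nor a modified tree reproduces
    `root`."""
    fanout = block_size // HASH_LEN
    h = _h(salt, _pad(block, block_size))
    i = index
    for level in levels[:-1]:
        g = i // fanout
        group = list(level[g * fanout:(g + 1) * fanout])
        group[i - g * fanout] = h
        h = _h(salt, _pad(b"".join(group), block_size))
        i = g
    return h == root


def verify_image(image: bytes, levels, root: bytes, salt: bytes,
                 block_size: int) -> bool:
    """What the kernel effectively does per read, here for every block."""
    return all(verify_block(b, i, levels, root, salt, block_size)
               for i, b in enumerate(split_blocks(image, block_size)))


def tamper(image: bytes, offset: int) -> bytes:
    """Constructed attacker action: flip one bit of the image at `offset`."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    BLOCK = 512                     # small blocks so the demo tree has three levels
    salt = bytes(32)                # constructed fixed salt; use os.urandom(32) for real
    image = b"ELF /usr/bin demo payload " * 800   # constructed ~20 KiB "rootfs"
    levels, root = build_tree(image, salt, BLOCK)
    print("levels:", [len(l) for l in levels], "root:", root.hex())
    print("pristine image verifies:", verify_image(image, levels, root, salt, BLOCK))
    print("tampered image verifies:", verify_image(tamper(image, 7000), levels, root, salt, BLOCK))
```

The point the example makes about /usr and /etc: a single flipped bit anywhere in the protected image changes the root hash, and editing the on-disk hash tree cannot hide it, which is why writable configuration has to live on a separate partition such as /cfg rather than inside the verified image.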
For reproducible squashfs builds use https://github.com/squashfskit/squashfskit. Clone it in the main VerityBook directory and build it.
```
$ mkdir dist
$ sudo ./prepare-root.sh \
    --pkglist pkglist.txt \
    --excludelist excludelist.txt \
    --name VerityBook \
    --logo logo.bmp \
    --reposd <REPOSDIR> \
    --releasever 31 \
    --baseoutdir $(realpath dist)
```
This will create the following files and directories:

- VerityBook - keep this directory around for updates
- dist/VerityBook-<HASH>.img - the root image
- dist/VerityBook-31.<datetime>.json - metadata of the image
- dist/VerityBook-latest.json - a symlink to the latest version

Get efitools. Compile and create your keys.

Copy LockDown.efi, DB.key and DB.crt from efitools to the veritybook directory.
Rename DB.key and DB.crt to VerityBook.key and VerityBook.crt.

Optionally copy Shell.efi (might be /usr/share/edk2/ovmf/Shell.efi) to the veritybook directory.
```
$ sudo ./mkrelease.sh dist/VerityBook-latest.json
```

This will create the following files and directories:

- dist/VerityBook-<HASH>-efi.tgz - signed efi binaries
- dist/VerityBook-31.<datetime>.json.sig - signature of the metadata

If you want to make deltas:

```
$ sudo ./mkdelta.sh ${CHECKPOINT:+--checkpoint} dist/VerityBook-latest.json
```

If CHECKPOINT is set, it will remove old images.

Then upload to your update server:

```
$ rsync -Pavorz dist/ <DESTINATION>/
```
```
$ sudo ./mkimage.sh <IMGDIR> image.raw
```

or with the json file:

```
$ sudo ./mkimage.sh VerityBook-latest.json image.raw
```

```
$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci--usb
```

or with the json file:

```
$ sudo ./mkimage.sh VerityBook-latest.json /dev/disk/by-path/pci--usb
```

Warning: This will wipe the entire target disk.
If you can encrypt your disk via the BIOS, do so.

If you cannot, pass one of these options:

- --crypttpm2, if you have a TPM2 chip
- --crypt otherwise

```
$ sudo veritybook-clonedisk <options> <usb stick device> <harddisk device>
```
The first boot takes longer, as the system tries to bind the LUKS volume to the TPM2 of the machine.
It also populates /var with the missing directories.
You can always clear the data partition via:

```
# wipefs --all --force /dev/<disk partition 5>
```

and then either make an xfs filesystem:

```
# mkfs.xfs -L data /dev/<disk partition 5>
```

or a LUKS volume:

```
# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 4> /dev/stdin
# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 5> /dev/stdin
```

On the media created with mkimage.sh, this is partition number 3.
```
$ sudo mkdir /var/log/journal
```
Set a new LUKS password if you installed with --crypt or --crypttpm2.
The initial password is "zero key".
```
# systemd-inhibit veritybook-update <UPDATE-URL>
```
Warning: This will wipe all the secure boot keys. Make sure the BIOS contains an option to restore the default keys.