Re-announcing the first working version of my "FedoraBook" with SELinux and UEFI secure boot. Read-only /etc, split passwd/shadow/group/gshadow, TPM2 support with LUKS2 and clevis. Updates are done via A/B partitions.
oh... forgot to add the #fedorabook hashtag :)
@harald_hoyer Why go with squashfs and A/B instead of OSTree, though?
No ostree, because I want:
* secure boot to the login screen
* immutable base OS
* ensured integrity to the login screen
So on the fedorabook, even a remote attacker gaining root cannot modify /usr without I/O errors.
Also not the evil maid
@harald_hoyer read-only /etc? How is that working out?
Well, with symlinking the parts which need to be configurable to /cfg and hard-patching binaries from /etc to /cfg here and there, pretty well.
@harald_hoyer Interesting! But is it worth the effort? Usually you need root permissions to change files in /etc. Having root permissions would also allow you to make additional malicious modifications. So isn't it already too late at that point in time?
Well, even a remote attacker with root access should not be able to tamper with the boot process for the fedorabook.
So, if you restart fedorabook, no malicious code should execute until after you log in. At least, that is the goal.