Re-announcing the first working version of my "FedoraBook" with SELinux and UEFI secure boot. Read-only /etc, split passwd/shadow/group/gshadow, TPM2 support with LUKS2 and clevis. Updates are done via A/B partitions.
@harald_hoyer Interesting! But is it worth the effort? Usually you need root permissions to change files in /etc. Having root permissions would also allow you to make additional malicious modifications. So isn't it already too late at that point in time?
Well, even a remote attacker with root access should not be able to tamper with the boot process for the fedorabook.
So, if you restart fedorabook, no malicious code should execute until after you log in. At least, that is the goal.