Re-announcing the first working version of my "FedoraBook" with SELinux and UEFI secure boot. Read-only /etc, split passwd/shadow/group/gshadow, TPM2 support with LUKS2 and clevis. Updates are done via A/B partitions.
@harald_hoyer read-only /etc? How is that working out?
Well, with symlinking the parts which need to be configurable to /cfg and hard patching binaries from /etc to /cfg here and there, pretty well.
Well, even a remote attacker with root access should not be able to tamper with the boot process for the fedorabook.
So, if you restart fedorabook, no malicious code should execute until after you log in. At least, that is the goal.