Created by harald 2 months ago
Immutable Fedora Desktop for Flatpak use
Members 1
Harald Hoyer committed 2 days ago


Let's put all the fancy features together, we developed in the last years:

  • Combined kernel+initramfs EFI binaries
  • Secure Boot
  • clevis with TPM2
  • LUKS2
  • dm-verity + squashfs root
  • Flatpak
  • flickerless boot

and build a Chromebook like Fedorabook, where you can install all software via Flatpak.

This is WIP. Please test and report issues, comments or missing components on https://pagure.io/Fedorabook/issues


  • secure boot to the login screen
  • immutable base OS
  • ensured integrity to the login screen
  • encrypted volatile data
  • A/B boot switching for updates
  • Flatpak
  • basic desktop
  • optional: bind encrypted data partition to TPM2
  • optional: frequent reencryption of the data partition


  • can't secure against a remote attacker writing anything to disk
  • can't secure against a remote attacker scraping secret keys from the kernel


Isn't encrypting everything enough?

If a remote attacker modifies your binaries in /usr/bin, you cannot be sure of a secure boot to the login screen anymore.

Why readonly /etc?

A remote attacker modifying /etc can completely change your boot sequence and you cannot be sure of a secure boot to the login screen anymore.

All configurable files have been whitelisted and moved to /cfg.


  • merge mkimage.sh and clonedisk
  • move all quirks from prepare-root.sh to quirks directory
  • source all quirks depending on package installation on command line options
  • change partition UUIDs for /data
  • UUID for LUKS
  • UUID for unencrypted xfs
  • ensure /data to be on same disk as root
  • add "load=<efipath>" to kernel command line via efi stub
  • add admin LUKS key via public key
  • sssd
  • support more clevis pins and mixed pins
  • option to always clean data disk on boot

Complete / What works already?

  • boot from single efi binary
  • dm_verity + squashfs immutable, integrity checked root
  • passwd + shadow + group + gshadow decoupled from system in /var
  • bind LUKS2 with tpm2 to machine
  • swap on LUKS2 with tpm2 (no password for resume from disk??)
  • /home /cfg and /var on single data partition
  • Secure Boot
  • selinux
  • firmware update (works, but needs a secure boot signed fwup*.efi)

Known Failures

  • no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
  • gnome-software: can't update firmware repo
  • systemd: failed to umount /var
  • needs a ´´´restorecond -FmvR /cfg /var /home´´´ after first boot, because systemd-tmpfiles does not seem to restore all context
  • vga switcheroo is not accessible for lockdown=1, because the kernel does not allow access to /sys/kernel/debug


Export your GPG Key

$ gpg2 --export --export-options export-minimal <KEYNAME> > FedoraBook.gpg

Prepare the Image

$ sudo ./prepare-root.sh \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --name FedoraBook \
  --logo logo.bmp \
  --reposd <REPOSDIR> \
  --releasever 29

This will create the following files and directories: - FedoraBook - keep this directory around for updates (includes needed passwd/group history) - FedoraBook-29.<datetime> - the resulting <imgdir> - FedoraBook-latest.json - a metadata file for the update server

or download a prebuilt image, unpack and use this as <IMGDIR>.

Sign the release

Get efitools. Compile and create your keys. Copy LockDown.efi DB.key DB.crt from efitools to the fedorabook directory.

Optionally copy Shell.efi (might be /usr/share/edk2/ovmf/Shell.efi) to the fedorabook directory.

$ sudo ./mkrelease.sh FedoraBook-latest.json

then upload to your update server:

$ TARBALL="$(jq -r '.name' FedoraBook-latest.json)-$(jq -r '.version' FedoraBook-latest.json)".tgz
$ scp "$TARBALL" FedoraBook-latest.json <DESTINATION> 

QEMU disk image

$ sudo ./mkimage.sh <IMGDIR> image.raw 

or with the json file:

$ sudo ./mkimage.sh FedoraBook-latest.json image.raw 

USB stick

$ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…

or with the json file:

$ sudo ./mkimage.sh FedoraBook-latest.json /dev/disk/by-path/pci-…-usb…

Install from USB stick

Warning: This will wipe the entire target disk


  • Enter BIOS
  • turn on UEFI boot
  • turn on TPM2
  • set a BIOS admin password
  • Enter BIOS boot menu
  • Select USB stick
  • Login (user: admin, pw: admin)
  • Start gnome-terminal


If you can encrypt your disk via the BIOS, do so.

If you cannot:

  • use the option --crypttpm2, if you have a TPM2 chip
  • use the option --crypt otherwise
$ sudo fedorabook-clonedisk <options> <usb stick device> <harddisk device>


  • reboot
  • remove stick

The first boot takes longer as the system tries to bind the LUKS to the TPM2 on the machine. It also populates /var with the missing directories.

You can always clear the data partition via:

# wipefs --all --force /dev/<disk partition 5>

and then either make a xfs

# mkfs.xfs -L data /dev/<disk partition 5>


# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 4> /dev/stdin
# echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 5> /dev/stdin

On the media created with mkimage.sh, this is partition number 3.

Post Boot

Persistent journal

$ sudo mkdir /var/log/journal


Set a new LUKS password, if you installed with --crypt or --crypttpm2. The initial password is zero key.


# systemd-inhibit fedorabook-update <UPDATE-URL>

Secure Boot

Warning: This will wipe all the secure boot keys. Make sure the BIOS contains an option to restore the default keys.

  • Enter BIOS
  • turn on Secure Boot
  • turn on Setup Mode
  • Boot from stick with Shell.efi and LockDown.efi
  • Execute LockDown.efi
  • reset
  • Secure Boot into signed FedoraBook release