David Sardari
<p><span class="h-card" translate="no"><a href="https://fosstodon.org/@Gentoo_eV" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Gentoo_eV</span></a></span> Given that I get a KVM console in time, I will demonstrate my installation guide (<a href="https://gentoo.duxsco.de/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">gentoo.duxsco.de/</span><span class="invisible"></span></a>) in English using a <a href="https://fedifreu.de/tags/Hetzner" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hetzner</span></a> dedicated server.</p>
<ul><li><strong>What?</strong> <em>Beyond Secure Boot – Measured Boot on Gentoo Linux?</em></li><li><strong>When?</strong> Saturday, 2024-10-19 at 18:00 UTC (20:00 CEST)</li><li><strong>Where?</strong> Video call via BigBlueButton: <a href="https://bbb.gentoo-ev.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bbb.gentoo-ev.org/</span><span class="invisible"></span></a></li></ul>
<p>The final setup will feature:</p>
<ul><li><a href="https://fedifreu.de/tags/SecureBoot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecureBoot</span></a>: All EFI binaries and unified kernel images are signed.</li><li><a href="https://fedifreu.de/tags/MeasuredBoot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MeasuredBoot</span></a>: <a href="https://fedifreu.de/tags/clevis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>clevis</span></a> and <a href="https://fedifreu.de/tags/tang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tang</span></a> will be used to check the system for manipulations via <a href="https://fedifreu.de/tags/TPM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TPM</span></a> 2.0 PCRs and for remote LUKS unlock (you don't need tty).</li><li>Fully encrypted: Except for ESPs, all partitions are <a href="https://fedifreu.de/tags/LUKS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LUKS</span></a> encrypted.</li><li><a href="https://fedifreu.de/tags/RAID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAID</span></a>: Except for ESPs, <a href="https://fedifreu.de/tags/btrfs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>btrfs</span></a> and <a href="https://fedifreu.de/tags/mdadm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mdadm</span></a> based <a href="https://fedifreu.de/tags/RAID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAID</span></a> are used for all partitions.</li><li>Rescue System: A customised <a href="https://fedifreu.de/tags/SystemRescue" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SystemRescue</span></a> (<a href="https://www.system-rescue.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">system-rescue.org/</span><span class="invisible"></span></a>) supports SSH logins and provides a convenient chroot.sh script.</li><li>Hardened <a href="https://fedifreu.de/tags/Gentoo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gentoo</span></a> <a href="https://fedifreu.de/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> for a highly secure, high-stability production environment.</li><li>If enough time is left at the end, <a href="https://fedifreu.de/tags/SELinux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SELinux</span></a>, which provides Mandatory Access Control using type enforcement and role-based access control.</li></ul>