Merge pull request #2 from LumIT-Labs/feature/repository-change

Feature/repository change
lumitlabs committed Dec 21, 2018
2 parents dd63225 + 083dc84 commit 173cc42c98b2b78bc45fc5cf758f5577a396eb4d
@@ -4,22 +4,22 @@ Open Secure-K OS
What is
^^^^^^^

**Open Secure-K OS** is an operating system booting from a USB key in which you can safely create and store your personal and private data. It is an advanced Debian Stretch Linux-based live USB operating system built for security: user and system data are saved encrypted within the USB key (AES 512bit), so the system can be used as a clean and safe environment for your on-line security-critical activities. Moreover Open Secure-K OS does not rely on the PC hard drive and, being a Linux derivative, it’s immune to most viruses and it’s spyware / adware / backdoor free.
**Open Secure-K OS** is an operating system booting from a USB key in which you can safely create and store your personal and private data. It is an **advanced Debian Stretch Linux-based live USB operating system built for security**: user and system data are saved encrypted within the USB key (AES 512bit), so the system can be used as a clean and safe environment for your on-line security-critical activities. Moreover Open Secure-K OS does not rely on the PC hard drive and, being a Linux derivative, it’s immune to most viruses and it’s spyware / adware / backdoor free.

Open Secure-K OS features a unique partitioning scheme - it is **liveng-compliant** (https://github.com/LumIT-Labs/liveng, https://liveng.readthedocs.io) -, which allows complete system and kernel update with a readonly system partition. GRUB is the bootloader for both BIOS and UEFI; the Linux Foundation’s preloader assures the Secure Boot compliance.
Open Secure-K OS features a unique partitioning scheme - it is liveng-compliant (https://github.com/LumIT-Labs/liveng, https://liveng.readthedocs.io) -, which allows complete system and kernel update with a readonly system partition. GRUB is the bootloader for both BIOS and UEFI; the Linux Foundation’s preloader assures the Secure Boot compliance.

Unique system features are:

* native encrypted persistence;
* kernel update (on a standard ISO 9660 filesystem, which is the best option for a live operating system because of its strength against data corruption and tampering);
* **kernel update** (**on a ISO9660 filesystem**, which is the best option for a live operating system because of its strength against data corruption and tampering);
* UEFI, with UEFI Secure Boot compatibility, with a real efi partition;
* user creation wizard upon the first boot. Live operating systems use to have the “live” user already created, while Open Secure-K OS pops up the Initial Setup interface in order to create one, together with language, keyboard and time zone.

None of the existing ISO9660-based live operating systems except Open Secure-K OS provides a kernel update feature.

`Secure-K OS <https://mon-k.com/products/secure-k-personal>`_ is built upon Open Secure-K OS.

At the end of the day, Open Secure-K OS is thought as a the most solid and secure base for your own live operating system - you can customimze it at your will.
At the end of the day, Open Secure-K OS is thought as a **the most solid and secure base for your own live operating system** - you can customize it at your will (only the very basic programs are installed by default).


Screenshots
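Review bot: "AES 512bit" in the What-is paragraph is not a valid AES key length (AES keys are 128, 192 or 256 bits), so the README should state the actual persistence-partition cipher specification, for example the LUKS cipher name and key size (a 512-bit key in XTS mode is two 256-bit AES keys). While this paragraph is being edited, "immune to most viruses and ... spyware / adware / backdoor free" is a guarantee the build cannot make and reads better restated as what the design provides (readonly ISO 9660 system partition, encrypted persistence, Secure Boot via the preloader), and "on a ISO9660 filesystem" should be "on an ISO 9660 filesystem", as the previous wording had it.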
@@ -41,9 +41,9 @@ Open Secure-K OS is a **LumIT Labs** project.
How to build the initial ISO image
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A **Debian Stretch** host is required for the build (other Debian-derived systems may work).
A **Debian Stretch** host is required for the build (64 bit preferred); other Debian-derived systems may work.

The Open Secure-K OS ISO image is built using the standard Debian **live-build** framework, so you first need to install it::
The Open Secure-K OS ISO image is built using the standard Debian **live-build** framework, so you first need to install it::
apt-get install -y live-build

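Review bot: "64 bit preferred" is added without a reason; the deploy notes in this same README record a GNOME Initial Setup crash on 32-bit builds, so say that here or link the two. The two `live-build` lines render identical, so this hunk also carries a whitespace-only change that the commit message should mention or that can be dropped.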
@@ -70,9 +70,10 @@ How to deploy

Some Open Secure-K OS notes:

* root user's password is: *liveng*;
* use sudo for super-cow powers;
* during the boot, you will be asked for the decryption password of the data persistence partition - the secret you enter while deploying;
* system user will be created upon the first boot.
* system user will be created upon the first boot;
* [only for 32 bit builds] a GNOME Initial Setup bug triggers a crash if setting the network in the Initial Setup interface. In this case, just reboot the system.


What about Secure-K OS?
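Review bot: "root user's password is: *liveng*" stays in the deploy notes while the build hook in this commit runs `passwd -l root` under the comment "Disabling root login, the Initial Setup will create a sudoers' users"; if root is locked the README line is wrong and should go, and if it is not, the README documents a fixed password shared by every image, which should be stated plainly next to the "use sudo" item so deployers know to change it.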
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,2 @@
deb http://repo.secure-k.com:8080/osk-stretch osk-stretch main contrib non-free

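Review bot: this new sources entry fetches from `http://repo.secure-k.com:8080` over plain HTTP, and nothing in the commit shows the repository's signing key being installed; apt only authenticates the index if the key is in its keyring, so add the keyring file to the build and reference it with `[signed-by=/path/to/keyring.gpg]` in this line (and prefer an HTTPS endpoint, since the preferences hunk in this commit ranks this repository above Debian itself).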
@@ -1,2 +1,2 @@
deb http://repo.secure-k.com:8080/sk-90 sk-90 main contrib non-free
deb http://repo.secure-k.com:8080/osk-stretch osk-stretch main contrib non-free

@@ -0,0 +1,2 @@
deb http://httpredir.debian.org/debian stretch-backports main contrib non-free
deb-src http://httpredir.debian.org/debian stretch-backports main contrib non-free
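Review bot: `stretch-backports` packages are not installed automatically (backports are published NotAutomatic with ButAutomaticUpgrades, giving them priority 100), so any package meant to come from here, such as a newer kernel, needs an explicit `-t stretch-backports` or a pin entry, and the hooks in this commit pass neither; document which packages this entry is for. The `deb-src` line is unnecessary for a live image build and can be dropped.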
@@ -14,9 +14,9 @@ fi
# Kernel installation.
# @todo: if kernel installation is moved into the chroot stage, persistence gets broken, try to fix this.
echo "Kernel upgrading..."
# sk-linux-image-update depends on kernel packages.
# It also triggers the initrd build and the re-write of the Open Secure-K OS' second system partition for updating the kernel and the initrd
# (while not live-building).
# sk-linux-image-update pre-depends on kernel packages.
# It also triggers the initrd build and the re-write of the Open Secure-K OS' second system partition
# for updating the kernel and the initrd (while not live-building).
apt-get install -y sk-linux-image-update |&log

# Removing the old kernel.
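Review bot: `apt-get install -y sk-linux-image-update |&log` returns the exit status of `log`, not of apt-get, unless the hook runs under `set -o pipefail`, so a failed kernel installation would not abort the build; add `set -o pipefail` near the top of the hook or check `${PIPESTATUS[0]}` after the pipe. The reworded comment says "pre-depends": that is only accurate if the package's control file declares `Pre-Depends` on the kernel packages, so please verify it, and the `@todo` about persistence breaking when the kernel install moves into the chroot stage is still open and deserves a tracked issue.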
@@ -26,21 +26,16 @@ apt-get -y --purge remove linux-image-4.9.0* linux-headers-4.9.0* |&log
apt-get install -y broadcom-sta-dkms |&log

# Divert the following files, for we don't want them to be updated.
programFiles=("/lib/systemd/system/gdm.service")
programFiles=("/lib/systemd/system/gdm.service") # this way, a standard gdm3 package - and not a forked one - is installed.
for programFile in ${programFiles[@]};
do
programFileName=$(echo -n "$programFile" | sed -r -e 's#(.*)/(.*)#\2#')
dpkg-divert --divert /tmp/$programFileName --rename $programFile |&log
cp -a /tmp/$programFileName $programFile |&log
done

# Change root password, the command line way.
passwd --quiet root <<EOF
liveng
liveng
EOF

chmod 750 /root |&log
# Disabling root login, the Initial Setup will create a sudoers' users.
passwd -l root

# Clean fstab, it will be written later.
rm -f /etc/fstab |&log
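Review bot: `dpkg-divert --divert /tmp/$programFileName --rename $programFile` uses `/tmp` as the diversion target, so any later upgrade of gdm3 writes its `gdm.service` into `/tmp` (cleared at boot) instead of a persistent path; use a stable directory such as `/usr/share/<project>/diverted/` for the divert target, and quote `"${programFiles[@]}"` in the loop. The hunk also shows both the heredoc that sets root's password to `liveng` and the `passwd -l root` that locks the account; one of the two is stale, and the README hunk above still advertises the password, so make the three agree. Finally, `passwd -l root` is the one command here without `|&log`.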
@@ -51,7 +46,7 @@ systemctl enable systemd-timesyncd |&log
# And disable Openntpd (if installed).
systemctl disable openntpd |&log

# User's keyboard (desktop, login screen) will be set by G.I.S., so initial keymap must be null in /etc/default and in dconf/user.
# User's keyboard (desktop, login screen) and language will be set by the Initial Setup; keymap must be null in /etc/default and in dconf/user.

# dconf/user for skel (only), compile from "sources".
mkdir /tmp/dconf |&log
@@ -62,10 +57,7 @@ chmod 750 /etc/skel/.config/dconf/user |&log
chown 0:0 /etc/skel/.config/dconf/user |&log
rm -fR /tmp/dconf |&log

# Copy dconf/user in skel/ to a users' readable file, for being used by "dconf/user watchdog" in GDM postlogin script.
cp -afv /etc/skel/.config/dconf/user /etc/config-dconf-user-sk && chmod 755 /etc/config-dconf-user-sk |&log

# Secure-K OS version file. Don't move the following lines before the kernel installation.
# Open Secure-K OS version file. Don't move the following lines before the kernel installation.
cat > /etc/os-release <<EOF
NAME="Open Secure-K OS"
PRETTY_NAME="Open Secure-K OS"

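Review bot: `chmod 755 /etc/config-dconf-user-sk` grants execute bits to a dconf database file; `644` gives the "users' readable" property the comment asks for without marking data executable. The `cat > /etc/os-release` heredoc writes the version file that a later hook in this commit protects by diverting `/usr/lib/os-release`; that only works if `/etc/os-release` is the symlink to `/usr/lib/os-release` that Debian ships, so state that assumption in the comment or write `/usr/lib/os-release` directly.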
This file was deleted.

@@ -12,7 +12,7 @@ fi
####################################################################################################################################

# Divert the following files, for we don't want them to be ever updated.
programFiles=("/usr/lib/os-release")
programFiles=("/usr/lib/os-release") # we set this file in a previous hook.
for programFile in ${programFiles[@]};
do
programFileName=$(echo -n "$programFile" | sed -r -e 's#(.*)/(.*)#\2#')
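Review bot: the comment "we set this file in a previous hook" refers to a hook that writes `/etc/os-release`, whereas the file diverted here is `/usr/lib/os-release`; the two coincide only because Debian installs `/etc/os-release` as a symlink to `/usr/lib/os-release`, so name that dependency and the required hook ordering in the comment. As with the `gdm.service` divert, the target is `/tmp/$programFileName`, which should be a persistent path.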
@@ -3,6 +3,6 @@ Pin: release n=stretch
Pin-Priority: 900

Package: *
Pin: release n=sk-90
Pin: release n=osk-stretch
Pin-Priority: 950

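Review bot: `Package: *` with `Pin-Priority: 950` for `release n=osk-stretch` lets any package name published in that repository replace Debian's own (950 beats stretch's 900 for every package, regardless of version), so the repository key becomes the trust root for the whole image; narrow the pin to the packages that are meant to come from there (for example `Package: sk-*`) and leave everything else at Debian priority.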
@@ -1 +1 @@
LANG="en_US.UTF-8"
LANG="en_US.UTF-8"

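Review bot: the old and new `LANG="en_US.UTF-8"` lines are identical as rendered, so this is a whitespace or line-ending change only; either say so in the commit message or leave the file untouched so the diff shows real changes only.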
This file was deleted.

@@ -4,7 +4,7 @@
# Halt system immediately if the boot USB (Secure-K USB) is removed.
DEV=$(mount | grep persistence | grep mapper | cut -d " " -f 1 | cut -d "/" -f 4)
if [ "$DEV" != "" ]; then
echo "KERNEL==\"${DEV:0:3}3\",ENV{UDISKS_IGNORE}=\"1\"" > /etc/udev/rules.d/99-hide-disk.rules
echo "KERNEL==\"${DEV:0:3}2\",ENV{UDISKS_IGNORE}=\"1\"" > /etc/udev/rules.d/99-hide-disk.rules
echo "KERNEL==\"${DEV:0:3}5\",ENV{UDISKS_IGNORE}=\"1\"" >> /etc/udev/rules.d/99-hide-disk.rules
echo "KERNEL==\"${DEV:0:3}\",ACTION==\"remove\",SUBSYSTEM==\"block\",RUN+=\"/usr/bin/sdmem -ll\",RUN+=\"/bin/chvt 5\",RUN+=\"/sbin/halt -fpn\"" > /etc/udev/rules.d/99-halt-on-sk-disconnection.rules
fi

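Review bot: `${DEV:0:3}` assumes the device-mapper name begins with a three-character kernel name such as `sdb`, which breaks for `mmcblk0`/`nvme0n1` devices and for any mapper name that does not embed the device; derive the backing partition with `lsblk -no pkname` on the mapper device and its parent disk from `/sys/class/block/<partition>/..`, then build the rules from that. Switching the hidden partition from `${DEV:0:3}3` to `${DEV:0:3}2` changes which partition udisks ignores, so the partition layout the rule relies on should be stated in the comment, and because the first `echo` uses `>` while the second uses `>>`, their order is significant.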
This file was deleted.

@@ -40,7 +40,7 @@ locate-pointer=true
app-picker-view=uint32 1
command-history=['r']
enabled-extensions=['alternative-status-menu@gnome-shell-extensions.gcampax.github.com', 'drive-menu@gnome-shell-extensions.gcampax.github.com', 'gnome-shell-trash-extension', 'user-theme@gnome-shell-extensions.gcampax.github.com', 'panel-osd@berend.de.schouwer.gmail.com', 'secure-k@mon-k.com', 'TaskBar@zpydr', 'dash-to-dock@micxgx.gmail.com', 'TopIcons@phocean.net', 'CoverflowAltTab@palatis.blogspot.com']
favorite-apps=['support-center.desktop', 'digitalarx.desktop', 'org.gnome.Terminal.desktop']
favorite-apps=['org.gnome.Terminal.desktop', 'org.gnome.gedit.desktop', 'firefox-esr.desktop']

[org/gnome/shell/calendar]
show-weekdate=false
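Review bot: `favorite-apps` drops `support-center.desktop` and `digitalarx.desktop` for the open build, but the `enabled-extensions` context line still lists `secure-k@mon-k.com`; confirm that `sk-gnome-extensions` in the package list ships that extension for Open Secure-K OS, otherwise gnome-shell logs a missing-extension error on every login and the entry should be removed here too.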
@@ -1,4 +1,3 @@
sk-apple-compatibility
sk-apt-guardian
sk-gnome-extensions
sk-linux-image-update-common
@@ -1,15 +1,15 @@
adwaita-icon-theme
at-spi2-core
baobab
at-spi2-core
baobab
caribou
chrome-gnome-shell
chromium
chromium-l10n
dconf-cli
dconf-gsettings-backend
eog
evince
evolution-data-server
dconf-cli
dconf-gsettings-backend
eog
evince
evolution-data-server
ffmpeg
file-roller
firefox-esr
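Review bot: the hunk repeats unchanged package names (`at-spi2-core`, `baobab`, `dconf-cli`, `eog`, ...) as both removed and added lines, which means the file was rewritten with different whitespace or line endings; normalise the package-list files (a `.gitattributes` rule with `text eol=lf`) so that reviews of these lists only show packages actually added or removed.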
@@ -21,28 +21,28 @@ gedit-plugins
gjs
gksu
gnome-backgrounds
gnome-bluetooth
gnome-calculator
gnome-characters
gnome-bluetooth
gnome-calculator
gnome-characters
gnome-clocks
gnome-color-manager
gnome-contacts
gnome-control-center
gnome-disk-utility
gnome-font-viewer
gnome-disk-utility
gnome-font-viewer
gnome-initial-setup gnome-getting-started-docs- yelp-
gnome-keyring
gnome-logs
gnome-keyring
gnome-logs
gnome-menus
gnome-online-accounts
gnome-online-accounts
gnome-online-miners
gnome-screensaver
gnome-screenshot
gnome-session
gnome-settings-daemon
gnome-shell
gnome-session
gnome-settings-daemon
gnome-shell
gnome-shell-common
gnome-shell-extensions
gnome-shell-extensions
gnome-shell-extension-dashtodock
gnome-shell-extension-taskbar
gnome-shell-extension-top-icons-plus
@@ -54,34 +54,49 @@ gnome-themes-standard
gnome-themes-standard-data
gnome-user-share
gsettings-desktop-schemas
gstreamer1.0-plugins-base
gstreamer1.0-plugins-bad
gstreamer1.0-plugins-good
gstreamer1.0-plugins-ugly
gstreamer1.0-pulseaudio
gstreamer1.0-plugins-base
#gstreamer1.0-plugins-bad
gstreamer1.0-plugins-good
#gstreamer1.0-plugins-ugly
gstreamer1.0-pulseaudio
gucharmap
guvcview
gvfs-backends
gvfs-bin
gvfs-fuse
gvfs-backends
gvfs-bin
gvfs-fuse
mutter
nautilus
nautilus-sendto
network-manager* modemmanager-
network-manager modemmanager-
network-manager-pptp
network-manager-iodine
network-manager-iodine-gnome
network-manager-strongswan
network-manager-openconnect-gnome
network-manager-ssh
network-manager-vpnc
network-manager-gnome
network-manager-openvpn
network-manager-ssh-gnome
network-manager-dev
network-manager-openvpn-gnome
network-manager-vpnc-gnome
network-manager-openconnect
network-manager-pptp-gnome
notification-daemon
plymouth-themes
policykit-1-gnome
pulseaudio
rhythmbox
rhythmbox-plugins
sound-theme-freedesktop
sound-theme-freedesktop
system-config-printer-common
system-config-printer-udev
totem
tracker-gui
ttf-dejavu
ttf-freefont
vino
vlc
xdg-user-dirs-gtk
zeitgeist
zenity
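Review bot: the new `network-manager-pptp` / `network-manager-pptp-gnome` entries add a VPN type whose MS-CHAPv2 authentication is widely documented as broken, which sits oddly in a security-focused image next to the strongswan, openconnect and openvpn plugins added in the same hunk; either document why PPTP is needed or drop it. `network-manager-dev` is a development-headers package and has no place in a live image. Commenting out `gstreamer1.0-plugins-bad` and `gstreamer1.0-plugins-ugly` reduces codec attack surface and is worth a line in the commit message, and narrowing `network-manager*` to `network-manager` with the plugins listed explicitly is the right direction.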
