Update README.md
parent
0b04600858
commit
5022a60750
@ -19,10 +19,12 @@ These files allow a server to build a working image, sign it with a release key,
|
|||||||
There are a few overridable variables that control configuration elements of HalogenOS. These are set at build time, and are permanently immutable throughout the lifetime of the OS, unless the values are changed, the image is rebuilt with the same keys and URL, and the installation is updated.
|
There are a few overridable variables that control configuration elements of HalogenOS. These are set at build time, and are permanently immutable throughout the lifetime of the OS, unless the values are changed, the image is rebuilt with the same keys and URL, and the installation is updated.
|
||||||
|
|
||||||
- `DISTURL`: Unset by default. The URL that HalogenOS files will be served at. If it is not set, OTA updates from a server are disabled, but updating can be done manually as long as the images are signed.
|
- `DISTURL`: Unset by default. The URL that HalogenOS files will be served at. If it is not set, OTA updates from a server are disabled, but updating can be done manually as long as the images are signed.
|
||||||
- `TPM`: Default is `true`. This will control automatic decryption of the root partition. Disable if your system does not have TPM 2.0.
|
- `TPM`: Default is `true`. This will control automatic decryption of the root partition. Disable if your system does not have TPM 2.0, or if you would rather manually input your root encryption password.
|
||||||
- `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot.
|
- `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot.
|
||||||
- `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes.
|
- `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes.
|
||||||
|
|
||||||
|
Disabling `SECBOOT` or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.
|
||||||
|
|
||||||
## Signing Keys
|
## Signing Keys
|
||||||
|
|
||||||
Unless you disable `REQSIG`, HalogenOS will require a signing key for updates and for overlays. If you do disable `REQSIG`, HalogenOS will still attempt to verify updates and overlays, but will not enforce these checks, and will not panic if there is no public signing key. To totally disable the inclusion of the signing key, you must remove `signing_key_public` from `build` in [compose.yml](/compose.yml).
|
Unless you disable `REQSIG`, HalogenOS will require a signing key for updates and for overlays. If you do disable `REQSIG`, HalogenOS will still attempt to verify updates and overlays, but will not enforce these checks, and will not panic if there is no public signing key. To totally disable the inclusion of the signing key, you must remove `signing_key_public` from `build` in [compose.yml](/compose.yml).
|
||||||
|
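Review bot: The added sentence after the `REQSIG` entry says a flag is set in the system partition when `SECBOOT` or `REQSIG` is disabled, but it does not name the flag, say what reads it, or say what the user sees as a result; please document that, since a reader cannot act on it as written. The same sentence states that in this configuration system files could be tampered with easily, and the flag lives in the system partition, so the README should say whether the flag is meant to be relied on or is only informational. In the `TPM` entry, the new clause about manually entering the root encryption password would be clearer if the text also said whether disabling `TPM` leaves the flag unset, as the added sentence lists only `SECBOOT` and `REQSIG`.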