LapEE provisioner
The LapEE provisioner is the setup image used before booting the runtime image on a laptop. Its launch-critical job is to prepare firmware Secure Boot policy for the release key or exact runtime UKI hash.
This is separate from the runtime USB image. Run the provisioner first, then boot the verified runtime image.
Current PermawebOS builds are alpha. Run the LapEE provisioner only on a spare laptop that can be dedicated to the experiment.
The provisioner changes firmware Secure Boot policy. A failed or unwanted policy change can leave the laptop unable to boot other operating systems without firmware recovery.
Trust Paths
Use the path published with the release:
- enroll the release signing key;
- admit the exact release UKI hash; or
- for local builds only, enroll operator-owned Secure Boot keys and sign the locally built UKI.
Some firmware clears factory keys when entering Setup Mode. Treat provisioning as a firmware-owner action, not a routine app install.
Provisioner Flow
Before provisioning:
- In firmware setup, clear the Secure Boot keys and enter Setup Mode.
- Power off the laptop.
- Get the provisioner image published with the release.
- Flash the provisioner image to a USB stick.
- Boot the laptop from the provisioner USB.
During provisioning, follow the prompts on the laptop screen. The provisioner boots as a separate image, mounts EFI variables read-write, shows a warning, requires the exact confirmation text published by the release, then applies the requested Secure Boot policy.
If you want LapEE to use non-volatile local storage, select which disk the provisioner should wipe. Otherwise, skip that step. The selected disk is erased.
After provisioning:
- Power off the laptop.
- Ensure Secure Boot is enabled if firmware did not enable it automatically.
- Boot the verified LapEE runtime image.
Adding config.json or wifi.conf to the runtime ESP changes the disk image
hash, but it does not change the signed UKI at EFI/Boot/BootX64.efi.
Local Builds
Normal operators should use release artifacts. From a local source tree only:
make signing-keys
make provisioner-write DEV=/dev/diskN
Local builds create local signing material and local measurements. Verifier policy must explicitly admit them.
What Verifiers See
Secure Boot state, enrolled policy, UKI identity, kernel command line, and node identity are part of the boot measurement. Secure Boot off is not hidden; it is evidence that a verifier can reject or warn on.