Questions making boatable usb with writeprotection and some stuff

8 risposte [Ultimo contenuto]
justlooking
Offline
Iscritto: 03/11/2014

Hello,

I ve questions too many about makeing my bootable usb with trisquel and use it with corebootgluglugx60:

1.Why do I have to give password when the startup diskcreator install the bootloader (Action: com.ubuntu.usbcreator) "An application is attempting to perform action that requires privilegues?" is this safe?

2.Is there a usb stick with a trustworthy hardwareswitch (mechanically) for blocking to write? are there good products (fsf cert)?

3.Could I use this write protection with at bootable Stick ?

4.What effects on safety/usage does the formatting FAT/ext2/ext3/encryptedFAT have if I want to make a bootable stick?

Thank you, for your help!

..and when there is any Power

.. I want to know the pros and cons in safety/usage when compareing a:booting from a (extern) live cd/dvd with b:bootable usb stick WITH hardware switch for write protection. eg strange preinstalled things in usb sticks?

In the past I got some strange behavior after using bootable usb sticks and now I have bad feeling with these sticks. Last week got problems booting live cds from external samsung/lg dvd drives. Itried some too much hours with my gluglugcorebootx60 by adding parmeters.

Magic Banana

I am a member!

I am a translator!

Offline
Iscritto: 07/24/2010

Those questions are indeed many and their answers are not trivial. Anyway, I will give a try and invite the other users of the forum to correct my errors:

  1. The startup disk creator can erase files on the USB stick. Those files may be owned by anybody (although they are more probably owned by nobody because most USB sticks use the FAT filesystem with no notion of ownership and permission) and administrative privileges are needed to do so. At least, that is my understanding.
  2. I do not think there exists any freedom issue with USB sticks: Linux-libre can drive them all.
  3. I see no reason why you could not. You then want a startup disk with no "extra space for storing document and settings", i.e., you want to select the last option "Discarded on shutdown, unless you saved them elsewhere" in the startup disk creator. With any write blocked, the USB disk would then be equivalent to a CD/DVD.
  4. As far as I understand, the Live system is directly installed on the device, not in a partition of the device. In other words, the installed filesystem(s) should not make any difference for the Live system.
elodie
Offline
Iscritto: 01/31/2014

1. What do you mean by safe? Safe might mean almost anything. From not getting raped in your own home to not getting bad sectors on your hard drive.

2. What do you mean by trustworthy? Trust, as safe above, can mean almost anything.

You can also take a look at SD cards which come with a lock switch by default. Booting them should not be more complicated than booting a regular USB stick.

Finally, once things are more clear for you, you can go ahead and contact Moritz Bartl[1] who has done some actual research in this direction.

3. Don't get it.

4. Never heard of encryptedFAT. Is it supported by the Linux kernel?

[1] http://comments.gmane.org/gmane.network.tor.user/29632

justlooking
Offline
Iscritto: 03/11/2014

hi,

thank you for your answers

1. ok. As I remember - first it was writing most of the files on the stick and at the end it ask for the password for writing the bootloader on the stick. And cause I'm kind of new to GNU/Linux trisquel I am sometimes not sure if I should putting the password and badly used the words "is this safe?" (The stick was formated in trisquel before, where I found these 4 formating options)

2. I meant if the switch is locked does corrupt software really have no chance to write on the stick.. or are there possible products where you cant "trust" this switch due to badintence/crappy construction

3. Okay.. I thought there should be no problems but there may be occureing errors when I block writing from reasons I dont get (like in the link with german stick)

4. Okay.. unfortunatly I dont know too but I'll test to format with the encrypted option..

unfortunatly the german stick isnt bootable in read only.. but this a great link with Moritz Barth!

First Time I was dreaming to have pc with a open bios which is read only and booting something like tails

Are there some thoughts about if coreboot is "safe" from getting bad flashed by rootkit? I'd like to have absolute bios write protection.

Legimet
Offline
Iscritto: 12/10/2013

About asking for the password, that's because it has to write to the mbr of the usb stick, which needs root permissions.

Magic Banana

I am a member!

I am a translator!

Offline
Iscritto: 07/24/2010

3. There will be no error if you create a startup disk with no "extra space for storing document and settings". Such a system never tries to write on the removable device. Instead, it writes everything in the RAM, which is emptied at shutdown.

justlooking
Offline
Iscritto: 03/11/2014

Now I tried. I tried writing e.g. trisquel_image with startup diskcreator. Unfortunatly I dont get this booting from coreboot and lately found some similar expierience in the web.

Then I wrote the image with dd command as I found in the web* (unfortunaly dont have knowledge) It now nicely boots from coreboot as it should.

*sudo dd if="pathfromiso" of="pathfromusb"

But.. there is something which could/must still be better. I tried with 2 diffrent sticks. When it has booted there is some quiet beeping but annoying noise which sometimes changes with running some program.(It isnt easy to locate but in my mind, it has to do with the bootable usb stick.

I hope to get rid of the noise and that coreboot will boot the readonly stick which Im now going to get.

(It seems that a sd card lock is no real write protection as there exist write protected usb drives.)

BugRep
Offline
Iscritto: 04/05/2012

2. You might find USB sticks that have hardware switches, but they are usually hard to find. This doesn't guarantee that they can't be written to. Some might leave write restrictions to the system, but inform the system they are locked. Even if they allow only reading, this is usually implemented in the drive firmware, and it might be upgradeable. This means, a new firmware can be installed, and the drive can be written to.

BTW, the FSF is okay with this kind of firmware, because it is not meant to be changed by the user, and doesn't run on the main CPU.

Magic Banana

I am a member!

I am a translator!

Offline
Iscritto: 07/24/2010

The fact that it does not run on the CPU has no importance. Wifi or video card firmware do not run on the CPU either.