[syslinux] Bootable ISO with extra data outside the ISO?

ian_bruce at mail.ru
Sun Aug 6 07:27:36 PDT 2017


On Fri, 4 Aug 2017 12:23:44 -0400
Bret Schuhmacher via Syslinux <syslinux at zytor.com> wrote:

> I'm working on a project and I'd like to create a Linux bootable ISO
> disc with an extra chunk of data **outside** the ISO space.

Does it have to be a *disk*? What you are asking for is actually a
standard feature of some Linux distribution ISOs (such as
Ubuntu/LinuxMint), when they are installed on a USB flashdrive.

> This chunk of data might be a 10MB tar/zip. The goal would be to boot
> into Linux in RAM off the disc and mount the extra chunk of data to
> access it.

Specifically, you can set up a FAT32-formatted flashdrive to boot an
unmodified ISO image contained as a read-only file. After the system in
the ISO image boots, it looks for two ext4 images also contained in the
FAT32 filesystem, and union-mounts those on top of both system and user
data. The intended purpose of this is to allow persistent changes to the
system without modifying the ISO image, which certainly seems to cover
your use case.

http://manpages.ubuntu.com/manpages/xenial/en/man7/casper.7.html

> I need this because I want the Linux ISO to be constant and verifiable
> with an SHA hash... the extra stuff will vary from customer to
> customer.

What base ISO image are you using? Ubuntu and LinuxMint live ISOs have a
boot option called "integrity check", which presumably does something
like this. In any case, having the ISO image contained as a regular file
within a flashdrive filesystem makes it easy to verify its hash
signature from any other operating system.

(Since the system that actually runs can be modified in almost any way
by the persistence file, the verification of the ISO image doesn't
really prove very much. But maybe you don't have to point this out to
your customers.)

> I see there's a memtest on the Linux discs I've created... would it be
> possible to put another program in place (a module, perhaps?) that can
> calculate a hash using a certain algorithm (i.e. SHA512 or similar) to
> validate and print out the hash of the boot ISO before booting it? The
> integrity of the ISO is absolutely critical.

An advantage of using a flashdrive is that it gives you the option of
booting with GRUB, which already has built-in facilities for doing
exactly this,

https://www.gnu.org/software/grub/manual/html_node/hashsum.html

and is fully scriptable.

https://www.gnu.org/software/grub/manual/html_node/Shell_002dlike-scripting.html

(Of course, if somebody had maliciously altered the ISO image, they
could also alter a program which was supposed to check that, so that it
would falsely claim the opposite. This is just security theatre. The
only convincing verification would come from software not contained or
controlled by the media that was supposedly being tested.)


-- Ian Bruce
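
An added example, not part of the original message: one way to check a constant ISO that has customer-specific data appended after it on the same media, run from a separate trusted system as the closing paragraph above recommends. It reads the volume length from the ISO 9660 primary volume descriptor and hashes only that region. The function names are hypothetical, the sample image is constructed, and it assumes the reference hash covers exactly the volume length recorded in the descriptor (pass `length` explicitly if the reference image carries padding).

```python
import hashlib
import struct

SECTOR = 2048              # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR   # volume descriptors start at sector 16


def iso_volume_length(f):
    """Return the byte length of the ISO 9660 volume recorded in its PVD."""
    f.seek(PVD_OFFSET)
    pvd = f.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    blocks = struct.unpack_from("<I", pvd, 80)[0]       # volume space size
    block_size = struct.unpack_from("<H", pvd, 128)[0]  # logical block size
    return blocks * block_size


def hash_iso_region(path, length=None, algo="sha512"):
    """Hash only the ISO region of a device or file, ignoring appended data."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        if length is None:
            length = iso_volume_length(f)
        f.seek(0)
        remaining = length
        while remaining:
            chunk = f.read(min(1 << 20, remaining))
            if not chunk:
                raise ValueError("media is shorter than the ISO volume")
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def build_sample_iso(blocks=20):
    """Constructed sample: zero bytes plus a valid PVD header, not bootable."""
    img = bytearray(blocks * SECTOR)
    img[PVD_OFFSET] = 1                                 # descriptor type: primary
    img[PVD_OFFSET + 1:PVD_OFFSET + 6] = b"CD001"       # standard identifier
    struct.pack_into("<I", img, PVD_OFFSET + 80, blocks)
    struct.pack_into("<H", img, PVD_OFFSET + 128, SECTOR)
    return bytes(img)
```

Compare the returned digest with the published value obtained through a channel other than the media itself.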

