Trying to boot Ubuntu installed to disk as read-only.

Installed overlayroot and set overlayroot to tmpfs.

$ sudo apt install -y overlayroot

$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf

$ sudo systemctl reboot

Running sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2 reveals that the checksum of /dev/rdisk5s2 changes… why?

How can one make a disk forensically read-only?

Test one…

$ sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2
SHA512(/dev/rdisk5s1)= c533e6d472f9a36009f7dc11c337fe0da71b31e6d77fe40e96a7ea92e4711604c9044b40334782a35ddfbf2537a4bebb6602c6f576ce93092172c98a9fe59672
SHA512(/dev/rdisk5s2)= 072dc609ed857b9cb758b688bd659672db9702d218388e5c4e24ad324f7098c01bacf93742f7cbb28a1387179423f9e90596503b1b4917df16c63b7aaee5b30d

Reboot, do stuff, test two…

$ sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2
SHA512(/dev/rdisk5s1)= c533e6d472f9a36009f7dc11c337fe0da71b31e6d77fe40e96a7ea92e4711604c9044b40334782a35ddfbf2537a4bebb6602c6f576ce93092172c98a9fe59672
SHA512(/dev/rdisk5s2)= 9fac42f8e27583a2c2489f4888d72d4d662990535cd5355d01f80d94464572b3669d8b1d9b57b0776b65525d3ce5293e6ee52c16bdc0635f2517ad9aecfd62b
sunknudsen
  • 1,060

2 Answers

/dev/rdisk5s2 changes… why?

Analyze it. Compare between boots. Maybe use a smaller test disk (VM).

Related (and maybe the reason you are seeing changes): Why are write blockers needed when there is mount with read-only?

I don't know what both of these partitions are, but I doubt both are root. And I guess overlayroot just works for root.

If you want it read-only as in the case of Tails, you need a hardware write blocker. Like a USB-SATA/SSD/NVMe adapter with a write-block switch, though you theoretically could still work around that. The non-persistence of Tails comes from the media it runs from (DVD, USB is rw, RAM).

If the underlying hardware is read-write and the OS is being made RO only by software, then someone can work around that just by remounting the root filesystem RW.

secfren
  • 11

The issue was caused by the journaling file system… using ext2, the checksum no longer changes.

That said, I also had to disable fsck.repair when using a read-only disk (example: datAshur PRO² set to read-only).

$ sudo sed -i 's/quiet splash/fsck.repair=no quiet splash/g' /etc/default/grub

$ sudo update-grub

sunknudsen
  • 1,060
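
One way to carry out the "compare between boots" step from the first answer, as an added example that is not part of the original posts: instead of one digest per partition, record a SHA-512 per block and diff the two manifests to see where on the partition the writes landed. The script name blockdiff.py and the 4096-byte block size are assumptions.

```python
#!/usr/bin/env python3
"""Per-block SHA-512 manifest of a partition or image, and a diff of two manifests."""
import hashlib
import json
import sys

BLOCK = 4096  # assumed block size (common ext2/3/4 default); adjust to the filesystem


def manifest(path, block=BLOCK):
    """Return one hex digest per `block`-sized chunk of the device or image at `path`."""
    digests = []
    with open(path, "rb") as dev:
        while chunk := dev.read(block):
            digests.append(hashlib.sha512(chunk).hexdigest())
    return digests


def changed_blocks(before, after):
    """Return indices of blocks that differ or that exist in only one manifest."""
    n = max(len(before), len(after))
    return [i for i in range(n)
            if i >= len(before) or i >= len(after) or before[i] != after[i]]


def ranges(indices):
    """Collapse sorted block indices into inclusive (first, last) runs."""
    runs = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs


if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("save", "diff"):
        sys.exit("usage: blockdiff.py save <device> <out.json>"
                 " | diff <before.json> <after.json>")
    if sys.argv[1] == "save":
        with open(sys.argv[3], "w") as out:
            json.dump(manifest(sys.argv[2]), out)
    else:
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            runs = ranges(changed_blocks(json.load(a), json.load(b)))
        for first, last in runs:
            print(f"blocks {first}-{last} changed (byte offset {first * BLOCK})")
        print(f"{len(runs)} changed run(s)")
```

Run `save` before the reboot and again after it, writing both manifests to storage other than the disk under test, then run `diff` on the two files.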