How to move your /boot partition onto removable media.

19 April 2014

Part of every traveler's threat model today should include the following scenario:

When you're trying to fly into or out of an airport en route to someplace else, it is entirely possible that the airport's security staff will take you aside for a more thorough search and questioning while your stuff is taken someplace out of your control and analyzed. We know that there are malware packages available today that boobytrap the boot device of laptop computers to install various forms of surveillance malware which run the next time you start your machine up and compromise the OS even though you may have locked it down to prevent live attacks. That the malware may capture the passphrase used to unlock an encrypted hard drives in the computer is an additional kick in the pants that one must be prepared to dodge.

Here's one way to mitigate this threat, which involves the use of a USB key that you work to keep out of the clutches of others at all times. Here's what I've got to work with:

  • A laptop computer running Arch Linux
  • /boot is on its own partition
  • The rest of the drive is encrypted with LUKS
  • I'm using SYSLINUX as my boot loader
  • I have a tiny USB key that I carry on my person at all times (let's say it's this one)

The first thing I did was partition and format the USB key so that it looks like this:

[drwho@windbringer ~]$ sudo fdisk -l /dev/sdb

Disk /dev/sdb: 7.3 GiB, 7862353920 bytes, 15356160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xefb32997

Device    Boot     Start       End  Blocks  Id System
/dev/sdb1 *         2048   4196351 2097152  83 Linux
/dev/sdb2        4196352  15356159 5579904  83 Linux

I formatted the first partition with the EXT4 file system because that's what I'm using on all of my Linux machines these days. After mounting the USB key on Windbringer I copied everything on the /boot partition onto it: sudo cp -rv /boot/* /media/USB

I then mounted my USB key in place of the /boot partition so I could install the boot loader:

sudo umount /boot
sudo umount /media/USB
sudo mount /dev/sdb1 /boot

Now to install the boot loader on my USB key. I use SYSLINUX (they spell it in all caps so I'll do the same) because GRUB2 pisses me off to no end these days, so this was actually quite straightforward: sudo syslinux-install_update -i -a -m

SYSLINUX requires that a configuration file syslinux/syslinux.cfg exist on the boot device to tell it where to find the boot files. I copied the one generated for me when I installed Arch Linux on this laptop, quoted here for the curious:

UI menu.c32

MENU MASTER PASSWD nevergonnagiveyouupnevergonnaletyoudown

LABEL linux
    MENU LABEL Primary Kernel
    LINUX vmlinuz-linux
    INITRD initramfs-linux.img
    APPEND root=/dev/mapper/root cryptdevice=/dev/sda2:root rw

LABEL fallback
    MENU LABEL Fallback Kernel
    LINUX vmlinuz-linux
    INITRD initramfs-linux-fallback.img
    APPEND root=/dev/mapper/root cryptdevice=/dev/sda2:root rw

That's really all there is to it. To use it, before powering on your laptop plug the USB key in. After hitting the power button, hit whatever key combination that will cause your laptop to prompt you for the device to boot from. For me it's F12 but your mileage will probably differ. Select your USB key, and when prompted enter the passphrase to unlock your hard drive. After you boot, disconnect your USB key and put it away. If you can help it, never let it out of your sight. Wear it around your neck on a chain or something. Remember that you'll have to update your USB key by recopying the contents of /boot to your USB key whenever you install updates that involve your system's kernel. If you're extra paranoid, you may wish to set the immutable extended file system attribute on all of the files on your USB key to make it more difficult for someone to tamper with them: sudo chattr -R +i /mnt/USB/*

Now let's go for style points. Let's say that there's a live distro that you like to keep handy for emergencies, like Ubuntu Desktop Edition or TAILS. What you can do is download a copy of the .iso image and put it in the root of your USB key. Make sure that you have a copy of the memdisk utility from SYSLINUX on your USB key (if you installed it correctly, you should). Then append the following to the end of your syslinux/syslinux.cfg file:

    MENU LABEL Rescue Media
    LINUX memdisk
    INITRD ../name_of_your_live_distro.iso
    APPEND iso raw

Then, the next time you need to run your live distro of choice plug your USB key into the machine, cursor down to the menu option called iso, and hit the enter key. It'll take a while for your live distro to start up (my copy of TAILS v0.23 takes around five or six minutes to boot using this technique) so be patient, it'll get there. Be warned that you might be sticking your more trustworthy personal boot media into an untrusted macihne, so think twice before you do this willy nilly; it is conceivable that someone may trick you into doing this so that they can compromise your boot media. Remember that we live in an age in which the most tinfoil hat paranoid people on the Internet weren't paranoid enough.

This work by The Doctor [412/724/301/703][ZS] is published under a Creative Commons By Attribution / Noncommercial / Share Alike v3.0 License.