USB stick with Tails and SystemRescueCD
With the ongoing surveillance everywhere, it is wise to have some way to work without leaving traces. One of these tools is Tails, famous for having been used by Snowden to transmit the NSA data. On the other hand, it is always good to have a rescue system at hand, and in the last years the SystemRescueCD has often served me (and my friends) very well.
This article describes how to set up a USB stick that boots in one of these two, and in addition boots on both EFI and legacy systems.
Warning: The following instructions require some knowledge of your system and changes of names/devices. Don’t execute them blindly, or you might hose your whole computer!
Wishlist
I have a long wishlist of items a boot stick should fulfil
- boots into Tails and SystemRescueCD
- boots on both EFI and legacy systems
- uses the full size of the USB stick (user data!)
- allows installation of Debian
- if possible, preserve already present user data on the stick
One by one each of these can easily be achieved. Both Tails and SystemRescueCD provide instructions howto install onto usb sticks, but most of the times that deletes all the rest. Furthermore, in many cases the full capacity is not used, meaning it works only as rescue stick, or install stick, but not as universal one.
Another challenge is the requirement to have it boot on both EFI and Legacy systems. Of course, most of the EFI systems one can set into Legacy boot mode, but in an internet cafe you might not be able to do this, or you don’t want to fiddle around in the BIOS.
The players: Tails and SystemRescueCD
As already mentioned, Tails was used by Snowden to transmit information without leaving traces on any device. The web site itself introduces Tails as: Privacy for anyone anywhere, and continues:
Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
- use the Internet anonymously and circumvent censorship;
- all connections to the Internet are forced to go through the Tor network;
- leave no trace on the computer you are using unless you ask it explicitly;
- use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
And indeed, it stands up to it!
SystemRescueCD says about itself:
SystemRescueCd is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administrating or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the hard disk partitions. It comes with a lot of linux software such as system tools (parted, partimage, fstools, …) and basic tools (editors, midnight commander, network tools). It can be used for both Linux and windows computers, and on desktops as well as servers. This rescue system requires no installation as it can be booted from a CD/DVD drive or USB stick, but it can be installed on the hard disk if you wish. The kernel supports all important file systems (ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, ntfs), as well as network filesystems (samba and nfs).
It has rescued myself and friends of mine several times from tedious reinstallations.
Requirements
A USB stick, the iso images of Tails (currently version 1.0) and SystemRescueCD (currently version 4.2.0), and some tool to access iso images, for example ISOmaster (often available from your friendly Linux distribution).
If you want to preserve the data that is currently available on the USB stick, you have to make sure that the following requirements are satisfied:
- the first (and hopefully only) partition is vfat/fat32 formatted
- the first partition starts late enough: I cannot qualifiy this exactely, but 2k is enough. Normal partition tools (fdisk, parted) already take care for this. The reason is that we need to install grub into the area between the MBR and the start of the partition.
If one of the two is not satisfied, please backup your stick, and follow the full procedure, otherwise you can skip the next step.
Preparation of the USB stick
The following has to be done as root. We assume that the USB stick is /dev/sdb on the system. WARNING If this is not the case (e.g., you have two hard drives), you have to change this or you will destroy your system!.
- format the USB stick: use fdisk or similar to create delete all partitions on the stick, and recreate one covering the whole stick (default), of type “W95 FAT” (code b).
- create a fat file system on the partition:
mkfs.vfat /dev/sdb1
- mount the USB stick: we will use the mount point /usbstick throughout. This directory has to be first created, then
mount /dev/sdb1 /usbstick
- GRUB install for EFI systems: install the grub-efi variant:
grub-install --removable --target=x86_64-efi --root-directory=/usbstick /dev/sdb
- GRUB install for Legacy systems:
grub-install --removable --target=i386-pc --root-directory=/usbstick /dev/sdb
After these steps you should be able to boot into the GRUB shell on both EFI and Legacy systems. By now, there is not grub.cfg so you are dropped into the normal grub shell and can type in commands manually.
It might be a good idea to try it out before continuing.
Installation of SystemRescueCD files
Assuming you have access to the files on the SystemRescueCD via the directory /systemrescuecd, execute the following commands:
mkdir /usbstick/sysrcd
cp /systemrescuecd/sysrcd.dat /usbstick/
cp /systemrescuecd/sysrcd.md5 /usbstick/
cp /systemrescuecd/version /usbstick/
cp /systemrescuecd/isolinux/rescue32 /usbstick/sysrcd/
cp /systemrescuecd/isolinux/rescue64 /usbstick/sysrcd/
cp /systemrescuecd/isolinux/altker32 /usbstick/sysrcd/
cp /systemrescuecd/isolinux/altker64 /usbstick/sysrcd/
cp /systemrescuecd/isolinux/initram.igz /usbstick/sysrcd/
cp /systemrescuecd/boot/grub/font.pf2 /usbstick/boot/grub/
It would be also possible to keep the isolinux directory as is, but I want to have a clean installation as far as possible, in case I want to add further boot options later on.
Optionally one can also copy the ntpasswd directory to the USB stick. It allows to recover, edit, change Windows passwords, but I don’t know up to which Windows version it works.
Installation of Tails files
Assuming you have access to the files on the Tails via the directory /tails, execute the following commands:
cp -a /tails/live /usbstick/
Tails is very nice here, as it keeps all the files in one directory. I would like to see SystemRescueCD doing the same setup!
Current status of USB stick
Just to make sure, the usb stick should contain at the current stage the following files:
/boot/
grub/
fonts/
lots of files
locale/
lots of files
x86_64-efi/
lots of files
font.pf2
grubenv
grub.cfg *this file we create in the next step!!*
/EFI
BOOT/
BOOTX64.EFI
/live
filesystems.packages
filesystems.squashfs
initrd.img
initrd2.img
Tails.module
vmlinuz
vmlinuz2
/ntpasswd *optionally*
initrd.cgz
scsi.cgz
vmlinuz
/sysrcd
altker32
altker64
initram.igz
rescue32
rescue64
sysrcd.dat
sysrcd.md5
version
The Grub config file grub.cfg
The final step is to provide a grub config file in /usbstick/boot/grub/grub.cfg. I created one by looking at the isoboot.cfg files both in the SystemRescueCD and Tails iso images, and converting them to grub syntax.
WARNING Below you will find my grub.cfg as well as excerpts from it. In both I have added one boot option to all linux kernels:
libata.force=noncq
which is necessary on my laptop to properly boot. If this is not necessary for your system, simply remove all occurrences of it.
So you can either use my provided grub.cfg, or write your own. I quote here the two most common entries for booting SystemRescueCD and Tails:
menuentry "SystemRescueCd (64bit, default boot options)" {
set gfxpayload=keep
linux /sysrcd/rescue64 libata.force=noncq
initrd /sysrcd/initram.igz
}
menuentry "Tails64 Live System" {
linux /live/vmlinuz2 boot=live config live-media=removable nopersistent noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails libata.force=noncq
initrd /live/initrd2.img
}
Debian installer image
As mentioned in my post on Debian on Vaio, I prefer to have a recent boot image of Debian net installer together with the nonfree firmware already built-in. So I get the daily built firmware firmware-testing-amd64-netinst.iso and drop it into /usbstick/debian/.
Now I only have to boot from this ISO image. There are several pages on the web describing the process, but in principle one has to:
- get the information on how booting is done on the CD
- tell grub to loop mount and boot the same way
In principle what I have done is copied the most important menu entries of the grub.cfg from the install iso image to my grub.cfg, and edited in a way that booting from the CD image can be done.
Since these boot parameters normally don’t change, I only need to drop a new debian iso image into the directory and will get a newer installer.
The respective code for the grub entries is:
submenu "Debian SID NetInstall 20140501 ---> " {
set isofile="/debian/firmware-testing-amd64-netinst.iso"
menuentry 'Install' {
set background_color=black
loopback loop (hd0,1)$isofile
linux (loop)/install.amd/vmlinuz vga=788 -- quiet
initrd (loop)/install.amd/initrd.gz
}
menuentry 'Graphical install' {
set background_color=black
loopback loop (hd0,1)$isofile
linux (loop)/install.amd/vmlinuz vga=788 -- quiet
initrd (loop)/install.amd/gtk/initrd.gz
}
menuentry '... Expert install' {
set background_color=black
loopback loop (hd0,1)$isofile
linux (loop)/install.amd/vmlinuz priority=low vga=788 --
initrd (loop)/install.amd/initrd.gz
}
menuentry '... Rescue mode' {
set background_color=black
loopback loop (hd0,1)$isofile
linux (loop)/install.amd/vmlinuz vga=788 rescue/enable=true -- quiet
initrd (loop)/install.amd/initrd.gz
}
}
Mind that here I did not add the libata.force=noncq boot options, as I use the installer normally on other systems, not on mine.
Conclusion
With the above setup I have achieved all the wishlist items from above. The only point that is not fully universally is that I restrict myself to amd64 architecture. That is, I might not be able to boot from an old i386 only system. But I also have none around to test it.
If yo have any comments, improvements or suggestions, please drop me a comment. I hope this helps a few people getting a decent USB boot stick running.
3 Responses
[…] https://www.preining.info/blog/2014/05/usb-stick-tails-systemrescuecd/ […]
[…] https://www.preining.info/blog/2014/05/usb-stick-tails-systemrescuecd/ […]
[…] http://www.preining.info/blog/2014/05/usb-stick-tails-systemrescuecd/ […]