Trying to boot Ubuntu installed to disk as read-only.

Installed overlayroot and set overlayroot to tmpfs.

```
$ sudo apt install -y overlayroot
$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf
$ sudo systemctl reboot
```

Running `sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2` reveals that the checksum of `/dev/rdisk5s2` changes… why?

How can one make a disk forensically read-only?

Test one…

```
$ sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2
SHA512(/dev/rdisk5s1)= c533e6d472f9a36009f7dc11c337fe0da71b31e6d77fe40e96a7ea92e4711604c9044b40334782a35ddfbf2537a4bebb6602c6f576ce93092172c98a9fe59672
SHA512(/dev/rdisk5s2)= 072dc609ed857b9cb758b688bd659672db9702d218388e5c4e24ad324f7098c01bacf93742f7cbb28a1387179423f9e90596503b1b4917df16c63b7aaee5b30d
```

Reboot, do stuff, test two…

```
$ sudo openssl dgst -sha512 /dev/rdisk5s1 /dev/rdisk5s2
SHA512(/dev/rdisk5s1)= c533e6d472f9a36009f7dc11c337fe0da71b31e6d77fe40e96a7ea92e4711604c9044b40334782a35ddfbf2537a4bebb6602c6f576ce93092172c98a9fe59672
SHA512(/dev/rdisk5s2)= 9fac42f8e27583a2c2489f4888d72d4d662990535cd5355d01f80d94464572b3669d8b1d9b57b0776b65525d3ce5293e6ee52c16bdc0635f2517ad9aecfd62b
```
sunknudsen
  • Hardware solution: clone disk, and *on the clone* set security permissions to read-only. Forensic analysis should not affect the original media. – DrMoishe Pippik Jan 08 '23 at 18:24
  • Thanks for helping out… trying to make sure one can use Ubuntu without data persistence (similar to how Tails works). – sunknudsen Jan 08 '23 at 19:03
  • One can boot a fully-functional Ubuntu from DVD, which is immutable, *but* one **can** make changes (to the OS and to the file system in RAM) while operating, such as downloading additional software and installing it. *However*, those changes do *not* persist after reboot. Not sure if that answers your question, though. Are you looking for a kiosk mode? https://ubuntu.com/tutorials?q=kiosk – DrMoishe Pippik Jan 08 '23 at 21:26
  • For the record, in your post you mentioned nothing about actually setting any mountpoint (including but not limited to `/`) to `ro` or enabling this overlayroot thing. Also, for `/` if you set `ro` in fstab for its entry (if any) instead of in the kernel command line, the `/` filesystem might still be mounted `rw` for a while every boot. – Tom Yan Jan 09 '23 at 10:41
  • Thanks to @secfren’s answer, I believe the issue might be caused by the `noauto` flag missing… investigating. – sunknudsen Jan 09 '23 at 10:59

2 Answers

> /dev/rdisk5s2 changes… why?

Analyze it. Compare between boots. Maybe use a smaller test disk (VM).

Related (and maybe the reason you are seeing changes): Why are write blockers needed when there is mount with read-only?

I don't know what both of these partitions are, but I doubt both are root. And I guess overlayroot just works for root.

If you want it read-only as in the case of Tails you need a hardware write blocker. Like USB-SATA/SSD/NVME adapter with write block switch though you theoretically still could work around that. The non-persistence of Tails comes from the media it runs from (DVD, USB is rw, RAM).

If the underlying hardware is read-write and the OS is being made RO only by software then someone can work around that just by remounting the root filesystem RW.

secfren
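One way to follow the advice above to compare between boots, as an added example that is not part of the original answer: hash the partition in fixed-size chunks before and after a reboot and report which byte ranges differ, rather than relying on a single whole-device digest. The script name `chunkdiff.py`, the JSON manifest format and the 1 MiB chunk size are assumptions made for this example.

```python
import hashlib
import json
import sys

CHUNK = 1 << 20  # 1 MiB (assumed size); a multiple of the sector size


def chunk_digests(path, chunk_size=CHUNK):
    """Return one SHA-512 hex digest per fixed-size chunk of a device or image."""
    digests = []
    with open(path, "rb") as dev:  # opened read-only; nothing is written back
        while True:
            block = dev.read(chunk_size)
            if not block:
                break
            digests.append(hashlib.sha512(block).hexdigest())
    return digests


def changed_ranges(before, after, chunk_size=CHUNK):
    """Merge differing chunk indexes into (start_byte, end_byte) ranges.

    end_byte is exclusive. A size change shows up as a trailing range.
    """
    ranges = []
    for i in range(max(len(before), len(after))):
        old = before[i] if i < len(before) else None
        new = after[i] if i < len(after) else None
        if old == new:
            continue
        start = i * chunk_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], start + chunk_size)  # extend the run
        else:
            ranges.append((start, start + chunk_size))
    return ranges


if __name__ == "__main__":
    usage = ("usage: chunkdiff.py snapshot <device-or-image> <manifest.json>\n"
             "       chunkdiff.py compare <before.json> <after.json>")
    if len(sys.argv) != 4 or sys.argv[1] not in ("snapshot", "compare"):
        sys.exit(usage)
    if sys.argv[1] == "snapshot":
        with open(sys.argv[3], "w") as out:
            json.dump(chunk_digests(sys.argv[2]), out)
    else:
        with open(sys.argv[2]) as f1, open(sys.argv[3]) as f2:
            for start, end in changed_ranges(json.load(f1), json.load(f2)):
                print(f"changed: bytes {start}-{end - 1}")
```

Take the snapshots from the host that computes the checksums, not from the booted system under test, and keep the manifests off the disk being measured.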

The issue was caused by the journaling file system… using ext2, the checksum no longer changes.

That said, I also had to disable fsck.repair when using a read-only disk (example: datAshur PRO² set to read-only).

```
$ sudo sed -i 's/quiet splash/fsck.repair=no quiet splash/g' /etc/default/grub
$ sudo update-grub
```
sunknudsen