Kexec iso boot fails. Tested: Ubuntu and QubesOS #470

Closed
tlaurion opened this issue Oct 22, 2018 · 9 comments

@tlaurion
Collaborator

tlaurion commented Oct 22, 2018

@flammit @osresearch

I'm trying to use iso boot without success. Tried QubesOS and Ubuntu.

I never retested this code path because I knew that it was broken, the mitigation being to dd the iso image directly into a SD card and boot directly from it from Heads, which always worked for QubesOS without added integrity validation functionalities. That's the mitigation I used until now, but I'm running out of free SD cards and USB drives. Plus... It would make total sense to have a single USB drive/SD card for all boot needs. :)

For QubesOS, the public signature being included in the rom makes the integrity validation work out of the box, but the booting of the ISO doesn't find the root of the iso filesystem:
[screenshot: qubesos_signedboot]

For Ubuntu, I had to `gpg --sign --armor --detach Ubuntu.iso` from recovery console:
[screenshot: ubuntu-signedboot]

@flammit: I remember there was some magic to be applied to the boot line. Thought it was iso-scan/filename but it doesn't seem to be applied to all discovered boot configurations. The result of attempting to boot any configuration is a reboot.

@tlaurion
Collaborator Author

tlaurion commented Oct 22, 2018

From u-root slack:
@flammit I thought this was fixed with a general fix? Going through all slack exchanges...

Here's what I've found:

```
/Qubes-R3.2-x86_64.iso
/Qubes-R3.2-x86_64.iso.asc  <-- (signed by them or you or whoever)
/kexec_iso/Qubes-R3.2-x86_64.iso/kexec_iso_add.txt
/kexec_iso/Qubes-R3.2-x86_64.iso/kexec.sig <-- (signed by you w/ the heads scripts)
```

kexec_iso_add.txt:

```
iso-scan/filename=/${ISO_PATH}
```

@tlaurion
Collaborator Author

@flammit :

if those files don’t have a valid kexec.sig - they are ignored
generated by `kexec-sign-config`

@tlaurion
Collaborator Author

tlaurion commented Oct 22, 2018

So my bad: for Debian/Ubuntu, it was documented in the Wiki. Will test, but thought that it would have been fixed.

From the preceding picture, we can see that $ISO_PATH doesn't seem to expand and is left as iso-scan/filename=

When booting from an ISO file on a USB drive, it must be signed by a valid key in the Heads ROM and the boot process will fail if invalid. The kexec_iso_add.txt and kexec_iso_remove.txt are useful to inject the appropriate kernel arguments to allow it to load properly. ISOs for Debian require that kexec_iso_add.txt contains to load properly:

```
findiso=${ISO_PATH}
```

Take a look at http://mbusb.aguslr.com/howto.html for more variations on the distro-specific ISO mounting command lines requirements. By default Heads uses two variants of this when booting from ISO where a kexec_iso_add.txt is not specified:

```
fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH iso-scan/filename=/${ISO_PATH}
```

@flammit : But for QubesOS, I would have expected it to work out of the box.

@tlaurion
Collaborator Author

tlaurion commented Oct 22, 2018

Sorry in advance for poor pictures.... Have to replace that broken lens ASAP.

@flammit : To reproduce:

Under Dom0:
Pass sdcard/usb key to VM

in VM terminal:

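```sh
cd ~/
git clone https://github.com/osresearch/heads/
cd heads
git remote add tlaurion https://github.com/tlaurion/heads/
# Fetch the remote's branches so the merge target exists locally
git fetch tlaurion
git merge tlaurion/current_x230_no-CONFIG_LIBREMKEY

sudo mount /dev/sda1 /media
# -O (capital) names the output file; lowercase -o would write wget's log there instead
wget -c http://releases.ubuntu.com/18.10/ubuntu-18.10-desktop-amd64.iso -O /media/ubuntu-18.10-desktop-amd64.iso
mkdir -p /media/kexec_iso/ubuntu-18.10-desktop-amd64.iso/
# Single quotes keep ${ISO_PATH} literal so the placeholder is written to the file as-is
echo 'findiso=${ISO_PATH}' > /media/kexec_iso/ubuntu-18.10-desktop-amd64.iso/kexec_iso_add.txt
sudo umount /media
```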

from Heads recovery shell:

```sh
mount-usb
mount -o remount,rw /media
gpg --sign --armor --detach ubuntu-18.10-desktop-amd64.iso
kexec-sign-config -p /media/kexec_iso/ubuntu-18.10-desktop-amd64.iso/
mount -o remount,ro /media
reboot
```

Booting from USB results in a validated configuration:
[screenshot: ubuntuvalidatedconfig]
Note the presence of `Overriding standard ISO kernel add argument: findiso=ubuntu-18.10-desktop-amd64.iso`

When attempting Install options 3 and 4:
[screenshot: ubuntu_unrespectedoptions]
Note that what is used in option 3 is still an empty scan/filename= instead of scan/filename=${ISO_PATH}, and not findiso=ubuntu-18.10-desktop-amd64.iso as expected.
Option 4 presents a boot command line without ISO options.

Booting option 3 or 4 results in an instant reboot.

@flammit
Collaborator

flammit commented Oct 27, 2018

@tlaurion I just tested Ubuntu 16.04.3 / Ubuntu 18.04.1 / Debian Live 9.5.0 / Qubes 4 installer and they all booted fine for me from ISO. If you're using master, this should work for the plain ISOs with just a detached signature and it doesn't require the kexec-iso-add.txt file or `kexec-sign-config -p /media/kexec_iso/*` step since kexec-iso-init injects both fromiso and iso-scan/filename.

Note that in your screenshots, that blank iso-scan/filename= comes from the Ubuntu grub config itself (which isn't parsed properly because the grub environment variables aren't interpreted). When debugging, the important thing is looking at the echoed kexec command after hitting y, which should contain the fromiso and iso-scan/filename arguments.

I vaguely recall having an issue later on in the Qubes 4 install where it couldn't find packages when installing from ISO, so I had to revert to a dd onto USB.
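The debugging check described in the comment above, as an added example that is not part of the thread and is not Heads code: it expands the `${ISO_PATH}` / `$DEV_UUID` placeholders of an argument template and then inspects a kexec command line for empty, unexpanded or missing ISO-locating arguments. The function names, the UUID and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; not Heads code. Function names are hypothetical.

# Expand the ${ISO_PATH} / $DEV_UUID placeholders in a kernel-argument template
# (for example the contents of kexec_iso_add.txt).
#   $1 = template, $2 = ISO path on the USB filesystem, $3 = filesystem UUID
expand_iso_template() {
    # Escape characters that are special in a sed replacement.
    iso=$(printf '%s' "$2" | sed 's/[&|\\]/\\&/g')
    uuid=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')
    printf '%s\n' "$1" | sed \
        -e "s|[\$]{ISO_PATH}|$iso|g" -e "s|[\$]ISO_PATH|$iso|g" \
        -e "s|[\$]{DEV_UUID}|$uuid|g" -e "s|[\$]DEV_UUID|$uuid|g"
}

# Inspect a kexec command line and print one "name: status" line per
# ISO-locating argument. Returns 0 only if at least one such argument is
# present and none is empty or still contains an unexpanded "$" placeholder.
check_iso_cmdline() (
    set -f                      # no globbing while splitting the command line
    found=0; bad=0
    for arg in $1; do
        case "$arg" in
            fromiso=*|findiso=*|iso-scan/filename=*) ;;
            *) continue ;;
        esac
        found=1
        name=${arg%%=*}; value=${arg#*=}
        case "$value" in
            "")    echo "$name: empty"; bad=1 ;;
            *'$'*) echo "$name: unexpanded"; bad=1 ;;
            *)     echo "$name: ok" ;;
        esac
    done
    if [ "$found" -eq 0 ]; then echo "none: missing"; return 1; fi
    [ "$bad" -eq 0 ]
)

# Constructed samples: the default argument pair quoted in the thread, then a
# command line carrying the blank iso-scan/filename= seen in the screenshots.
tpl='fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH iso-scan/filename=/${ISO_PATH}'
check_iso_cmdline "$(expand_iso_template "$tpl" ubuntu-18.10-desktop-amd64.iso 1234-ABCD)"
check_iso_cmdline 'boot=casper iso-scan/filename= quiet splash' || true
```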

@tlaurion
Collaborator Author

@flammit was able to boot with master and #471 applied.
I confirm a small screen gibberish when FB switches.

@Pant1993

Pant1993 commented Feb 4, 2020

Hi,
I am trying to boot using a bootable pendrive ubuntu18.04, I only see a message starting new kernel and it hangs after that.
[screenshot: IMG_20200204_173819]

@tlaurion
Collaborator Author

tlaurion commented Feb 5, 2020

@Pant1993 : This is not iso boot. Additionally, it seems to be linuxboot on top of qemu?

Please open another issue with more details:

  • Board attempted, commit ID and the most details you can provide that pertain to your use case.

Normally, if you let it die from timeout, you should get additional details. I suppose mapped disk which was passed to kexec call cannot be found from qemu but that needs to be documented so someone playing with qemu can answer properly.

@Pant1993

Pant1993 commented Feb 5, 2020

Yes, it is not an iso boot, was trying to boot from Ubuntu 18.04 bootable USB drive. I waited for a long time, it doesn't timeout.
