0

I want to create a Ubuntu bootable USB flash and install my apps in that, then pass USB to any other person. they should run Ubuntu from USB flash and run my applications from it, so that nobody could change Ubuntu's kernel modules and also my application's modules and I want to prevent booting Ubunto if one of that modules was changed.

I think I have two options to achieve my purpose, first, UEFI bootloader programming and checks hash of USB contents through my customized bootloader, second, Use secure boot feature of UEFI.

I prefer second option because I think secure boot does everything I want and it is much easier than the first option, but I couldn't find any tutorial for creating secure boot enabled USB flash(with only my keys).

I will appreciate you if you could provide a step-by-step tutorial for clear default keys, enroll my keys, enabling secure boot for flash disk, and everything else I will need.

hamed
  • 101
  • 1
  • 4
  • A typical live session is not the way to go. A full installation in the USB (eventually with bootloaders both for UEFI and BIOS, if required to boot in a wide variety of hardware) and a non-admin user is probably doable for your requirements. – ChanganAuto Apr 20 '21 at 11:11
  • Any live Ubuntu system will only boot into its kernel and kernel drivers, even if people [try to] install a new kernel. - Your applications are protected in a live [live-only] system, but if people make a persistent live system, your applications might be overwritten. Secure boot does not protect applications from being overwritten. - In an installed system neither the kernel nor your applications are protected from overwriting / modification / upgrading (but only kernels with correct signature will boot). – sudodus Apr 21 '21 at 13:32
  • @sudodus, I think secure-boot could check overwritten file signatures and prevent OS from booting, so I looking for a fully installed Ubunto on a USB flash and secure its files with secure boot. am I wrong? – hamed Apr 23 '21 at 10:28
  • @hamed, If I understand correctly, secure boot addresses the booting process (grub, kernel, kernel drivers) but not launching application programs. The affected software (grub, kernel, kernel drivers) must be signed with a valid signature to be accepted by the secure boot process, but software that is activated later on, typically application software, is not checked by secure boot. – sudodus Apr 23 '21 at 13:11
  • @sudodus You made me doubt , but I think it does not matter to secure boot what you want to sign. do you have any other solution? – hamed Apr 23 '21 at 15:17
  • @hamed, You can try according to Rinzwind's answer at How to customize the Ubuntu Live CD? - 'Creating your own Custom Live CD - the manual way.' or something similar, if you much upgrade some command to match the current version of Ubuntu. – sudodus Apr 23 '21 at 18:17

1 Answers1

1

Maybe this will help you?

How to customize the Ubuntu Live CD?

You can customize the base image and install it in the USB.

Majal
  • 7,711
  • Do you mean I should use a live custom Ubuntu instead of a safe-boot? Can I force the user to select the "Try Ubuntu" option and prevent them from installing my custom iso? because if users could install my custom iso then they could boot Ubuntu normally and change its modules. – hamed Apr 23 '21 at 10:21