Boot Linux ISOs From USB Sticks Using GRUB

Bootable GRUB2 Emergency Flash Drive

The goal of this tutorial is to document the steps to create a simple USB flash drive with GRUB2 installed and configured to boot ISO images. This will enable me to put Ubuntu, memtesters, etc on archival flash drives.

Storing the ISO images directly allows their integrity and authenticity to be easily verified using hashes.

Furthermore, the remaining portion of the disk can be used for anything. I’ve had good luck creating additional partitions and creating LUKS partitions there.

Steps

1. Define some environmental variables used later:

   DEV=/dev/sdx
   USB=/mnt/usb
   

2. Zero the old partition table and create a new one, feel free to tweak the size of the boot partition if you intend to hold more then 1 or 2 ISO images. The grub partition is where the GRUB boot loader will be setup, don’t use this partition directly. The boot partition is where all the primary boot files are stored.

   sudo sgdisk --zap-all $DEV
   
   sudo sgdisk -n 1:0:+2M $DEV
   sudo sgdisk -t 1:ef02 $DEV
   sudo sgdisk -c 1:grub $DEV
   
   sudo sgdisk -n 2:0:+4G $DEV
   sudo sgdisk -t 2:8300 $DEV
   sudo sgdisk -c 2:boot $DEV
   

   Verify things went as expected:

   $ sudo sgdisk --print $DEV
   Disk /dev/sdc: 61739008 sectors, 29.4 GiB
   Logical sector size: 512 bytes
   Disk identifier (GUID): CC79C82D-BC1D-4D3C-BE85-0068162BC053
   Partition table holds up to 128 entries
   First usable sector is 34, last usable sector is 61738974
   Partitions will be aligned on 2048-sector boundaries
   Total free space is 53346237 sectors (25.4 GiB)
   
   Number  Start (sector)    End (sector)  Size       Code  Name
      1            2048            6143   2.0 MiB     EF02  grub
      2            6144         8394751   4.0 GiB     8300  boot
   

3. Create the file system for GRUB and the ISO images and then mount it:

   sudo mkfs.vfat -n SAFEBOOT003 ${DEV}2
   sudo mkdir -p $USB
   sudo mount ${DEV}2 $USB
   

4. Install GRUB

   sudo mkdir -p $USB/boot/grub
   

   For tradtional PCs:

   sudo grub-install --no-floppy --boot-directory=$USB/boot $DEV
   

   (Optional) Add support for EFI Apple computers:

   sudo grub-install --target=x86_64-efi --boot-directory=$USB/boot --efi-directory=$USB --removable --recheck $DEV
   

5. Create a basic GRUB configuration file, modify path to ISO as appropriate, add more menuentries if desired. Becareful your shell doesn’t replace $iso.

   cat <<EOF | sudo tee $USB/boot/grub/grub.cfg
   set timeout=10
   set default=0
   
   menuentry "Ubuntu 14.04.1 Live ISO" {
      set iso="/iso/ubuntu-14.04.1-desktop-amd64.iso"
      loopback loop \$iso
      linux (loop)/casper/vmlinuz.efi boot=casper iso-scan/filename=\$iso splash
      initrd (loop)/casper/initrd.lz
   }
   EOF
   

6. Fetch an ISO. In this case Ubuntu 14.04.1 works well on my System76 Galgo UltraPro laptop. Surprisingly, 14.04 works better then 14.10 on my Apple 2012 Retina MacBook Pro.

   sudo mkdir $USB/iso
   cd $USB/iso
   sudo wget -c http://releases.ubuntu.com/14.04/ubuntu-14.04.1-desktop-amd64.iso
   

7. For the security paranoid, download and verify signatures:

   cd $USB/iso
   sudo wget http://releases.ubuntu.com/14.04/SHA256SUMS.gpg http://releases.ubuntu.com/14.04/SHA256SUMS
   gpg --keyserver keyserver.ubuntu.com --recv-keys FBB75451
   gpg --export -a FBB75451 | sudo tee ubuntu.public.key
   gpg --verify SHA256SUMS.gpg SHA256SUMS
   sha256sum -c <(grep ubuntu-14.04.1-desktop-amd64.iso SHA256SUMS)
   

   After rebooting into LiveCD, a quick check can be performed to verify the integrity of hte boot media. Be sure to manually verify the fingerprint to ensure the ubuntu.public.key file hasn’t been tampered with. Security usability is hard, sigh.

   gpg --import ubuntu.public.key
   gpg --verify SHA256SUMS.gpg SHA256SUMS
   sha256sum -c <(grep ubuntu-14.04.1-desktop-amd64.iso SHA256SUMS)
   

8. Add extra stuff. Examples:

   • LUKS partition for sensitive data
   • General purpose partition for easy file transfers
   • Hash / checksum files for integrity verification
   • GPG tools and signatures for authenticity verification
   • Memory tester ISOs
   • Additional Linux distributions
   • Software to run offline code wallet storage like Bitcoin Armory for cold wallets
   • Backup software or recovery tools

I’d recommend all auxiliary software be stored on a LUKS secured partition to avoid concern of tampering (i.e. backdoored Bitcoin wallet software).

Testing

• Insert flash drive in to a PC. Interrupt the boot process and instruct the BIOS to boot off the USB flash drive. The GRUB screen should appear.
• Insert flash drive in to a Mac. Hold the “Option” key down during power on and select the “EFI Boot” option that should be present. Prepare for a semi-broken user experience as the system boots on the edge of disaster that is Apple hardware. Be ready for no Ethernet or WiFi. The ultimate offline device.

Notes

Grub2 version for generation using Arch Linux:

$ pacman -Q grub
grub 1:2.02.beta2-5