Specialized boot using USB keys so system won't start without them

The situation:

 1. I have a mom and pop who run a business with records stored on Family Home PC.
 2. They have a Daughter with her own PC which she infects freshly about every 2 days despite warnings!
 3. This Daughter is not supposed to touch the Family PC but does so anyways
 4. This Daughter also invites Friends in who also take opportunity to mess with the system causing lots
    of damage.
 5. The Daughter also has a daughter (she's 7) and uses the Family Home PC for school work and games.
 6. Because the Home PC is constantly not working, the mom and pop got a laptop and I put openSUSE 11.1
    , Virtualbox (Sun), and Windows XP on it as Virtualbox guest OS.
 7. The 7 year old uses this machine now for school work and carts it back and forth. She uses Linux most
    of the time to do her math, spelling, grammar, writing, artwork, some games and uses virtual windows
    for games that won't run in Linux. Last week her school was hit by infection(s) that shut down all
    their systems and she was the only one who remained unaffected.
 8. She showed the system to her teachers and principal and they are now eager to switch over to Linux
    openSUSE too! She was excited to tell her grandparents that somehow she managed to lose the power 
    adapter. Now all computers are suffering.

What have they got:

 1. Old Family PC Pentium 1, 60GB harddisk, nvidia, soundblaster16, 512MB ram badly infected.
 2. Toshiba A70 Laptop 1GB ram 80GB harddisk without power adapter.

What do they want:

 1. A Family PC which is more up to date.
 2. Linux as the operating system.
 3. Windows XP PRO running as a virtual guest OS
 4. A method to prevent anyone from accessing the computer without both special key and user/password
 5. A replacement Laptop/Netbook with openSUSE and windows XP PRO running as virtual guest OS.
 6. Same restrictions to be on Laptop/Netbook so both special key and user/password is needed.

Here’s my plan:

 1. Replace old PC with GATEWAY C2D unit:
        CPU Intel Core 2 duo
        Ram 2GB expandable to 3GB
        80GB harddisk
        3.5 Floppy
        CD/DVDRW 
        1 serial, 1 parallel, 6 USB 2.0, front and back sound jacks, eth0 10/100 lan
        xSVGA with unknown card type until I unpack it
        keyboard, mouse, XP PRO
      
 2. Make Recovery DVD's
 3. Install openSUSE Linux 11.2 from DVD
 4. Install Virtualbox (Sun)
 5. Install XP PRO as virtual guest
 6. Configure system to boot from USB Key only such that if the system is turned on without the USB key
    it simply just reports no boot device and stops.
 =======================================================
 7. Replace Toshiba A70 Laptop with Acer Aspire-one n270 Netbook:
     
        CPU Intel Atom 1.6 GHz bus 533MHz chipset 945GSE Express
        Ram 1GB expandable to 2GB, 512MB L2 Cache
        160GB harddisk
        integrated WebCam
        WiFi LAN IEEE 802.11gb
        Stereo Speakers, Mic
        Display 10.2in backlit widescreen xhp
        Video Intel GMA 950 Dynamic 3.0
        Card reader RS-MMC, MemoryStick, Multimedia, SDMemory,xD-Picture, MemoryStick Pro
        USB 2.0 x 3 , VGA out
        keyboard,touchpad,XP Home Edition ??
        Battery 3-cell lithium ion 2200mAh ~3 hour
     
 8. Add Toshiba USB external CD/DVDRW drive
 9. Charge Battery
10. Install openSUSE Linux 11.2 from DVD, Install Virtualbox (Sun), Install XP PRO as guest OS
11. Configure system to boot from USB key only such that if the system is turned on without the USB key
    it simply just reports no boot device and stops.
========================================================
12. USB key #1 is an 8GB USBmemory to act as both key and /home/moms_data storage for mom
13. USB key #2 is a  4GB USBmemory to act as both key and /home/pop_data storage for pop
14. USB key #3 is a  4GB USBmemory to act as both key and /home/child_data storage for the child.
========================================================
15. Create a full Video of the whole process and capture it to DVD to be made available later for 
    viewing on-line.


Here’s where my problems start.

   -  When I go to install Linux openSUSE on the PC's, should I attach all three USB sticks, partition them with two partitions per stick?
   -  If so, I believe I need a fat32 on each stick which at some point will need to be made active.
   -  what should the other partition format be? fat32, ext3, ext4??
   -  If I put grub and /boot on the active partition of one USBstick how can I migrate it to the others. I vaguely recall doing a clone drive for harddisks but that was 10 years ago?
   -  Is there a better way to totally stop anyone from using the PC's without resorting to fingerprint or retina scanners?

Now that I’ve stated my case you can laugh!! What a world we live in when our kids won’t listen to the point that such measures need to be taken :frowning:

I’m open to suggestions … and thanks in advance.

Nice project!
Somewhere in the list, I would also set a BIOS password on the different computers, so that nobody can change the boot order in the bios and boot from, say a CD…

Of course you should make all 3 USB sticks bootable : have a look at Installation without CD - openSUSE

Once that’s done, copying the /boot directory from one to the other shouldn’t be a problem. I would take care, though, that grub (in menu.lst) refers to all drives not by their “by id” names but by their numbering scheme (sda or whatever), else you might not be able to copy from one disk to the other.

As to the format of the partitions, anything goes, perhaps ext3 is still better supported by other systems (if you ever need to rescue a stick/partition)?

I can’t think of a better way to protect your PC, if you think that the normal password protection in linux isn’t enough (and it is true that we regularly see (here in the forum, or elsewhere) advice on how to recover a lost root password).

Lenwolf

“else you might not be able to copy from one disk to the other.”

Sorry, I meant, else you might not be able to port the /boot partition simply from one USB stick to the other.

Lenwolf

> I can’t think of a better way to protect your PC

Hollywood would add a retinal scan…or biopsy/DNA match…

that ought’a keep the seven year olds out…for a few minutes…


palladium

Hi
If you can, consider a higher spec cpu if you’re looking at running vbox.
I’m running an ASUS 1000HE with Atom N280 cpu (1.66GHz 667MHz FSB HT)
and don’t think I would run virtualization on it (never tried…hmmmm).

What windows programs are they running, I would look at grabbing
crossover pro/game demos and testing to see if they can work, else it
already comes with XP home, any reason to run Pro?

You could also consider encryption of the data, since you’re not going to
use the main drive as such, consider getting a SATA SSD for the
operating system I’m happily testing 11.3M2 with an 8GB SSD for the OS
and an 8GB SDHC card for home (On a Toshiba Tecra M3 not netbook though)

There are so many different ways to deal with the netbook scenario with
respect to booting, the main problem with any system is if someone has
physical access there is not a lot you can do…


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.42-0.1-default
up 19 days 8:45, 4 users, load average: 0.05, 0.17, 0.17
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.53

BIOS password is possible on Gateway PC although gateway does not recommend it due to unresolved bug using it.
The Netbook comes with not a single scrap of paper. No Quick start, No charge Battery instructs, No nothing. My first experience with them. Charged it, Turned it on, fancy splash screen came and then windows XP started to boot.

> Of course you should make all 3 USB sticks bootable : have a look at Installation without CD - openSUSE

url noted, knew I saw it someplace here when I peeked to see if I could do a USB install. But then store offered me USB CD/DVDRW drive for only $20 (same price as 8GB flash) for buying all at once.

> Once that’s done, copying the /boot directory from one to the other shouldn’t be a problem. I would take care, though, that grub (in menu.lst) refers to all drives not by their “by id” names but by their numbering scheme (sda or whatever), else you might not be able to copy from one disk to the other.

Ok, if I read you right,

  • install putting Grub in mbr.
  • Insert/mount usb stick (one at a time) under media, partition and format stick, make dev/sdb1 bootable?
  • Copy /boot to /media/flash/boot
  • unmount the stick and do next stick
  • unmount the stick and do third stick
  • wipe /boot and make hard link to dev/sdb1
  • repeat install grub in mbr and last step on second PC

> As to the format of the partitions, anything goes, perhaps ext3 is still better supported by other system (if you ever need to rescue a stick/partition)?
>
> I can’t think of a better way to protect your PC, if you think that the normal password protection in linux isn’t enough (and it is true that we regularly see (here in the forum, or elsewhere) advice on how to recover a lost root password).
>
> Lenwolf

I recall somewhere there being a message that USB sticks must be formatted fat32 with size of =< 4GB per partition for an openSUSE iso install image and to make it bootable. Or was that just a method to do the install itself using a USB stick?

This is such overkill. Guess we’re all getting up there in years. I remember when kids wouldn’t dream of defying their parents. When No touching this meant No touching.

I know I am just doing a sort of deterrent here in hopes that the grandparents’ kids and their friends stay off the PC’s. The 7 year old grandchild is more grown up than her parent. At least she understands Linux, understands Windows, doesn’t download or chat and has never just clicked links to see what happens.

And if I had the resources, I would install bioplex_retina bootloader or dragonette’s fingerboot with appropriate devices to each PC. Too cost prohibitive at $400 plus per device.

I’m not sure either, I’m trying to help on my dime. Figured since virtualization worked on old A70 Laptop which isn’t as powerful as the Netbook with a n270 cpu and more hdd it should work.

> What windows programs are they running, I would look at grabbing
> crossover pro/game demos and testing to see if they can work, else it already comes with XP home, any reason to run Pro?

Most of the games I have seen the 7 year old use are things like a horse stable where the user must groom, feed, and put the horses through their paces. A hospital game where the user must greet patients and move them to beds, assign doctors, order meds, etc for points. A department store where user answers questions, directs customers to right sections, and take payments etc… These run under Linux and Windows through the Firefox browser. Windows only games I haven’t seen but I would presume they are quite mild too.

> You could also consider encryption of the data, since you’re not going to use the main drive as such, consider getting a SATA SSD for the operating system I’m happily testing 11.3M2 with an 8GB SSD for the OS and an 8GB SDHC card for home (On a Toshiba Tecra M3 not netbook though)

For now, the biggest problem is not the kids stealing or changing info but more the blatant downloading of infected stuff, turning off virus protection so they can visit sites or exchange stuff on chats that the virus protection denies them access to.

So to just keep them off the machines through deterrents seems a fair trade-off. I don’t think given their level of understanding they would have any idea how to work around a system that comes back “no boot device and stops”.

> There are so many different ways to deal with the netbook scenario with respect to booting, the main problem with any system is if someone has physical access there is not a lot you can do…



thanks …
btw I tried once more to give points to responders and couldn’t find anything but the “rate this thread”

I’m no longer sure I’d do it that way.
I’d do a “normal” install.
Then I’d make the USB stick bootable and try to have Grub on it.
Then I’d copy the /boot directory from the computer’s hard disk onto the USB stick.
Then I’d wipe (!) the MBR from the hard disk.

The scheme thus would be:

computer tries to boot.
If no USB stick in it, there is no MBR - computer fails to boot.
If USB stick is in, Grub loads and starts from the USB and then continues from the hard disk.

If their level of expertise is so low, wouldn’t a normal boot with different users protected by passwords be enough?

Was this really ever so? Perhaps today they are just more blatant about it?

Lenwolf

Your new scheme is fairly close except I need to make sure all three USB’s are identical and both PC’s must be identical too. If even 1 thing out of place in structure a PC or USB will fail.

> If their level of expertise is so low, wouldn’t a normal boot with different users protected by passwords be enough?
>
> Lenwolf

We tried passwords on bios … they got around it somehow (probably found password printed somewhere). We tried password by user and they just bypassed password opened dos prompt and deleted password file (remember before system had windows) and rebooted.

This was primary reason for choosing Linux with virtual guest of windows so that they can’t just bypass the password to gain access. The USB key came into play as a means to keep them off the system in the first place so they can’t just make blind password attempts to try and fluke their way in.

thanks

I wonder if some of the grub security features might be helpful? (not that I’ve ever resorted to any of these measures…)

GNU GRUB Manual 0.97

Then you could:

1 password protect the BIOS (to prevent arbitrary assignment of boot devices);
2 physically lock the case (to prevent battery removal and cmos resetting.)
3 password protect grub entries with md5 encrypted passwords.

You probably want to nail down access to single-user mode.

Passwords are more secure when they are not written down somewhere :wink:

Anyway, just a few quick thoughts. Good luck!

Paul

Hi
On the USB keys just use syslinux (dd the mbr data) to make them
bootable, then install grub but make it a customized one that will just
link to the grub on the main system via for example;


title Desktop -- openSUSE 11.3 M2
root (hd0,8)
configfile /boot/grub/menu.lst

So this way you can do a normal install on the system, boot/grub etc
then using fdisk make the boot partition inactive(?). Plug in the USB
and then boot from that.

Keeping one grub will make it easy for updates as the USB grub will
just be loading a config file.


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.3 Milestone 2 (i586) Kernel 2.6.33-rc7-3-desktop
up 14:49, 2 users, load average: 0.00, 0.03, 0.02
ASUS eeePC 1000HE ATOM N280 1.66GHz | GPU Mobile 945GM/GMS/GME

Yeah, I hear you. I seldom travel 300 miles to visit so as much as I want to see an end to problems with my nieces, I also want to make it as simple as possible to maintain. Guess I may be asking a lot but at least Linux is up to the challenge!!

UPDATE:
I have successfully made the video up to this point:

  1. Intro : Using Linux as an alternative to solve a problem
  2. Sneak preview: What you might see using Linux as your system instead of windows. Features the grub menu, selecting which OS you want to run, invoking verbose boot to see what is loading and where you might have a problem, openSUSE password screen (switching which desktop you want too)
  3. All is loaded and you have the KDE desktop in front of you.
  4. Problem: we have a PC which is only supposed to be touched by specific individuals but when no-one is looking others get at it and mess it up.
  5. Plan: Replace messed up computer with new one running Linux with windows being run virtually, and add a netbook portable PC also running Linux with windows run virtually. Invoke stronger security measures involving USB keys to prevent starting either PC without the keys.
  6. Stage 1: set-up pre-installed windows xp on netbook.
  7. Stage 2: make factory default and driver/app DVD’s for the netbook using an external DVDRW drive

I know I can use dd if=/dev/sda of=bootsect bs=512 count=1 to back up the mbr including the partition table to a file and restore it doing the reverse.

I can also change bs=512 to bs=446 to only backup the mbr bootcode or reverse the process to restore the bootcode.

  1. Can’t I just use YAST–>partitioning to create 2 partitions on each USB key (one for boot and one for data.) Install Linux normally to both the Netbook and Gateway PC. Then modify the keys once with an mbr and once with grub on USB boot partition? Then tweak each PC to use whichever key is inserted?

  2. you have special grub file with an entry root (hd0,8) so remembering back to my linuxld and lilo days you are telling grub to access the first harddisk and choose partition 8 as the root system then telling it where to find the grub menu.

?? syslinux by description seems to be a windows exe program. So I am assuming since I work primarily in Linux I would just dd if=/dev/hda of=/dev/sda bs=446 count=1 so that I copy the bootloader from the mbr to the USB (of course need to verify hda & sda to refer to correct drives). **wouldn’t want to change partition tables right!

Ok, just reread the last post and now a bit more confused. Seems I am mixing up the grub parts. If I copy the mbr boot sequence to the USB key to make the USB key active, that would require the partition table wouldn’t it? But then the Partition table would be for the hdd and thusly wouldn’t match custom partitions of a USB.

I wouldn’t be changing the menu.lst of the original install but I would be changing menu.lst on the USB key /boot partition therefore my system would be:
on Pc: hda1 = Linux root, hda2 = Linux swap, hda3 = Linux /home
mbr hda left alone but bios changed to boot from USBhdd
on USB: sda mbr = mbr (possible partition conflict), sda1 = /boot/grub, sda2 = data partition to be mounted at /mnt/data
** all 3 USB keys need to be identical except size of data partition

So if USB’s get lost or damaged one could switch bios back to hdd boot and all would be well. If USB used with bios set to USBhdd then bootcode on USB would look at USB /boot/grub read menu.lst which would then just transfer back to hda1/boot/grub/menu.lst to display menu and wait for selection.

fstab would then need to state automount USB /dev/sda2 to /mnt/data which would mount the usb data at the same point regardless of which USB key is used and a hardlink in each user home folder to /mnt/data would make the data visible for the defined user. If no USB automount would fail as would the hardlink. If USB used to boot system automount would succeed.
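The 446-byte versus 512-byte question raised in the post above, worked through on image files (an added example, not part of the original thread). The file names `hdd.img` and `usb.img`, the marker letters and the function names are assumptions made for the illustration; `count=1` limits each dd to the first block.

```shell
#!/bin/sh
# Added example. hdd.img and usb.img are constructed files standing in for the
# hard disk and a USB key; nothing here touches a real /dev node.
# MBR sector layout: bytes 0-445 boot code, 446-509 partition table,
# 510-511 boot signature (55 aa).

# make_image FILE CODE_CHAR TABLE_CHAR [EXTRA_BYTES]
# Builds a fake disk whose boot code and table are filled with marker letters.
make_image() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null | tr '\000' "$2"
        dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\000' "$3"
        printf '\125\252'
        if [ "${4:-0}" -gt 0 ]; then
            dd if=/dev/zero bs="$4" count=1 2>/dev/null | tr '\000' D
        fi
    } > "$1"
}

bootcode_sum() { dd if="$1" bs=446 count=1 2>/dev/null | cksum; }
table_sum()    { dd if="$1" bs=1 skip=446 count=64 2>/dev/null | cksum; }
signature()    { dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
size_of()      { echo $(( $(wc -c < "$1") )); }

# Whole first sector to a file. count=1 matters: without it dd reads the entire disk.
backup_mbr() { dd if="$1" of="$2" bs=512 count=1 2>/dev/null; }

# Boot code only. conv=notrunc stops dd truncating the target when it is a file.
copy_bootcode() { dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null; }

# Whole sector onto another disk: this also replaces the target's partition table.
copy_whole_sector() { dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null; }

demo() {
    d=$(mktemp -d) || return 1
    make_image "$d/hdd.img" G H          # G = boot code, H = hard disk's table
    make_image "$d/usb.img" Z U 1536     # U = the key's own table, D = its data
    backup_mbr "$d/usb.img" "$d/usb-mbr.bak"
    key_table=$(table_sum "$d/usb.img")

    copy_bootcode "$d/hdd.img" "$d/usb.img"
    [ "$(table_sum "$d/usb.img")" = "$key_table" ] && echo "bs=446: key keeps its own partition table"

    copy_whole_sector "$d/hdd.img" "$d/usb.img"
    [ "$(table_sum "$d/usb.img")" = "$key_table" ] || echo "bs=512: key now carries the hard disk's table"

    copy_whole_sector "$d/usb-mbr.bak" "$d/usb.img"
    [ "$(table_sum "$d/usb.img")" = "$key_table" ] && echo "restore from backup: key's table is back"
    rm -rf "$d"
}
demo
```

Taking the 512-byte backup of each key before writing boot code to it gives a way back if the wrong block size is used.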

Hi
If you install syslinux, you can dd across /usr/share/syslinux/mbr.bin
which contains the mbr code.

I think we’re on the same track now :wink:

Now, if the 160GB drive isn’t going to be used I would short-stroke it
as you can always resize at a later date, eg;

sda1 - windows (20GB?)
sda2 - extended
sda5 - /boot (80~100MB)
sda6 - / (20GB)
sda7 - swap (2xRAM)

Leave the balance of the drive unpartitioned. If you need to expand,
you can boot into rescue mode, delete swap and expand sda6 as required
and remake a new swap partition. It will help improve performance if
it’s not being all used.

You could also look at softlinking to an fstab file on the USB key if
mounting the different drives becomes an issue.

So basically they will get two grub screens, you can overcome this by
adding the hidden option to the usb key menu.lst and set the time out
to 0, then they should only see the one grub.


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.42-0.1-default
up 21:04, 3 users, load average: 0.00, 0.08, 0.11
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.53

malcolmlewis wrote:

> Hi
> If you install syslinux, you can dd across /usr/share/syslinux/mbr.bin
> which contains the mbr code.

Just read up on syslinux and it states syslinux should be avoided because opensuse uses gfxboot which is not supported. Also instructions indicate it is run from windoze! I don’t know how to use syslinux and definitely don’t want to use windoze to do anything especially something as serious as OS configuration.

“To use syslinux boot into your windows system and download/install syslinux. Start the syslinux program with the desired source and destination points and your done” It does not state the source by example nor the destination, I take it that it would be run as syslinux %1 %2 where clicking the link would prompt for each of %1 and %2?? but who knows?

> I think we’re on the same track now :wink:
>
> Now, if the 160GB drive isn’t going to be used I would short-stroke it
> as you can always resize at a later date, eg;
>
> sda1 - windows (20GB?)
> sda2 - extended
> sda5 - /boot (80~100MB)
> sda6 - / (20GB)
> sda7 - swap (2xRAM)
>
> Leave the balance of the drive unpartitioned. If you need to expand, you can boot into rescue mode, delete swap and expand sda6 as required and remake a new swap partition. It will help improve performance if it’s not being all used.

Windows at 20GB would be fine as opposed to a virtualbox windows
extended , /boot , / also would be fine I would just add /home as rest of drive after the swap

if using dual boot, shared drive is needed besides the /home otherwise if virtual windows /home will suffice.

> You could also look at softlinking to an fstab file on the USB key if mounting the different drives becomes an issue.
>
> So basically they will get two grub screens, you can overcome this by adding the hidden option to the usb key menu.lst and set the time out to 0, then they should only see the one grub.



using /mnt/data common for all 3 keys in the fstab should work without need to softlink to some fstab file that at present I don’t know how to multiplex.

I need to read up on grub more, so far I have 5 different explanations 2 refer to GRUB and 3 refer to GRUB2 none say which GRUBx openSUSE 11.2 32bit use and the explanations contradict each other. eg. one says to manually edit menu.lst then use grub install to implement the other says use grub -edit |grub -install to modify and install the grub.

googled grub +openSUSE 11.2 returns lots of useless links having nothing to do with use of grub in opensuse.

I’ll check man -k7 grub to see if there is something already on my system to explain…

Ok I have an update:
Was checking around for good grub documentation when I came across a show stopper with my intended method of using virtualbox to run windows on the Netbook. The Netbook has 1GB expandable to 2GB. Local shops don’t have the required mem to increase ram and Windows XP in Virtualbox will need more than 512mb and Linux will need also more than 512mb to run effectively.

Looks like I am looking to Dual boot now so memory constraints don’t kill me. I therefore need to look into grub lock and grub password to prevent booting into windows.

Now if I prepare windows, install Linux, create the USB keys, make each key bootable, change the bios to boot from USBhdd, use yast to make hdd non-bootable, this will allow Linux and windows to function from the usb. If/When windows craps out I will need to use Linux to reset the hdd as bootable, re-install windows (destroys grub in mbr), change bios back to usbhdd boot, which will restore both windows and Linux right??

thanks for all the help so far. Seems my tired old mind is showing itself, I used to be able to figure this stuff out about 10 years ago … so many thanks for guidance.
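A check for the GRUB legacy (0.97) `password` and `lock` directives that come up in this post and in the earlier suggestion to password protect grub entries, as an added example that is not part of the original thread. The two menu.lst samples, their device names and the hash string are constructed placeholders, and `audit_menu` and `write_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy (0.97) menu.lst for the password and lock
# directives. A global "password" line blocks editing entries at the menu;
# "lock" (or a per-entry "password") makes one entry ask for the password.

# audit_menu FILE: prints one finding per line, nothing when no finding applies.
audit_menu() {
    awk '
        function report() { if (in_entry && !locked) print "boots without password: " name }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        $1 == "title" {
            report(); in_entry = 1; locked = 0
            name = $0; sub(/^[ \t]*title[ \t]+/, "", name); next
        }
        $1 == "password" && !in_entry {
            global_pw = 1
            if ($2 != "--md5") print "global password stored in clear text"
        }
        in_entry && ($1 == "lock" || $1 == "password") { locked = 1 }
        END {
            report()
            if (!global_pw) print "no global password: entries can be edited at the menu"
        }
    ' "$1"
}

# write_sample KIND FILE: writes a constructed menu.lst ("weak" or "hardened").
write_sample() {
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
default 0
timeout 8
title openSUSE 11.2
    root (hd0,1)
    kernel /boot/vmlinuz root=/dev/sda2
title Windows XP
    rootnoverify (hd0,0)
    chainloader +1
EOF
    else
        cat > "$2" <<'EOF'
default 0
timeout 8
# placeholder hash, constructed for this example; a real one comes from grub-md5-crypt
password --md5 $1$PLACEHOLDER$NotARealHashValue
title openSUSE 11.2
    root (hd0,1)
    kernel /boot/vmlinuz root=/dev/sda2
title Windows XP
    lock
    rootnoverify (hd0,0)
    chainloader +1
EOF
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    for kind in weak hardened; do
        write_sample "$kind" "$d/$kind.lst"
        echo "== $kind menu.lst"
        audit_menu "$d/$kind.lst"
    done
    rm -rf "$d"
}
demo
```

In the hardened sample the Linux entry still boots without a prompt, but the global password stops anyone editing its kernel line at the menu, and the Windows entry asks for the password.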

Hi
I bought my netbook via amazon as well as a 2GB RAM stick… :wink:

I have a 1GB SDHC card and made a minimal system along with necessary
tools with SUSE Studio, if any thing goes haywire I can use that…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.3 Milestone 2 (i586) Kernel 2.6.33-rc7-3-desktop
up 1 day 20:48, 2 users, load average: 0.34, 0.15, 0.04
ASUS eeePC 1000HE ATOM N280 1.66GHz | GPU Mobile 945GM/GMS/GME

What about supergrubse I have been hearing about? Doesn’t it CD boot to fix windows/Linux boot issues?

Hi
I just basically copied the openSUSE DVD rescue system with a few
extras as I’m happy to work from the command line :wink:

There are so many these days, that’s the beauty of SUSE Studio, you can
make your own with minimal fuss, plus I wanted it on SDHC for the
netbook to save dragging out the DVD drive…


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.42-0.1-default
up 3:49, 3 users, load average: 0.09, 0.19, 0.28
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.53