Earlier I blogged about being too (little) paranoid.
One of the comments was about my unencrypted /boot on my hard drive. So I did something about it. Daniel Baumann told me some stuff at DebConf about how to make bootable CDs with grub – so I had to try to move my /boot to a CD-ROM instead.
A quick and dirty howto:
mkdir -p builddir/foo
cp -r /boot builddir/foo
# genisoimage is given the relative directory "foo", so run it from inside builddir
cd builddir
genisoimage -no-emul-boot -boot-load-size 4 -boot-info-table -r -b boot/grub/stage2_eltorito -o boot.iso foo
And now you are not yet up and running. It looks like it, but you have to adapt boot/grub/menu.lst to make it boot from CD.
First issue: boot fails with an “Error 29: Disk Write Error” – I wondered a bit and asked around for help and wondered a bit more why grub wanted to write to my hard drives in order to boot … finally solved it with help from the Super Grub Disk Page – it was the savedefault point of all my kernels. Removing that made it boot. So time to remove /boot and trust my CD.
Which was a wrong decision.
All my kernels had root=(hd0,0) so it kind of didn’t work. Changing this to root=(cd) did it – and removing (hd0,0) from my splashimage was also a bit necessary.
So after this, rebuild the cd again with the genisoimage command mentioned above and now I am up and running completely.
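The three menu.lst changes described above (drop savedefault, point root at the CD, strip (hd0,0) from splashimage), collected into one filter as an added example that is not part of the original post. The function names and the sample menu.lst are constructed for illustration; run the filter on builddir/foo/boot/grub/menu.lst before rebuilding the ISO.

```shell
#!/bin/sh
# Added example (not from the original post): adapt a GRUB legacy menu.lst
# for booting from the CD. All function names here are hypothetical.

# Reads menu.lst on stdin, writes the adapted file on stdout.
adapt_menu_lst() {
    # 1. drop active "savedefault" lines (GRUB cannot write to a CD-ROM,
    #    which is what triggers "Error 29: Disk Write Error")
    # 2. point "root" at the CD instead of the first hard disk partition
    # 3. strip the (hd0,0) device prefix from the splashimage path
    # Commented-out lines and the kernel's own root= argument are left alone.
    sed -e '/^[[:space:]]*savedefault/d' \
        -e 's/^\([[:space:]]*root[[:space:]=]*\)(hd0,0)/\1(cd)/' \
        -e 's/^\([[:space:]]*splashimage[[:space:]=]*\)(hd0,0)/\1/'
}

# Prints the number of active (uncommented) lines that still name a hard disk.
count_hd_refs() {
    grep -v '^[[:space:]]*#' | grep -c '(hd[0-9]' || true
}

# Constructed sample input; kernel and initrd names are made up.
sample_menu_lst() {
    cat <<'EOF'
default 0
timeout 5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
# savedefault=false

title Sample kernel (constructed entry)
root (hd0,0)
kernel /boot/vmlinuz-sample root=/dev/mapper/vg-root ro
initrd /boot/initrd.img-sample
savedefault
EOF
}

sample_menu_lst | adapt_menu_lst
echo "hard disk references left: $(sample_menu_lst | adapt_menu_lst | count_hd_refs)"
```

A non-zero count from count_hd_refs means some entry still depends on the hard disk and the CD cannot boot that entry on its own.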
And I of course have secretly marked the cd so evil people can’t replace it without me noticing it.
So what’s the next step in my tinfoil covered world? SELinux? Something else? I guess you know how to make comments. Feel free.