
EasyOS booting up totally in RAM

August 17, 2019 — BarryK

This is a very exciting development. It has been hanging around in the background of my mind for some time, and is finally seeing fruition.

On the forum there has been some discussion about why some users prefer to boot from optical media. Apart from "old habits die hard", there is a perceived security advantage. Quirky had the ability to boot from CD/DVD and copy the last session from file to RAM, so that we are running totally in RAM. Even 'easy.sfs' is copied to RAM, so no drive partitions are mounted, and the CD can be removed if wanted.

I have used the word "perceived" above, as a determined intruder will not have much difficulty getting into the rest of the computer. Quirky had a "save" button on the desktop, which wrote the session to a file on the hard drive. Well, an intruder could also mount any partition and read and write anything.

The container implementation in Easy is a help, as an intruder would have to break out of it, which is possible but very difficult.

I know that some users of Easy are not keen on using the containers. They would prefer to do everything on the main desktop. One reason is that there is a speed penalty in a container, and some things do not work, or may be troublesome -- Internet access for example.

This preamble is leading up to what I have implemented today...

There is a new entry in the boot menu, "Copy session to RAM & disable drives".

This does exactly what it says. The last session, when you did a normal bootup, is copied to RAM, compressed zram actually, as is 'easy.sfs', and when the switch_root occurs, the Linux Capability to mount and unmount partitions is dropped.

You are then on a desktop that is "contained", without containers. In fact, all container functionality is removed, as it requires mount capability. Everything works as normal, except that you cannot access any partitions.

One thing that I immediately observed: it is very fast. My PC has 16GB RAM, and you would probably need 4GB for this to work well. There is no latency as when accessing a drive. Really nice.

So what is the downside? Well, you can't save anything. This of course is a security feature: if you can't save anything, then neither can an intruder.

The way you would use this "Copy session to RAM & disable drives" option is to do a normal bootup first, to set up the Internet connection, etc. Then when you reboot and choose this option, all of the previous session will be copied to RAM and you are good-to-go.

I see this as great when I just want to surf the web, and not risk any contamination of my PC. However, there may be times when I would like to download a file and save it. There are various ways to do this, one of which is to pre-mount a partition in the initrd -- this would be a partition that serves no other purpose than a transfer place for files. The next step is I will consider how to implement saving of files.

This new feature kills off the last justification for booting from an ISO file. Well, almost... so far, I have only dropped the Linux Capability to mount and unmount partitions, but partitions can still be accessed by 'dd' -- I plan to look at dropping some more Capabilities to take care of this too.

EDIT 2019-08-18:
The latest iteration only drops 'cap_mknod' at switch_root, and deletes all drive nodes in /dev. As far as I can determine, the only way to get drive nodes back is to physically plug in a drive. For example, unplug then replug the USB-stick that was booted from. Then new device nodes will appear -- if the USB-stick had been 'sdb' at bootup, that would be unavailable, but after replugging, new nodes, say 'sdc', 'sdc1', 'sdc2', would be created, and the partitions can be mounted.

So far, I haven't found any security weakness in this. It has a great advantage: as we have kept mounting rights, we can simply replug the USB-stick and then mount it if we want to save something. We could even save the session; however, I might leave that out for now and let the "dust settle". I might just release Easy Buster 2.1, then play with this new feature and get feedback on what other features would be useful.
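The state described in the edit above (cap_mknod dropped, drive nodes deleted, mounting rights kept) can be checked from a shell. This is an added example, not code from EasyOS; the function names, the zram exclusion and the sample capability masks are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "cap_mknod dropped, drive nodes deleted" state.
# Bit numbers are from <linux/capability.h>.
CAP_SYS_ADMIN=21   # needed for mount(2)/umount(2)
CAP_MKNOD=27       # needed to create block/char device nodes

# cap_field STATUS_FILE NAME -> hex mask of CapEff, CapBnd, ...
cap_field() { awk -v f="$2:" '$1 == f { print $2 }' "$1"; }

# has_cap HEXMASK BIT -> succeeds if that capability bit is set
has_cap() { [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]; }

# block_nodes DIR -> block device nodes under DIR. zram nodes are skipped on
# the assumption that they back the RAM session and are not drives.
block_nodes() { find "$1" -type b ! -name 'zram*' 2>/dev/null; }

# audit STATUS_FILE DEVDIR -> one line per finding; succeeds only if no gap
audit() {
    gaps=0
    for field in CapEff CapBnd; do
        mask=$(cap_field "$1" "$field")
        if has_cap "$mask" "$CAP_MKNOD"; then
            echo "GAP: cap_mknod set in $field: drive nodes can be recreated"
            gaps=$((gaps + 1))
        fi
    done
    nodes=$(block_nodes "$2")
    if [ -n "$nodes" ]; then
        echo "GAP: drive nodes present, raw reads/writes (dd) possible:"
        echo "$nodes"
        gaps=$((gaps + 1))
    fi
    if has_cap "$(cap_field "$1" CapEff)" "$CAP_SYS_ADMIN"; then
        echo "NOTE: mount rights kept, a replugged drive can be mounted"
    fi
    [ "$gaps" -eq 0 ]
}

# Constructed sample: a root shell with every capability except cap_mknod,
# audited against an empty directory standing in for a cleaned /dev.
demo() {
    d=$(mktemp -d)
    printf 'CapEff:\t0000003ff7ffffff\nCapBnd:\t0000003ff7ffffff\n' > "$d/status"
    mkdir "$d/dev"
    audit "$d/status" "$d/dev"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "RESULT: no cap_mknod and no drive nodes"
```

On a running system the same check is `audit /proc/self/status /dev`; both CapEff and CapBnd are examined because a capability missing from the bounding set can still be held by an already-running process.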

Tags: easy