Skip to content

4. Rescue System

Info

A feature request has been opened to have SystemRescue support "measured boot".

While we are still on SystemRescue and not within chroot, download the SystemRescue .iso file and create a customised one out of it.

4.1. Downloads And Verification

Prepare the working directory:

mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
chown meh:meh /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
echo -e "\e[1;32mSUCCESS\e[0m"

Import the GnuPG public key used to sign the SystemRescue .iso:

su -l meh -c "
mkdir --mode=0700 /tmp/gpgHomeDir && \
curl -fsSL --proto '=https' --tlsv1.3 https://www.system-rescue.org/security/signing-keys/gnupg-pubkey-fdupoux-20210704-v001.pem | gpg --homedir /tmp/gpgHomeDir --import && \
gpg --homedir /tmp/gpgHomeDir --import-ownertrust <<<'62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9:6:' && \
gpgconf --homedir /tmp/gpgHomeDir --kill all && \
echo -e '\e[1;32mSUCCESS\e[0m'
"

Download the .iso and .asc files:

rescue_system_version="$(su -l meh -c "curl -fsS --proto '=https' --tlsv1.3 https://gitlab.com/systemrescue/systemrescue-sources/-/raw/main/VERSION")" && \
su -l meh -c "
curl --continue-at - -L --proto '=https' --tlsv1.2 --ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20' --output /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso \"https://fastly-cdn.system-rescue.org/releases/${rescue_system_version}/systemrescue-${rescue_system_version}-amd64.iso\" && \
curl -fsSL --proto '=https' --tlsv1.3 --output /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso.asc \"https://www.system-rescue.org/releases/${rescue_system_version}/systemrescue-${rescue_system_version}-amd64.iso.asc\" && \
echo -e '\e[1;32mSUCCESS\e[0m'
"

Verify the .iso file with GnuPG:

su -l meh -c '
    gpg_status="$(gpg --homedir /tmp/gpgHomeDir --batch --status-fd 1 --verify /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso.asc /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso 2>/dev/null)" && \
    gpgconf --homedir /tmp/gpgHomeDir --kill all && \
    grep -E -q "^\[GNUPG:\][[:space:]]+GOODSIG[[:space:]]+" <<< "${gpg_status}" && \
    grep -E -q "^\[GNUPG:\][[:space:]]+VALIDSIG[[:space:]]+" <<< "${gpg_status}" && \
    grep -E -q "^\[GNUPG:\][[:space:]]+TRUST_ULTIMATE[[:space:]]+" <<< "${gpg_status}" && \
    echo -e "\e[1;32mSUCCESS\e[0m"
' && \
chown -R 0:0 /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
echo -e "\e[1;32mSUCCESS\e[0m"

4.2. Configuration

Create the folder structure which will contain SystemRescue customisations:

mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/{recipe/{iso_delete,iso_add/{autorun,sysresccd,sysrescue.d},iso_patch_and_script,build_into_srm/{etc/sysctl.d,usr/local/sbin}},work} && \
echo -e "\e[1;32mSUCCESS\e[0m"

Disable "magic SysRq" for security sake:

echo "kernel.sysrq = 0" > /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/sysctl.d/99sysrq.conf && \
echo -e "\e[1;32mSUCCESS\e[0m"

Copy chroot.sh created by disk.sh:

rsync -av --numeric-ids --chown=0:0 --chmod=u=rwx,go=r /tmp/chroot.sh /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/usr/local/sbin/ && \
echo -e "\e[1;32mSUCCESS\e[0m"

Copy the firewall script:

# set firewall rules upon bootup.
rsync -av --numeric-ids --chown=0:0 --chmod=u=rw,go=r /tmp/firewall.sh /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/autorun/autorun && \
echo -e "\e[1;32mSUCCESS\e[0m"

Create the settings YAML (copy&paste one command after the other):

# set the password you want to use to login via TTY on the rescue system
crypt_pass="$(openssl passwd -6)"

# set default settings
echo "\
---
global:
    copytoram: true
    checksum: true
    nofirewall: true
    loadsrm: true
    setkmap: de-latin1-nodeadkeys
    dostartx: false
    dovnc: false
    rootshell: /bin/bash
    rootcryptpass: '${crypt_pass}'

autorun:
    ar_disable: false
    ar_nowait: true
    ar_nodel: false
    ar_ignorefail: false\
" > /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/sysrescue.d/500-settings.yaml

# unset the password variable
unset crypt_pass

Integrate additional packages required for chroot.sh to work:

pacman -Sy clevis efitools libpwquality luksmeta sbctl sbsigntools tpm2-tools && \
cowpacman2srm /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/sysresccd/zz_additional_packages.srm && \
echo -e "\e[1;32mSUCCESS\e[0m"

4.3 (Optional) SSH Server

Info

This section is only required if you want to access the rescue system over SSH.

Take care of public key authentication (copy&paste one command after the other):

mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh

# add your ssh public keys to
# /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh/authorized_keys

# set correct modes
chmod u=rwx,g=rx,o= /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root
chmod -R u=rwX,go= /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh

Configure the SSH server:

mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh && \

rsync -a /etc/ssh/sshd_config /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \

# do some ssh server hardening
sed -i \
-e 's/^#Port 22$/Port 50023/' \
-e 's/^#X11Forwarding no$/X11Forwarding no/' /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \

echo "
AuthenticationMethods publickey" >> /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \

# create ssh_host_* files in build_into_srm/etc/ssh/
ssh-keygen -A -f /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm && \

{ diff /etc/ssh/sshd_config /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config || true; } && \
echo -e "\e[1;32mSUCCESS\e[0m"

Open the SSH port:

echo "
iptables  -A INPUT -p tcp --dport 50023 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 50023 -j ACCEPT" >> /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/autorun/autorun

Write down fingerprints to double check upon initial SSH connection to the rescue system:

find /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/ -type f -name "ssh_host*\.pub" -exec ssh-keygen -vlf {} \; && \
echo -e "\e[1;32mSUCCESS\e[0m"

4.4. Folder Structure

After running through above installation steps, you should have the following file/folder structure:

 tree -a /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
/mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
├── build_into_srm
│   ├── etc
│      ├── ssh
│         ├── sshd_config
│         ├── ssh_host_ecdsa_key
│         ├── ssh_host_ecdsa_key.pub
│         ├── ssh_host_ed25519_key
│         ├── ssh_host_ed25519_key.pub
│         ├── ssh_host_rsa_key
│         └── ssh_host_rsa_key.pub
│      └── sysctl.d
│          └── 99sysrq.conf
│   ├── root
│      └── .ssh
│          └── authorized_keys
│   └── usr
│       └── local           └── sbin
│               └── chroot.sh
├── iso_add
│   ├── autorun
│      └── autorun
│   ├── sysresccd
│      └── zz_additional_packages.srm
│   └── sysrescue.d
│       └── 500-settings.yaml
├── iso_delete
└── iso_patch_and_script

16 directories, 13 files
 tree -a /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
/mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
├── build_into_srm
│   ├── etc
│      └── sysctl.d
│          └── 99sysrq.conf
│   └── usr
│       └── local           └── sbin
│               └── chroot.sh
├── iso_add
│   ├── autorun
│      └── autorun
│   ├── sysresccd
│      └── zz_additional_packages.srm
│   └── sysrescue.d
│       └── 500-settings.yaml
├── iso_delete
└── iso_patch_and_script

13 directories, 5 files

4.5. ISO And Rescue Partition

Create an installation medium with above changes:

sysrescue-customize \
    --auto --overwrite \
    -s /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso \
    -d /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue_custom.iso \
    -r /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe \
    -w /mnt/gentoo/etc/gentoo-installation/systemrescuecd/work && \
echo -e "\e[1;32mSUCCESS\e[0m"

Copy the content of the custom installation medium to the "rescue" partition:

mkdir /mnt/iso /mnt/gentoo/mnt/rescue && \
mount -o loop,ro /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue_custom.iso /mnt/iso && \
mount -o noatime /mnt/gentoo/mapperRescue /mnt/gentoo/mnt/rescue && \
rsync -HAXSacv --delete /mnt/iso/{autorun,sysresccd,sysrescue.d} /mnt/gentoo/mnt/rescue/ && \
umount /mnt/iso && \
echo -e "\e[1;32mSUCCESS\e[0m"

4.6. Kernel Installation

Create the unified kernel image which will be used to boot the rescue system:

echo "cryptdevice=UUID=$(blkid -s UUID -o value /mnt/gentoo/devRescue):root root=/dev/mapper/root archisobasedir=sysresccd archisolabel=rescue31415fs noautologin loadsrm=y" > /tmp/my_cmdline && \
objcopy \
  --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="/tmp/my_cmdline" --change-section-vma .cmdline=0x30000 \
  --add-section .linux="/mnt/gentoo/mnt/rescue/sysresccd/boot/x86_64/vmlinuz" --change-section-vma .linux=0x2000000 \
  --add-section .initrd="/mnt/gentoo/mnt/rescue/sysresccd/boot/x86_64/sysresccd.img" --change-section-vma .initrd=0x3000000 \
  "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/tmp/systemrescuecd.efi" && \
while read -r my_esp; do
  mkdir "${my_esp/devE/boot\/e}" && \
  mount -o noatime,dmask=0022,fmask=0133 "${my_esp}" "${my_esp/devE/boot\/e}" && \
  rsync -av "/tmp/systemrescuecd.efi" "${my_esp/devE/boot\/e}/" && \
  echo -e "\e[1;32mSUCCESS\e[0m"
done < <(find /mnt/gentoo/devEfi* -maxdepth 0)