There is a feature which gets in the way here:
It’s a puzzle. For live mode, we don’t want that feature. Can it be disabled?
If you can find a way to disable it, I’ll think about how to do this by default (in live mode). It looks like it’s not possible but please search more.
It’s related to the superblock.
- Mount time
It’s a puzzle because there are many ways in theory to solve it. Either by disabling recording of mount time. The only suggestion I found so far is “mount as read-only”. Another piece of the puzzle.
What options exist to mount /boot as read only?
grep boot /etc/fstab
# /boot was on /dev/sda1 during installation
UUID=redacted /boot ext2 defaults 0 2
You could try to configure mounting /boot as read only in /etc/fstab. You might want to experiment doing that in a VM unless you would be able to undo this using Recovery Mode if that renders the system unbootable.
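As an added example (not from this thread or from Whonix), here is a small POSIX shell helper that rewrites the options column of the /boot entry in fstab-style text so the filesystem is mounted read-only, which keeps ext2 from updating the superblock's last-mount fields. The sample fstab text is constructed to match the format quoted above; the function only transforms text on stdin and never touches the real /etc/fstab, so it can be tried safely before editing the file in a VM as suggested.

```shell
#!/bin/sh
# Added example, not code from the thread. Adds "ro" to the mount options
# (4th column) of one mount point in fstab-formatted text read from stdin.
# Assumes the six-column layout: <source> <mountpoint> <type> <options> <dump> <pass>.

# Constructed sample resembling the fstab excerpt quoted in the thread.
SAMPLE_FSTAB='# /boot was on /dev/sda1 during installation
UUID=redacted /boot ext2 defaults 0 2
UUID=other / ext4 errors=remount-ro 0 1'

# add_ro_option <mountpoint>: print stdin with "ro" appended to that entry's
# options. Comments, blank lines and other entries pass through unchanged,
# and an entry that already carries "ro" is left alone (idempotent).
add_ro_option() {
    mountpoint="$1"
    awk -v mp="$mountpoint" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $2 == mp {
            n = split($4, opts, ",")
            has_ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") has_ro = 1
            if (!has_ro) $4 = $4 ",ro"
        }
        { print }
    ' OFS="\t"
}

# boot_is_readonly <mountpoint>: check the live mount table rather than fstab.
# Exits 0 when the mounted filesystem carries the "ro" option.
boot_is_readonly() {
    findmnt -no OPTIONS "$1" | tr ',' '\n' | grep -qx ro
}

# Demonstration on the constructed sample (prints the rewritten table).
printf '%s\n' "$SAMPLE_FSTAB" | add_ro_option /boot
```

After the fstab change takes effect, `boot_is_readonly /boot` reports whether the running system actually has /boot mounted read-only; a package upgrade that needs to write a new kernel would then require a temporary `mount -o remount,rw /boot`, which is the operational cost of this hardening.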
In another quest for more secure mount options in (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? we haven’t implemented a good way yet as a Linux distribution on how to change mount options. Would help if /etc/fstab.d · Issue #12506 · systemd/systemd · GitHub was implemented.
So until (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? is resolved which would change boot options permanently, I don’t think I’ll figure out how to change boot options dynamically, i.e. enable read-only for /boot when booting into live mode unless anyone contributes.
More puzzle pieces: How does the boot process work generally? Who/what mounts /boot? Initramfs? Where is the source code for that? I cannot easily find that out.
Maybe if Whonix changed to dracut (replacing initramfs-tools with dracut) mount related features ((re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? and mount /boot as read-only in live mode) would be easier to implement.
dracut’s man page mentions /boot. Maybe, hopefully dracut’s interface (config, modules) are flexible enough to implement this.
Roadmap:
- replacing initramfs-tools with dracut - #6 by HulaHoop
- (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?
- mount /boot as read-only in live mode
It’s a matter of empathy. Successful communication. Trying to estimate what the reader will think.
“Hi upstream, can you please do same as grub-live but better?”
“Hi upstream, can you please do same as [something you’ve never ever heard before] but better?”
“Hi upstream, can you please do same as [a package with 16 files of which 3 are important] but better?”
“Hi upstream, can you please do same as [1700 lines of code in total package] but better?”
…that might end up with “lost at hello”.
The hope is, that upstream that provides “99%” of the functionality would be able to implement a feature request that would implement the “1%” functionality that grub-live is implementing, but better, with /boot mounted as read-only. Short of implementing it yourself, a well written feature request is your best chance.
For live mode / same hash of disk: doesn’t help.
Encrypted /boot generally: I don’t think I could provide a better answer than what is available on search engines for search term “encrypted /boot”.