UEFI + BIOS bootable live Debian stretch/buster/bullseye amd64 with persistence

Question

All of the information I currently find on this matter is insufficient for my taste. It is either outdated, misleading or even wrong, seems overly complicated or not covering this specific question.

Goals:

• bootable USB drive (both UEFI and legacy BIOS supported)
• (based on) live Debian 9 (stretch), or buster or bullseye
• persistence (by default and for both UEFI and legacy BIOS)
• German keyboard layout per default
• fit for troubleshooting other GNU/Linux systems

Reasons:

• having to setup the keyboard layout on every use is a real headache
• cryptsetup and efibootmgr are missing in the default Debian live images
• gnome-terminal has this annoying white background per default

No solutions:

• (re)building custom debian live image (it seems tedious, although I did not try it yet)
• unetbootin (asks for an unknown password when starting up on debian stretch and I think it does not support UEFI anyways)
• some foreign automated process where I don't see what is happening

Debian live and install images are isohybrid and can be conveniently written to block devices using dd. And they do work from USB drives like that, which is very nice! However, there will be no persistence and no way to start with a non-english keyboard layout per default without editing the grub and isolinux config, which is included in the very read-only ISO9660 filesystem of the live ISO image. So even after writing the live ISO to a USB drive, these parameters still cannot be changed.

Answer 1

Note that the following stopped working for Debian bookworm (reasons below).

Here is a way to create a Debian live USB drive with persistence. It will allow to install the missing packages which will from then on be available on every live boot using the persistence. Because we re-create the live ISO image filesystem contents on a read-write capable filesystem, we can change the bootloader configurations to enable persistence and set the keyboard layout on boot.

The steps described here were tested to work on Debian stretch and buster and bullseye to create a Debian stretch live image.

There are a lot of steps involved, but it seems that this method is still quite efficient.

Disclaimer: You will lose the data on the target USB drive and if you mess up the commands below you might feel very sorry afterwards. I am not responsible for your actions.

Feeling lucky

If you feel particularly lucky today, you can try a bash script automating the process for you. Give it your ISO image path as first parameter and the USB drive block device name as the second. Note that this script is insanely dangerous and that you should not execute it without reading and understanding it first.

TL;DR

Get Debian live ISO image, install packages (apt install syslinux parted), then do the following:

umount /dev/sdX*
parted /dev/sdX --script mktable gpt
parted /dev/sdX --script mkpart EFI fat16 1MiB 10MiB
parted /dev/sdX --script mkpart live fat16 10MiB 4GiB
parted /dev/sdX --script mkpart persistence ext4 4GiB 100%
parted /dev/sdX --script set 1 msftdata on
parted /dev/sdX --script set 2 legacy_boot on
parted /dev/sdX --script set 2 msftdata on

mkfs.vfat -n EFI /dev/sdX1
mkfs.vfat -n LIVE /dev/sdX2
mkfs.ext4 -F -L persistence /dev/sdX3

mkdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
mount /dev/sdX1 /tmp/usb-efi
mount /dev/sdX2 /tmp/usb-live
mount /dev/sdX3 /tmp/usb-persistence
mount -oro live.iso /tmp/live-iso

cp -ar /tmp/live-iso/* /tmp/usb-live

echo "/ union" > /tmp/usb-persistence/persistence.conf

grub-install --no-uefi-secure-boot --removable --target=x86_64-efi --boot-directory=/tmp/usb-live/boot/ --efi-directory=/tmp/usb-efi /dev/sdX

dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/gptmbr.bin of=/dev/sdX
syslinux --install /dev/sdX2

mv /tmp/usb-live/isolinux /tmp/usb-live/syslinux
mv /tmp/usb-live/syslinux/isolinux.bin /tmp/usb-live/syslinux/syslinux.bin
mv /tmp/usb-live/syslinux/isolinux.cfg /tmp/usb-live/syslinux/syslinux.cfg

sed --in-place 's#isolinux/splash#syslinux/splash#' /tmp/usb-live/boot/grub/grub.cfg

sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 persistence/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg

sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 keyboard-layouts=de locales=en_US.UTF-8,de_DE.UTF-8/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg

umount /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
rmdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso

In Detail and with some explanation

You will need to execute most of the following commands with elevated privileges, i.e., using sudo on most GNU/Linux systems.

Download

Download a Debian live ISO image with the window manager of your choice:

https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

We'll refer to the downloaded ISO image simply as "live.iso".

Determine target drive

Find the device that is your USB drive using lsblk. We'll call that /dev/sdX.

Unmount

Unmount existing partitions on your drive using umount /dev/sdX*

Create partitions

We need an EFI boot partition for UEFI PCs to boot from the USB drive. Then we need a sufficiently large partition to hold the original live ISO filesystem image contents. That partition must have the legacy_boot flag set. Then we add the persistence partition, using up all the remaining space of the USB drive. You can do that with any GPT capable partitioning tool (mind the legacy_boot flag). Here is an example using parted:

parted /dev/sdX --script mktable gpt
parted /dev/sdX --script mkpart EFI fat16 1MiB 10MiB
parted /dev/sdX --script mkpart live fat16 10MiB 4GiB
parted /dev/sdX --script mkpart persistence ext4 4GiB 100%
parted /dev/sdX --script set 1 msftdata on
parted /dev/sdX --script set 2 legacy_boot on
parted /dev/sdX --script set 2 msftdata on

This creates a GPT partition table and a protective MBR partition table.

Create Filesystems

We want FAT on the EFI and live partition and we want ext4 on the persistence parition and we require the label persistence for the persistence feature to work.

mkfs.vfat -n EFI /dev/sdX1
mkfs.vfat -n LIVE /dev/sdX2
mkfs.ext4 -F -L persistence /dev/sdX3

Mounting the resources

We'll need to mount the source ISO and target partitions at temporary mount points.

mkdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
mount /dev/sdX1 /tmp/usb-efi
mount /dev/sdX2 /tmp/usb-live
mount /dev/sdX3 /tmp/usb-persistence
mount -oro live.iso /tmp/live-iso

Install live system

Copy the live ISO filesystem content to the LIVE partition.

cp -ar /tmp/live-iso/* /tmp/usb-live

persistence.conf

Prepare the persistence filesystem with the required configuration file. The persistence feature will not work without this file.

echo "/ union" > /tmp/usb-persistence/persistence.conf

Grub for UEFI support

Install grub2 for UEFI booting support (this requires the grub-efi-amd64-bin package on Debian). We force grub-install to not use UEFI secure boot, which apparently does not work with the --removable option.

grub-install --no-uefi-secure-boot --removable --target=x86_64-efi --boot-directory=/tmp/usb-live/boot/ --efi-directory=/tmp/usb-efi /dev/sdX

Syslinux for legacy BIOS support

Install syslinux gptmbr.bin bootloader to the drive (download syslinux or install package syslinux-common). Then install syslinux to the live partition.

dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/gptmbr.bin of=/dev/sdX
syslinux --install /dev/sdX2

Isolinux fixup

Reuse the isolinux config of the original live ISO to work with syslinux.

mv /tmp/usb-live/isolinux /tmp/usb-live/syslinux
mv /tmp/usb-live/syslinux/isolinux.bin /tmp/usb-live/syslinux/syslinux.bin
mv /tmp/usb-live/syslinux/isolinux.cfg /tmp/usb-live/syslinux/syslinux.cfg

Kernel parameters

Now that we copied the live system files to an actual read-write filesystem, we can manipulate the grub and syslinux config.

Add the persistence kernel parameter to menu.cfg and grub.cfg. In both files, add the keyword persistence at the end of the respective first line with boot=live in it.

sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 persistence/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg

Set the keyboard-layout kernel parameter. In both files, add the keywords at the end of the respective first line with boot=live in it.

sed --in-place '0,/boot=live/{s/\(boot=live .*\)$/\1 keyboard-layouts=de locales=en_US.UTF-8,de_DE.UTF-8/}' /tmp/usb-live/boot/grub/grub.cfg /tmp/usb-live/syslinux/menu.cfg

Grub splash

Fix the grub splash image (optional; we moved it into another directory).

sed --in-place 's#isolinux/splash#syslinux/splash#' /tmp/usb-live/boot/grub/grub.cfg

Unmounting and Cleanup

umount /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso
rmdir /tmp/usb-efi /tmp/usb-live /tmp/usb-persistence /tmp/live-iso

Why this should work for both UEFI and BIOS

When starting in UEFI mode, the PC will scan the FAT partitions we defined in the GPT partition table. The first FAT partition carries the UEFI grub bootloader, which is found because it is located in the path specified by UEFI for removable drives (the --removable switch to grub-install did this). No UEFI boot entry is necessary for that to work, we only need to make the PC try to boot from the USB drive. That grub is configured to take it from there (load the grub.cfg, show the menu, etc.).

When starting in BIOS mode and selecting to boot from the USB drive, the PC will execute the gptmbr.bin bootloader code we have written to the protective MBR of the USB drive. That bootloader looks for the GPT partition marked with the legacy_boot flag and chainload syslinux from that partition. Syslinux then takes over (load menu.cfg, show the menu, etc.).

Encrypted Persistence

Instead of using plain ext4 on the persistence partition, one could first encrypt the persistence partition with LUKS (using cryptsetup), then format that with ext4 (using the proper label). However, as the documentation says, the live system must include the cryptsetup package. Otherwise, the encrypted partition cannot be decrypted by the live system. This means one has to build a custom live ISO first. That is, however, out of the scope of this answer.

History

The --no-uefi-secure-boot option was previously not part of the call to grub-install. The stick worked fine for me, but that stopped with Debian buster, even though secure boot is still disabled on my machine.

Noted that this approach stopped working for Debian bookworm. Symbolic links were introduced in the ISO image, which cannot be reproduced on the FAT filesystem. When changing the live filesystem to ext*, we need a different bootloader chain. Also, the isolinux boot menu was refactored, which requires adjustments of the sed commands setting the persistence and locale flags.