Distribution Morphing Advanced Documentation grub Previous page: Distribution Morphing Index page: Advanced Documentation Next page: grub grub-live - boot an existing Host OS or VM into Live Mode

Live Mode boot option selectable in boot menu. (more screenshots)

The grub-live package offers an additional "LIVE mode" boot menu entry for the GNU GRUB boot loader.

This package is potentially compatible with many Linux distributions such as Debian. In Kicksecure and Whonix^®, it is installed by default. Grub-live can be applied to a host operating system (OS) as well as to a guest OS on a virtual machine.

Context[edit]

This wiki page documents grub-live mostly as a standalone software package outside the context of Kicksecure. Any elements related to Kicksecure are clearly marked as such ("Kicksecure feature").

Version[edit]

Documentation updated for Kicksecure version 17.4.1.0 (unrelated at time of writing).

For Kicksecure version 17.3.9.9 see wiki history: https://www.kicksecure.com/w/index.php?title=Grub-live&oldid=96700 - Free wiki account required for reading. (Reasons: Wiki History)

This notice will be removed after the next stable release.

Compatibility[edit]

grub-live is compatible and tested with Debian, Kicksecure, and Whonix. In Kicksecure and Whonix, it is installed by default. It should also run without any problems on Ubuntu and other Linux distributions that implement Debian live-boot. However, due to little user adoption and testing at this point in time, grub-live for those distributions is still labeled untested.

Installation / Getting started[edit]

The grub-live package is hosted under the grub-live GitHub repository. There you will also find the installation guide.

After the installation, you can instantly use the Live Mode in your operating system. Simply boot/reboot your system and choose the new "LIVE mode" option in the boot menu. For Kicksecure specifically, read: Detailed documentation for using the live mode for Kicksecure.

Set grub-live as Default in GRUB boot menu[edit]

Optional.

If you have installed grub-live and want the "LIVE mode" option to be the default selected option in your GRUB menu, please follow the instructions below. Be aware, however, that due to little user adoption and testing, this option is still labeled untested.

1. Do a grub-live package installation check

By default, the grub-live package is installed in Kicksecure. If you boot your system and a boot menu entry "LIVE mode" is already available, then grub-live is already installed.

Alternatively, you can make sure the grub-live package is installed. The following command can be used to check on the command line if the package is already installed by default.

dpkg -l | grep grub-live

2. Set LIVE mode as the default boot menu entry

There are two ways to accomplish this. Choose one of these options:

Option (A) - symlink method

Advantage: This is easier because updates to grub-live will be automatically applied.
Disadvantage: There will be a duplicate live boot menu entry.
Copy and execute the following command:

sudo ln -s /etc/grub.d/10_20_linux_live /etc/grub.d/09_linux_live

Option (B) - moving method

Advantage: No duplicate live boot menu entry.
Disadvantage: Updates to grub-live will NOT be automatically applied.
Copy and execute the following command:

sudo mv /etc/grub.d/10_20_linux_live /etc/grub.d/09_linux_live

3. Re-generate GRUB boot menu

The GRUB boot menu needs to be regenerated for the changes to be applied. Copy and execute the following command:

sudo update-grub

4. DONE

The process of changing from "live mode opt-in through GRUB boot menu" to "live boot by default" has been completed.

5. Updates

If in step 2, "option (B)" was chosen, then this process might need to be repeated from time to time if there have been updates to GRUB or to your system. The need to repeat this process from step 1 to step 4 will be indicated as soon as the "LIVE mode" entry is no longer the default entry in the GRUB boot menu.

If in step 2, "option (A)" was chosen, then this step is not needed. Updates will be applied automatically.

Get GRUB to remember your last choice (e.g., Live mode)[edit]

Optional.

If you don't want to set Live Mode as your permanent default boot option but still want the comfort of having GRUB remember your last choice, e.g., "Live mode," then follow these instructions. ^[1]

1. Open file /etc/default/grub.d/50_user.conf in an editor with root rights.

Select your platform.

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/default/grub.d/50_user.conf

NOTES:

When using Kicksecure-Qubes, this needs to be done inside the Template.

sudoedit /etc/default/grub.d/50_user.conf

After applying this change, shutdown the Template.
All App Qubes based on the Template need to be restarted if they were already running.
This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

This is just an example. Other tools could achieve the same goal.
If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/default/grub.d/50_user.conf

2. Now add these two lines to this file: GRUB_DEFAULT=saved GRUB_SAVEDEFAULT=true

3. Finally, execute this command: sudo update-grub

4. Done.

Your boot menu now remembers your last choice.

Alternative to grub-live[edit]

As an alternative to grub-live, it is also possible to automatically detect if the disk is set to read-only and enable live mode automatically using the ro-mode-init package. Read VM Live Mode - Alternative ro-mode-init Configuration for further instructions.

ro-mode-init is currently less tested than grub-live.

Comparison between grub-live and Tails[edit]

Tails is its own operating system, whereas grub-live is a package enabling Live Mode on different Linux distributions. The following table will show the advantages and disadvantages of grub-live in regard to Tails. It should be noted, however, that while Tails is optimized for Live mode, grub-live is vastly more compatible with other systems.

Table: Comparison of grub-live and Tails

Aspect	grub-live on the host ^[2] / grub-default-live on the host with Kicksecure	Tails DVD only	Tails USB / DVD, with persistent USB	Tails read-only medium and other devices with write capability unplugged ^[3] ^[4]
Common ^[5] mode of operation	Yes	Yes	Yes	No ^[6]
Amnesic / protects against disk modifications ^[7]	Yes	Yes	Yes	Yes
Protects against malware persistence on hard drive after malware compromise	No ^[8]	No ^[8]	No ^[8]	Yes ^[8]
Protects against firmware trojans after malware compromise	No ^[8]	No ^[8]	No ^[8]	No ^[8]
Avoid writing to arbitrary (non-boot) host disks	Yes	Yes ^[9]	Yes ^[9]	Yes ^[9]
Disables removable drives auto-mounting	Yes ^[10]	? ^[11]	? ^[11]	? ^[11]
Disables swap	Yes (Kicksecure feature) ^[12]	Yes	Yes	Yes
Disabled virtual machine shared folders	No ^[13]	?	?	?
Wipe RAM on shutdown	No, but see ram-wipe. ^[14]	Yes, but with limitations. ^[15]	Yes, but with limitations. ^[15]	Yes, but with limitations. ^[15]
Wipe video RAM on shutdown	No ^[16]	No ^[17]	No ^[17]	No ^[17]
Emergency shutdown on USB removal	No ^[18]	Yes	Yes	Yes
Live Mode Usability ^[19]	Good ^[20]	Good ^[21]	Good ^[21]	Good ^[21]
Live Mode Indicator Systray	Yes (Kicksecure feature) ^[22]^[23]	Unneeded	Unneeded	Unneeded
Unified Amnesic User Experience	Yes	Yes	Yes	Yes
Unified Amnesic + Anonymous User Experience	Kicksecure: Not applicable ^[24] Whonix: No ^[25]	Yes	Yes	Yes
Easy standard ("everyday") upgrades ^[26]	Yes	?	?	?
Release upgrades ^[27] possible anytime ^[26]	Yes	No ^[28]	No ^[28]	No ^[28]
Live boot by default	grub-live: No ^[29] grub-default-live: Yes	Yes	Yes	Yes
Persistent boot by default	grub-live: Yes ^[29] grub-default-live: No	No	No	No
Full disk encryption compatibility	Yes	No	No	No
Encrypted persistence supported	Yes	Yes ^[30]	Yes ^[30]	Yes ^[30]

Security Considerations[edit]

How secure and reliable is any live mode?

Computers typically default to data persistence rather than amnesia. Coupled with widespread computer security vulnerabilities (see About Computer (In)Security), implementing a secure non-persistent system is challenging.

grub-live is relatively straightforward. It primarily involves installing necessary dependencies and setting kernel parameters (details in Implementation). However, the software it is based on, such as dracut (or initramfs-tools / Debian's live-tools), mount, and overlayfs, are complex. Sparse developer documentation in this area makes this difficult. There is also an increased risk of failures post Release Upgrade or after installing new major versions of Kicksecure or Debian, due to the generic nature of the solution.

There is a potential risk that malware could remount a read-only disk as read-write. While no confirmed cases exist, theoretically, even legitimate software could inadvertently perform such actions. To mitigate this risk, it's advisable to use grub-live in conjunction with

USER session; and/or
physical read-only mode for hard drives, where feasible. See read-only.

Using grub-live on the host operating system, combined with virtual machines (VMs), is a safer configuration. In this setup, any disk remounting as read-write within a VM would be negated upon rebooting the host. VMs, in this context, are unaware of the host's live mode status and cannot directly alter it.

Would using an ISO image be safer? Generally, yes. Because ISOs commonly aren't modified. It seems unlikely that an ISO would be inadvertently remounted as read-write, unless targeted specifically by malware.

Tools like growisofs can append data to an ISO, but it's more complex than a simple remount command. Even without growisofs, malware could potentially repack and rewrite an ISO, but it is an even more complicated process. Not something that can happen by accident.

What about read-only media, like a DVD-R (not DVD-RW)? This is indeed a safer option, but less practical. It requires burning the DVD, then using it in a read-only DVD reader, which is not a common practice. Such devices are not popular anymore nowadays.

Combining physical write protection switches with grub-live would further enhance security. However, even this is not foolproof due to potential hardware vulnerabilities or defects. (See Write Protection.) Thus, it should be considered an additional layer of defense rather than a complete solution.

Reflecting on these aspects, we can categorize security configurations from least to most secure, as follows:

Notes:

This list, created in December 2023, might have minor inaccuracies but generally represents the correct security hierarchy.
ISO HDD: It is possible to boot an ISO located on the hard drive. This is unspecific to Kicksecure and out of scope for this documentation.

VM live mode HDD boot without read-only VM HDD ("least secure")
VM live mode HDD boot with read-only VM hard drive
VM live mode ISO boot without VM HDDs connected
host live mode HDD without read-only HDD
host live mode HDD without read-only HDD + using VMs
host live mode HDD with read-only HDD
host live mode HDD with read-only HDD + using VMs
host live mode ISO HDD with read-only HDD
host live mode ISO HDD with read-only HDD + using VMs
same as above but with Full Disk Encryption as an additional safety layer
same as above but hardware write protection switches enabled
host live mode ISO DVD-RW with
host live mode ISO DVD-RW with + using VMs
host live mode ISO DVD-R with
host live mode ISO DVD-R with + using VMs
same as above but with all other storage devices disconnected ("most secure")

Additional steps users can take to improve the security of live mode:

Avoiding the installation of additional software, especially more complex software that uses mount/loop devices or breaks the live indicator, such as, for example, snapd.
Prevention of Malware Sniffing the Root Password, because remount read-write requires root.

In summary, while striving for maximum security, absolute guarantees are unattainable. Users seeking higher data amnesia assurances should consider becoming developers or auditors, or sponsoring focused development and review in the realm of anti-forensics, including the development of comprehensive automated testing frameworks.

Remount Disk as Read-Write after booting into Live Mode[edit]

This chapter is more of developer documentation, proof of concept, and curiosity rather than something that users should do.

1. Create a mount folder /mnt/disk.

sudo mkdir /mnt/disk

2. Mount.

Note: /dev/sda3 applies to VirtualBox VMs. It needs to be replaced with the actual hard drive device name.

sudo mount /dev/sda3 /mnt/disk

3. Remount as read-write.

sudo mount -o remount,rw /dev/sda3 /mnt/disk

4. Make persistent modifications.

For example, create a file /home/test-file.

touch /mnt/disk/home/test-file

It is unclear if the disk could even be remounted to / but that is left as a sysadmin exercise for the reader.

5. When done, unmount.

sudo umount /mnt/disk

6. Remove the mount point.

Optional.

sudo rmdir /mnt/disk

7. Done.

The process has been completed.

Questions and answers:

Is this a security issue? Yes.
Is this issue specific to, or caused by, grub-live or Kicksecure? No, unspecific to Kicksecure.
Is this issue reproducible on other live systems, i.e., without grub-live or Kicksecure being involved? Yes.
Are similar live systems also affected? Yes, see Security Considerations.
What can users do to improve their security? See the same link as above.

Troubleshooting[edit]

Here are some problems you might encounter and their possible solutions.

Live Mode Without grub-live[edit]

Platform specific.

Kicksecure: In recent versions of Kicksecure, dracut is installed by default. To boot into live mode without using grub-live, simply add the rootovl kernel parameter. Instructions for adding kernel parameters can be found on the grub wiki page.
- Note that booting with the rootovl kernel parameter will only mount the root filesystem live. If you have other filesystems that are mounted by default when the system starts, such as /home on a separate partition, those filesystems will NOT be mounted live when doing this. grub-live remedies this via a live-hardener script that detects additional persistent mountpoints and remounts them read-only with a live writable overlay.
Kicksecure for Qubes: For Qubes OS, the process may not work as expected. For further details, refer to the related Qubes feature request Implement live boot by porting grub-live to Qubes - amnesia / non-persistent boot / anti-forensics

It is recommended to Functionality Test of Live mode to verify non-persistence.

Missing grub-live boot menu entry[edit]

Please run the following commands for debugging/information gathering and post them when creating any support requests.

1. /etc/grub.d/10_20_linux_live file existence.

ls -la /etc/grub.d/10_20_linux_live

2. /etc/grub.d/10_20_linux_live file contents.

Please check your local file /etc/grub.d/10_20_linux_live to ensure it looks exactly the same as /etc/grub.d/10_20_linux_live on GitHub. This will verify that you have the latest version of the grub-live package. Note that the stable version might look slightly different from the developer's or tester's version on GitHub.

cat /etc/grub.d/10_20_linux_live

3. initramfs-tools package version number.

(Probably not installed. This is expected.)

dpkg-query -W -f='${db:Status-Status}' initramfs-tools

4. dracut package version number.

dpkg-query -W -f='${db:Status-Status}' dracut

5. dist-base-files package version number.

dpkg -l | grep dist-base-files

6. grub-live package version number.

dpkg -l | grep grub-live

7. /boot/grub/grub.cfg file contents.

sudo cat /boot/grub/grub.cfg

8. Optional: Compare /boot/grub/grub.cfg with sample grub.cfg.

Use File Comparison Tools.

related forums tips:

Live Check Indicator Systray Issues[edit]

The live mode is indicated by a Live Check Systray icon. It can happen that this icon has issues. If so, here's what you can do.

First of all, this is not an indication of compromise by malware. The real issue is as simple as: the Live Check Systray is broken.

1. Is live-mode.sh showing an error?

bash -x /usr/libexec/helper-scripts/live-mode.sh

2. Is get_writable_fs_lists.sh showing an error?

bash -x /usr/libexec/helper-scripts/get_writable_fs_lists.sh

3. Try lsblk.

If the above method does not work, try also this:

sudo /bin/lsblk

4. Kernel parameter check.

Please check kernel parameters after booting into live mode.

If using dracut (default in newer versions):

cat -- /proc/cmdline | grep --color -- rootovl

If using initramfs-tools (old build versions):

cat -- /proc/cmdline | grep --color -- boot=live

If not booting into live mode, these kernel parameters should not be there.

5. Bug report.

If you are still having issues, you can report a bug with the output from the commands included above.

dracut[edit]

Optional.

Changing from initramfs-tools to dracut is optional and can cause dracut issues, unbootable system. See dracut.

Developer Information[edit]

Users can skip this chapter and below.

Implementation[edit]

The grub-live implementation combines the dracut module 90overlay-root with a script /usr/libexec/grub-live/live-hardener to mount all possible writable filesystems read-only, with a writable RAM-based overlay to allow normal system operation without persistence. 90overlay-root and live-hardener get enabled when kernel parameter rootovl is set. 90overlay-root is only available in the Debian fork of dracut.

dracut module source file: /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh
/etc/grub.d/10_20_linux_live on GitHub
main file: /etc/grub.d/10_20_linux_live
90overlay-root vs 90dmsquash-live
https://github.com/dracutdevs/dracut/issues/1565

Simplified Summary[edit]

The first main source file is this one: /etc/grub.d/10_20_linux_live

The most relevant parts...

## initramfs support GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX boot=live plainroot union=overlay ip=frommedia noeject nopersistence"

(But Kicksecure at the time of writing uses the initramfs generator "dracut" by default, so "initramfs-tools" support is legacy.)

## dracut support ## https://www.kicksecure.com/wiki/Grub-live#Developer_Information ## ## using Debian forked upstream module 90overlay-root (tested) GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rootovl" ## using dracut upstream module 90overlayfs (untested) #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.live.overlay.overlayfs=1 rd.live.overlay.readonly=1"

Therefore, as of June 2025, the majority of what grub-live does is provide a convenient way (the GRUB boot menu entry) to easily set the kernel parameter rootovl, which is a feature provided by Debian's forked version of dracut, module 90overlay-root. In the future, the dracut upstream module 90overlayfs should be used instead. See also Development. These dracut modules in turn make use of Linux kernel features.

The other primary source file is this one: live-hardener. This script detects writable filesystems and remounts most of them read-only, then adds a live overlay on top. This is similar to what Debian's dracut's 90overlay-root does for the root filesystem, but applies to most other writable filesystems on the system, thus preventing reducing persistence even in more complex setups.

live-hardener does not remount writable filesystems if both of the following conditions are met:

The filesystem is mounted to /media, /mnt, or a subdirectory thereof, and
The drive containing the filesystem is detected to be a removable drive (/sys/class/block/DRIVE_ID/removable is equal to 1).

live-hardener is not always able to mount a writable RAM-based overlay on top of all filesystems, as some filesystems are not compatible with the overlayfs kernel feature. These filesystems are simply remounted read-only, without providing a writable overlay.

In summary, the most heavy lifting is done by the initramfs generator (initramfs-tools or dracut) and the Linux kernel. grub-live only implements usability (GRUB boot menu entry), documentation, and a more thorough hardening mechanism for filesystems beyond the root filesystem.

Development[edit]

Should port to 90overlayfs

rd.live.overlay.overlayfs=1 rd.live.overlay.readonly=1

While Debian did not merge overlayfs with nfs for Debian bookworm the module will be updated in the next major version of Debian as per usual as Debian receives newer dracut versions from dracut upstream.

File Names[edit]

Legacy File Names[edit]

/etc/grub.d/11_linux_live has been renamed to /etc/grub.d/10_20_linux_live.

Porting grub-live to other Linux Distributions[edit]

This is an informational chapter for developers. Users can skip this chapter.

Porting grub-live to other Linux Distributions might be rather simple in comparison to other packages.

grub-live should already be compatible with any Debian based distribution as mentioned on top of this wiki page. Testing is very limited.

What grub-live technically in essence does:

1) The grub-live is mainly shipping three files:
- GRUB config file /etc/grub.d/10_20_linux_live
- live-hardener script live-hardener.
- systemd service live-hardener.service.
2) Pull required dependencies in debian/control
3) Postinst runs: "sudo update-grub"

Qubes support:

Might be harder.
That would require packaging grub-live for Fedora.
Or as a first step copying over the config files.
https://github.com/QubesOS/qubes-issues/issues/1018
https://github.com/QubesOS/qubes-issues/issues/4982

grub.cfg[edit]

For reference only.

/boot/grub/grub.cfg will be automatically created. (Auto-generated by sudo update-grub .) No manual user action required. Useful for comparison in case of debugging.

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_msdos
insmod btrfs
search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
    font="/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=1024x768
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
insmod part_msdos
insmod btrfs
search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
insmod gfxmenu
loadfont ($root)/grub/themes/dist-common/inter-grub_regular_17.pf2
loadfont ($root)/grub/themes/dist-common/inter-grub_regular_20.pf2
loadfont ($root)/grub/themes/dist-common/terminus-grub_14.pf2
insmod png
set theme=($root)/grub/themes/kicksecure/theme-4x3.txt
export theme
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_00_linux_dist ###
function gfxmode {
	set gfxpayload="${1}"
}
set linux_gfx_mode=1024x768
export linux_gfx_mode
menuentry 'Kicksecure GNU/Linux' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
	load_video
	gfxmode $linux_gfx_mode
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod btrfs
	search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
	echo	'Loading Linux 6.1.0-32-amd64 ...'
	linux	/vmlinuz-6.1.0-32-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
	echo	'Loading initial ramdisk ...'
	initrd	/initrd.img-6.1.0-32-amd64
}

### END /etc/grub.d/10_00_linux_dist ###

### BEGIN /etc/grub.d/10_20_linux_live ###
function gfxmode {
	set gfxpayload="${1}"
}
set linux_gfx_mode=1024x768
export linux_gfx_mode
menuentry 'Kicksecure LIVE mode USER (For daily activities.) GNU/Linux' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
	load_video
	gfxmode $linux_gfx_mode
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod btrfs
	search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
	echo	'Loading Linux 6.1.0-32-amd64 ...'
	linux	/vmlinuz-6.1.0-32-amd64 root=/dev/disk/by-uuid/f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy rootovl  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
	echo	'Loading initial ramdisk ...'
	initrd	/initrd.img-6.1.0-32-amd64
}

### END /etc/grub.d/10_20_linux_live ###

### BEGIN /etc/grub.d/10_50_linux_dist_advanced ###
submenu 'Advanced options for Kicksecure GNU/Linux' $menuentry_id_option 'gnulinux-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-32-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-32-amd64 ...'
		linux	/vmlinuz-6.1.0-32-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-32-amd64
	}
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-32-amd64 (recovery mode)' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-recovery-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-32-amd64 ...'
		linux	/vmlinuz-6.1.0-32-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro single rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-32-amd64
	}
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-31-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-31-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-31-amd64 ...'
		linux	/vmlinuz-6.1.0-31-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-31-amd64
	}
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-31-amd64 (recovery mode)' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-31-amd64-recovery-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-31-amd64 ...'
		linux	/vmlinuz-6.1.0-31-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro single rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-31-amd64
	}
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-28-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-28-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-28-amd64 ...'
		linux	/vmlinuz-6.1.0-28-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-28-amd64
	}
	menuentry 'Kicksecure GNU/Linux, with Linux 6.1.0-28-amd64 (recovery mode)' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-28-amd64-recovery-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-28-amd64 ...'
		linux	/vmlinuz-6.1.0-28-amd64 root=UUID=f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro single rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-28-amd64
	}
}

### END /etc/grub.d/10_50_linux_dist_advanced ###

### BEGIN /etc/grub.d/10_51_linux_live_advanced ###
submenu 'Advanced options for Kicksecure LIVE mode USER (For daily activities.) GNU/Linux' $menuentry_id_option 'gnulinux-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
	menuentry 'Kicksecure LIVE mode USER (For daily activities.) GNU/Linux, with Linux 6.1.0-32-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-32-amd64 ...'
		linux	/vmlinuz-6.1.0-32-amd64 root=/dev/disk/by-uuid/f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy rootovl  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-32-amd64
	}
	menuentry 'Kicksecure LIVE mode USER (For daily activities.) GNU/Linux, with Linux 6.1.0-31-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-31-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-31-amd64 ...'
		linux	/vmlinuz-6.1.0-31-amd64 root=/dev/disk/by-uuid/f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy rootovl  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-31-amd64
	}
	menuentry 'Kicksecure LIVE mode USER (For daily activities.) GNU/Linux, with Linux 6.1.0-28-amd64' --class kicksecure --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-28-amd64-advanced-f980020b-0f30-442d-b3ec-ab4c6c54fa9a' {
		load_video
		gfxmode $linux_gfx_mode
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod btrfs
		search --no-floppy --fs-uuid --set=root e727c741-7916-416a-a89b-6df8286415eb
		echo	'Loading Linux 6.1.0-28-amd64 ...'
		linux	/vmlinuz-6.1.0-28-amd64 root=/dev/disk/by-uuid/f980020b-0f30-442d-b3ec-ab4c6c54fa9a ro rootflags=subvol=@  mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy rootovl  rd.luks.uuid=dc1f531b-eea8-47b0-86f2-a841d6d61a4e loglevel=0 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/initrd.img-6.1.0-28-amd64
	}
}

### END /etc/grub.d/10_51_linux_live_advanced ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/45_debugging ###
### END /etc/grub.d/45_debugging ###

Footnotes[edit]

↑ Based on this askubuntu answer.
↑ Meaning, grub-live outside of a virtual machine. For grub-live in a VM, see Live Mode.
↑ Assuming Tails on a DVD which can only be written to once, not DVD-RW.
↑ Or using Tails USB with a physical, active, and effective (non-circumventable by software) write protection switch enabled.
↑ As in a substantial user group willing and able to do this.
↑ This would be a prudent approach, but search engines indicate that no or very few users run this configuration.
↑ Excluding malware compromise.
↑ ^8.0 ^8.1 ^8.2 ^8.3 ^8.4 ^8.5 ^8.6 ^8.7 Once targeted malware is active, it can circumvent read-only settings, mount the hard drive, and add malware which becomes active after the next boot.
↑ ^9.0 ^9.1 ^9.2 Avoid writing to arbitrary (non-boot) host disks:
Tails takes care not to use any filesystem that might exist on the host machine's hard drive, unless explicitly told to do so by the user. The Debian Live persistence feature is disabled by passing nopersistence over the kernel command line to live-boot.https://tails.boum.org/contribute/design/
↑
- https://forums.whonix.org/t/disk-usb-automount-in-kicksecure/8728
- https://github.com/Kicksecure/security-misc/blob/master/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
↑ ^11.0 ^11.1 ^11.2
Does Tails enable or disable auto mounting? Conflicting information.
- Tails ticket: Mount external drives automatically (enable automount)
```
automount = true
```
https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults#L24
Removable drives auto-mounting is disabled in Tails 0.7 and newer.https://tails.boum.org/contribute/design/#index39h3
- https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults
↑
Disables swap:
- not grub-live: This is not a feature by the standalone grub-live package.
- Kicksecure feature: This is a Kicksecure feature.
- No swap partition: There is no swap partition by default in Kicksecure, except maybe if using Distribution Morphing.
- Kicksecure swap design: Kicksecure comes with swap-file-creator by default that creates an encrypted swap file with an ephemeral key that is lost after poweroff.
- live mode: swap-file-creator refuses to start in live mode.
- Conclusion: Swap is disabled in Kicksecure when booting into live mode.
↑ Considered a feature or bug? Users writing to virtual machine shared folder probably do so explicitly.
↑
- https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596
- https://github.com/QubesOS/qubes-issues/issues/1562
Then a meta package amnesia could depend on both grub-live and wiperam to simplify live boot for users.
↑ ^15.0 ^15.1 ^15.2 https://tails.boum.org/contribute/design/memory_erasure/
↑ https://github.com/QubesOS/qubes-issues/issues/1563
↑ ^17.0 ^17.1 ^17.2 https://gitlab.tails.boum.org/tails/tails/-/issues/5356
↑
- https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755
- https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994
↑ The user being aware of currently running in live mode vs persistent mode.
↑ The live mode status is reported by the Live Mode Indicator Systray widget, which is a Kicksecure feature and not part of grub-live.
↑ ^21.0 ^21.1 ^21.2 Consistently good because amnesia has always been a core Tails feature. It is obvious to the user that nothing persists except folders that have selective persistence enabled.
↑ The systray widget is implemented in desktop-config-dist and is not included in grub-live.
↑ Without Live Mode Indicator Systray (see below), it is not obvious to the user if they booted into persistent or live mode. This might lead to a mistake where live boot is not selected from the grub boot menu (persistent mode is instead set), but the user believes otherwise.
↑ Kicksecure is non-anonymous.
↑ Whonix is anonymous. Whonix is primarily run inside virtualizers. grub-live is an extra configuration step on the user's host.
↑ ^26.0 ^26.1 When booting into Persistent Mode the user can use standard upgrade mechanisms such standard package managers such as apt.
↑ Such as from Debian bookworm to Debian trixie. grub-live functionality must be re-tested in every major distribution release.
↑ ^28.0 ^28.1 ^28.2 Release upgrade of Tails from, let's say, Debian bookworm to Debian trixie, is a non-trivial development effort. See also: https://tails.boum.org/doc/upgrade/
↑ ^29.0 ^29.1 Persistent boot is the default option in grub boot menu.
↑ ^30.0 ^30.1 ^30.2 https://tails.net/doc/persistent_storage/index.en.html

Distribution Morphing Advanced Documentation grub Previous page: Distribution Morphing Index page: Advanced Documentation Next page: grub

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Based on this askubuntu answer.

[2] Meaning, grub-live outside of a virtual machine. For grub-live in a VM, see Live Mode.

[3] Assuming Tails on a DVD which can only be written to once, not DVD-RW.

[4] Or using Tails USB with a physical, active, and effective (non-circumventable by software) write protection switch enabled.

[5] As in a substantial user group willing and able to do this.

[6] This would be a prudent approach, but search engines indicate that no or very few users run this configuration.

[7] Excluding malware compromise.

[targeted_persistent_malware-8] 8.0 ^8.1 ^8.2 ^8.3 ^8.4 ^8.5 ^8.6 ^8.7 Once targeted malware is active, it can circumvent read-only settings, mount the hard drive, and add malware which becomes active after the next boot.

[tails-avoid-host-disk-usage-9] 9.0 ^9.1 ^9.2 Avoid writing to arbitrary (non-boot) host disks:
Tails takes care not to use any filesystem that might exist on the host machine's hard drive, unless explicitly told to do so by the user. The Debian Live persistence feature is disabled by passing nopersistence over the kernel command line to live-boot.https://tails.boum.org/contribute/design/

[10] 
https://forums.whonix.org/t/disk-usb-automount-in-kicksecure/8728

https://github.com/Kicksecure/security-misc/blob/master/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

[11] ttps://forums.whonix.org/t/disk-usb-automount-in-kicksecure/8728

[12] ttps://github.com/Kicksecure/security-misc/blob/master/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

[tails-disables-removable-drives-auto-mounting-11] 11.0 ^11.1 ^11.2 Does Tails enable or disable auto mounting? Conflicting information.
Tails ticket: Mount external drives automatically (enable automount)

automount = true
https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults#L24

Removable drives auto-mounting is disabled in Tails 0.7 and newer.https://tails.boum.org/contribute/design/#index39h3

https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults

[14] Tails ticket: Mount external drives automatically (enable automount)

[15] ttps://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults

[12] Disables swap:
not grub-live: This is not a feature by the standalone grub-live package.

Kicksecure feature: This is a Kicksecure feature.

No swap partition: There is no swap partition by default in Kicksecure, except maybe if using Distribution Morphing.

Kicksecure swap design: Kicksecure comes with swap-file-creator by default that creates an encrypted swap file with an ephemeral key that is lost after poweroff.

live mode: swap-file-creator refuses to start in live mode.

Conclusion: Swap is disabled in Kicksecure when booting into live mode.

[17] t grub-live: This is not a feature by the standalone grub-live package.

[18] Kicksecure feature: This is a Kicksecure feature.

[19] No swap partition: There is no swap partition by default in Kicksecure, except maybe if using Distribution Morphing.

[20] Kicksecure swap design: Kicksecure comes with swap-file-creator by default that creates an encrypted swap file with an ephemeral key that is lost after poweroff.

[21] ve mode: swap-file-creator refuses to start in live mode.

[22] Conclusion: Swap is disabled in Kicksecure when booting into live mode.

[13] Considered a feature or bug? Users writing to virtual machine shared folder probably do so explicitly.

[14] 
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596

https://github.com/QubesOS/qubes-issues/issues/1562
Then a meta package amnesia could depend on both grub-live and wiperam to simplify live boot for users.

[25] ttps://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596

[26] ttps://github.com/QubesOS/qubes-issues/issues/1562

[tails_wipe_ram-15] 15.0 ^15.1 ^15.2 https://tails.boum.org/contribute/design/memory_erasure/

[16] ttps://github.com/QubesOS/qubes-issues/issues/1563

[tails-wipe-video-ram-17] 17.0 ^17.1 ^17.2 https://gitlab.tails.boum.org/tails/tails/-/issues/5356

[18] 
https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755

https://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994

[31] ttps://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755

[32] ttps://forums.kicksecure.com/t/unplugging-external-drive-doesnt-trigger-a-shutdown/994

[19] The user being aware of currently running in live mode vs persistent mode.

[20] The live mode status is reported by the Live Mode Indicator Systray widget, which is a Kicksecure feature and not part of grub-live.

[tails-amnesia-usability-21] 21.0 ^21.1 ^21.2 Consistently good because amnesia has always been a core Tails feature. It is obvious to the user that nothing persists except folders that have selective persistence enabled.

[22] The systray widget is implemented in desktop-config-dist and is not included in grub-live.

[23] Without Live Mode Indicator Systray (see below), it is not obvious to the user if they booted into persistent or live mode. This might lead to a mistake where live boot is not selected from the grub boot menu (persistent mode is instead set), but the user believes otherwise.

[24] Kicksecure is non-anonymous.

[25] Whonix is anonymous. Whonix is primarily run inside virtualizers. grub-live is an extra configuration step on the user's host.

[using-apt-26] 26.0 ^26.1 When booting into Persistent Mode the user can use standard upgrade mechanisms such standard package managers such as apt.

[27] Such as from Debian bookworm to Debian trixie. grub-live functionality must be re-tested in every major distribution release.

[tails-release-upgrade-28] 28.0 ^28.1 ^28.2 Release upgrade of Tails from, let's say, Debian bookworm to Debian trixie, is a non-trivial development effort. See also: https://tails.boum.org/doc/upgrade/

[grub-live-persistent-default-29] 29.0 ^29.1 Persistent boot is the default option in grub boot menu.

[tails-encrypted-persistence-30] 30.0 ^30.1 ^30.2 https://tails.net/doc/persistent_storage/index.en.html

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

grub-live - boot an existing Host OS or VM into Live Mode

Contents

Context[edit]

Version[edit]

Compatibility[edit]

Installation / Getting started[edit]

Set grub-live as Default in GRUB boot menu[edit]

Get GRUB to remember your last choice (e.g., Live mode)[edit]

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Alternative to grub-live[edit]

Comparison between grub-live and Tails[edit]

Security Considerations[edit]

Remount Disk as Read-Write after booting into Live Mode[edit]

Troubleshooting[edit]

Live Mode Without grub-live[edit]

Missing grub-live boot menu entry[edit]

Live Check Indicator Systray Issues[edit]

dracut[edit]

Developer Information[edit]

Implementation[edit]

Simplified Summary[edit]

Development[edit]

File Names[edit]

Legacy File Names[edit]

Porting grub-live to other Linux Distributions[edit]

grub.cfg[edit]

Footnotes[edit]

Navigation menu

grub-live - boot an existing Host OS or VM into Live Mode

Context[edit]

Version[edit]

Compatibility[edit]

Installation / Getting started[edit]

Set grub-live as Default in GRUB boot menu[edit]

Get GRUB to remember your last choice (e.g., Live mode)[edit]

Kicksecure

Kicksecure for Qubes

Others and Alternatives

Alternative to grub-live[edit]

Comparison between grub-live and Tails[edit]

Security Considerations[edit]

Remount Disk as Read-Write after booting into Live Mode[edit]

Troubleshooting[edit]

Live Mode Without grub-live[edit]

Missing grub-live boot menu entry[edit]

Live Check Indicator Systray Issues[edit]

dracut[edit]

Developer Information[edit]

Implementation[edit]

Simplified Summary[edit]

Development[edit]

File Names[edit]

Legacy File Names[edit]

Porting grub-live to other Linux Distributions[edit]

grub.cfg[edit]

Footnotes[edit]

Navigation menu

Search