I tried to get a read-only Fedora install medium. The idea was to use an old Intel Optane Memory M.2 inside a USB case with a write-protect switch, so I can write the image, flip the switch, and be sure it does not change afterwards. But the media check fails on it instantly. I tried it with write protection enabled and disabled, no change.
So I started to diff it against another USB stick with the same image that boots without problems, and diff tells me that all the files in the Boot and Fedora partitions on the Optane and the USB stick are identical. So why does the check fail?
The message is just that the service failed because the control process exited with an error code. Opening another tty to read the log in journalctl does not seem to work in that environment, so what can I do?
Also a question about the media check in general: gpt-oss insisted it is (in combination with Secure Boot) good enough to identify a maliciously modified image, so there is basically a chain of trust from Secure Boot all the way to the systemd service doing the check. Anything I can find online claims that it would only detect accidentally corrupted images, so how good is it?
The check is stricter than just requiring all files to be identical. It expects the written drive to be byte-wise identical to the .iso image. This check can break when the structure of the disk gets “repaired” in a way that doesn’t change file content. Particularly, the GPT backup table often gets moved, and this breaks the check despite not changing any file content.
If you’re confident in your own checks of the file integrity, then you could choose the “Start Fedora…” option instead of the default “Test this media & Start Fedora…” option, to bypass the media check and do the install anyway.
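As an added example (my own script, not part of this thread and not Fedora's own media check code), here is a POSIX shell script that does the byte-wise comparison the answer above describes, and also reports how many bytes differ and where the first difference sits, which separates a rewritten partition table at the tail of the image from corrupted file content. It assumes a Linux host with GNU coreutils/diffutils (stat -c, cmp -n, sha256sum); /dev/sdX and Fedora.iso are placeholders, and the sample files it builds when run without arguments are constructed 1 MiB dummies, not real Fedora media.

```shell
#!/bin/sh
# verify_media.sh: byte-wise check of a written drive against the ISO it was written from.
# Only the first $(size of ISO) bytes of the device are compared, so a larger drive is fine.
# Assumes GNU coreutils/diffutils (stat -c, cmp -n, sha256sum, head -c), i.e. a Linux host.
set -u

# Size of the ISO in bytes; everything on the device past this offset is ignored.
iso_size() {
    stat -c %s "$1"
}

# Return 0 when the first iso_size bytes of $2 (block device or image file) equal $1.
verify_media() {
    iso=$1; dev=$2
    size=$(iso_size "$iso") || return 2
    if cmp -n "$size" "$iso" "$dev" >/dev/null 2>&1; then
        echo "OK: first $size bytes of $dev match $iso"
    else
        echo "MISMATCH: $dev differs from $iso within the image extent" >&2
        return 1
    fi
}

# Number of differing bytes inside the image extent (0 when identical).
diff_count() {
    size=$(iso_size "$1")
    cmp -l -n "$size" "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# 1-based offset of the first differing byte, 0 when identical. An offset in the last
# sectors of the image extent points at the GPT backup table area, not at file content.
first_diff_offset() {
    size=$(iso_size "$1")
    off=$(cmp -l -n "$size" "$1" "$2" 2>/dev/null | awk 'NR==1{print $1; exit}')
    echo "${off:-0}"
}

# SHA-256 of the first $1 bytes of $2: comparable with the value in Fedora's CHECKSUM
# file even when the original ISO is no longer at hand (size must be the ISO size).
image_sha256() {
    head -c "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Constructed sample data (not real media) in directory $1: a fake 1 MiB "ISO", a good
# copy, and a copy whose last 512-byte sector (where a GPT backup header would sit) was
# rewritten while everything before it is untouched.
make_samples() {
    dir=$1
    head -c 1048576 /dev/urandom > "$dir/fake.iso"
    cp "$dir/fake.iso" "$dir/good.img"
    cp "$dir/fake.iso" "$dir/tail_changed.img"
    dd if=/dev/zero of="$dir/tail_changed.img" bs=512 seek=2047 count=1 conv=notrunc 2>/dev/null
}

# Offline demonstration on the constructed samples.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    verify_media "$d/fake.iso" "$d/good.img"
    verify_media "$d/fake.iso" "$d/tail_changed.img" || true
    echo "differing bytes: $(diff_count "$d/fake.iso" "$d/tail_changed.img"), first at offset" \
         "$(first_diff_offset "$d/fake.iso" "$d/tail_changed.img") of $(iso_size "$d/fake.iso")"
    rm -rf "$d"
}

if [ $# -eq 2 ]; then
    verify_media "$1" "$2"   # e.g. sudo sh verify_media.sh Fedora.iso /dev/sdX
else
    demo
fi
```

Run it as `sudo sh verify_media.sh Fedora.iso /dev/sdX` against the whole device (not a partition) with nothing on it mounted, after you have checked the ISO itself against the signed CHECKSUM file. If it reports a mismatch whose first offset lies in the last few sectors of the image extent while a file-level diff is clean, that is the moved GPT backup table case from the answer above; a mismatch well inside the image, as in the Z-for-W corruption reported later in this thread, is damaged payload.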
After playing around with cmp, I found that the USB stick I booted from was fine, but the one I checked against was also corrupted*. After writing it again, the Optane was fine and it passed a comparison with cmp against the ISO (checked via hash and GPG key), and the verify-media check.
Thanks!
*A bunch of Z where there should be W, and a bunch of / where there should be [; no idea how that happens.