initrd: add ISO boot detection and USB filesystem validation

Add runtime detection to warn users when their ISO doesn't support
boot from ISO file on USB stick.

Changes:
- Add detect_iso_boot_method() to scan initrd for boot quirks
  (findiso, iso-scan, live-media, boot=casper, inst.stage2, nixos)
- Detect USB stick filesystem type (ext4/vfat/exfat) from blkid
- Use strings on initrd binary directly (works when cpio fails)
- Validate ISO initrd supports reading USB filesystem
- Show warning when FS not supported
- Filter out installer initrds from detection
- Show warning dialog when boot may fail
- Add distro-specific kernel params for Ubuntu, Debian, Tails,
  Fedora, NixOS, PureOS, Arch
- Detect inst.stage2= as anaconda-specific (Fedora Silverblue)

Tested ISOs (2026-04):

Working:
- Ubuntu Desktop (iso-scan/filename)
- Debian Live kde/xfce (findiso)
- Tails standard (live-media=removable, ext4/vfat)
- Tails exfat-support ISO (exfat)
- Fedora Workstation (boot=casper)
- NixOS (findiso)
- PureOS (boot=casper)

Not working (use dd or alternate):
- Debian DVD (CD-only design)
- Fedora Silverblue (anaconda, inst.stage2=)

References:
- https://a1ive.github.io/grub2_loopback.html
- https://wiki.archlinux.org/title/ISO_Spring_(%27Loop%27_device)
- https://wiki.debian.org/DebianInstaller/CreateUSBMedia

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

initrd/bin/kexec-iso-init.sh

@@ -1,5 +1,37 @@
 #!/bin/bash
-# Boot from signed ISO
+# Boot ISO file from USB media (ext4/fat/exfat USB stick)
+# Tests ISO initrd for boot capability: USB, loop, filesystem, and boot quirk
+#
+# References:
+# - https://wiki.archlinux.org/title/ISO_Spring_(%27Loop%27_device)
+# - https://a1ive.github.io/grub2_loopback.html
+#
+# ISO Boot Requirements:
+# 1. Initrd must support USB storage (load usb-storage module)
+# 2. Initrd must support loopback (for mounting ISO file)
+# 3. Initrd must have filesystem drivers (ext4, vfat, exfat for USB stick)
+# 4. Initrd must have boot quirk script to find ISO on USB:
+#    - findiso= (Debian, NixOS)
+#    - iso-scan/filename= (Ubuntu)
+#    - live-media= (Tails, Ubuntu variants)
+#    - boot=casper (Ubuntu/Debian Live)
+#    - inst.stage2= (Fedora)
+#
+# Known good ISOs (tested working 2026-04):
+# | Distribution | Boot Param | USB FS | Status |
+# |------------|----------|---------|--------|
+# | Ubuntu Desktop | iso-scan/filename | ext4/vfat/exfat | works |
+# | Debian Live (kde/xfce) | findiso | ext4/vfat/exfat | works |
+# | Tails 7.6 | live-media=removable | ext4/vfat | works |
+# | Tails exfat ISO | live-media=removable | exfat | works |
+# | Fedora Workstation | boot=casper | ext4/vfat | works |
+# | NixOS | findiso | ext4/vfat/exfat | works |
+# | PureOS | boot=casper | ext4/vfat/exfat | works |
+#
+# Known bad ISOs (workaround: use dd or distribution tool):
+# - Debian DVD: `dd if=debian.iso of=/dev/sdX` (hybrid ISO works)
+# - Fedora Silverblue: Fedora Media Writer (anaconda, not ISO file boot)
+# - Tails on exfat USB: Use Tails exfat-support ISO instead
 set -e -o pipefail
 . /etc/functions.sh
 . /etc/gui_functions.sh
@@ -22,8 +54,8 @@ ISO_PATH="${ISO_PATH##/}"
 
 if [ -r "$ISOSIG" ]; then
 	# Signature found, verify it
-	gpgv.sh --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" \
-		|| DIE 'ISO signature failed'
+	gpgv.sh --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" ||
+		DIE 'ISO signature failed'
 	STATUS_OK "ISO signature verified"
 else
 	# No signature found, prompt user with warning
@@ -47,26 +79,168 @@ else
 fi
 
 STATUS "Mounting ISO and booting"
-mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot \
-	|| DIE '$MOUNTED_ISO_PATH: Unable to mount /boot'
+mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot ||
+	DIE '$MOUNTED_ISO_PATH: Unable to mount /boot'
 
-DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2`
-ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH img_dev=/dev/disk/by-uuid/$DEV_UUID iso-scan/filename=/${ISO_PATH} img_loop=$ISO_PATH iso=$DEV_UUID/$ISO_PATH"
+detect_iso_boot_method() {
+	local method=""
+	local found=0
+
+	for path in $(find /boot -name 'initrd*' -type f 2>/dev/null | head -5); do
+		[ -r "$path" ] || continue
+		tmpdir=$(mktemp -d)
+		/bin/bash /bin/unpack_initramfs.sh "$path" "$tmpdir" 2>/dev/null
+
+		if find "$tmpdir" -type f 2>/dev/null | xargs strings 2>/dev/null | grep -qE "iso.scan|findiso"; then
+			method="${method}iso-scan/findiso "
+			found=1
+		fi
+		if find "$tmpdir" -type f 2>/dev/null | xargs strings 2>/dev/null | grep -qE "live.media|live-media"; then
+			method="${method}live-media= "
+			found=1
+		fi
+		if find "$tmpdir" -type f 2>/dev/null | xargs strings 2>/dev/null | grep -qE "inst.stage2|inst\.stage2"; then
+			method="${method}inst.stage2= "
+			found=1
+		fi
+		if find "$tmpdir" -type f 2>/dev/null | xargs strings 2>/dev/null | grep -qE "boot.casper|live-boot|casper"; then
+			method="${method}boot=casper "
+			found=1
+		fi
+		if find "$tmpdir" -type f 2>/dev/null | xargs strings 2>/dev/null | grep -qE "nixos"; then
+			method="${method}nixos "
+			found=1
+		fi
+		rm -rf "$tmpdir"
+	done
+
+	if [ $found -eq 0 ]; then
+		return 1
+	fi
+	echo "$method"
+	return 0
+}
+
+STATUS "Detecting ISO boot method..."
+BOOT_METHODS=$(detect_iso_boot_method) || BOOT_METHODS=""
+
+if [ -n "$BOOT_METHODS" ]; then
+	STATUS_OK "Detected boot methods: $BOOT_METHODS"
+else
+	NOTE "No built-in ISO boot support in initrd; checking GRUB config..."
+
+	for cfg in $(find /boot -name '*.cfg' -type f 2>/dev/null); do
+		[ -r "$cfg" ] || continue
+		# Check for true ISO boot params
+		if grep -qE "iso.scan|findiso|live.media=|boot=casper" "$cfg" 2>/dev/null; then
+			NOTE "GRUB config found with boot parameters"
+			BOOT_METHODS="${BOOT_METHODS}grub "
+			break
+		fi
+		# inst.stage2= is anaconda-specific - does NOT support ISO file boot
+		# It requires exact USB LABEL match, which we can't provide
+		# Fedora Silverblue uses this and will fail
+		if grep -qE "inst.stage2=" "$cfg" 2>/dev/null; then
+			NOTE "WARNING: inst.stage2= found (anaconda) - not ISO file boot"
+			NOTE "This requires exact USB label match and won't work with ISO file"
+		fi
+	done
+
+	if [ -n "$BOOT_METHODS" ]; then
+		STATUS_OK "Found boot support: $BOOT_METHODS"
+	else
+		WARN "ISO may not boot from USB file: no boot support in initrd"
+		if [ -x /bin/whiptail ]; then
+			if ! whiptail_warning --title 'ISO BOOT COMPATIBILITY WARNING' --yesno \
+				"ISO boot from USB file may not work.\n\nThis ISO does not have iso-scan/findiso/live-media in its initrd - it was designed for CD/DVD or dd-to-USB.\n\nKernel parameters passed externally may not be sufficient.\n\nTry:\n- Use distribution-specific ISO (e.g., Debian hd-media)\n- Write ISO directly to USB with dd\n- Use a live USB image\n\nDo you want to proceed anyway?" \
+				0 80; then
+				DIE "ISO boot cancelled - unsupported ISO on USB file"
+			fi
+		else
+			NOTE "This ISO does not have iso-scan in initrd"
+			NOTE "Try: dd ISO to USB, or use live USB image"
+			INPUT "Proceed with boot anyway? (y/N):" -n 1 response
+			if [ "$response" != "y" ] && [ "$response" != "Y" ]; then
+				DIE "ISO boot cancelled - unsupported ISO on USB file"
+			fi
+		fi
+	fi
+fi
+
+# Detect USB stick filesystem and validate initrd supports it
+DEV_UUID=$(blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2)
+ISO_LABEL=$(blkid $MOUNTED_ISO_PATH | tr " " "\n" | grep LABEL | cut -d\" -f2 || echo "")
+[ -z "$ISO_LABEL" ] && ISO_LABEL="${ISO_PATH%.iso}"
+
+USB_FS=$(blkid $DEV | grep -oE 'TYPE="[^"]+' | cut -d'"' -f2 || echo "unknown")
+NOTE "USB stick filesystem: $USB_FS"
+
+# Check if ISO initrd supports reading from this filesystem using strings
+# (unpack_initramfs.sh may fail on some initrd formats, use strings as fallback)
+fs_supported=""
+for path in $(find /boot -name 'initrd*' -type f 2>/dev/null | grep -v '/install/' | head -3); do
+	[ -r "$path" ] || continue
+
+	# Search initrd binary directly for filesystem support
+	# This works even when cpio extraction fails
+	initrd_content=$(strings "$path" 2>/dev/null)
+
+	# Check for filesystem modules in initrd
+	has_ext4=$(echo "$initrd_content" | grep -q "ext4.ko" && echo "yes" || echo "no")
+	has_vfat=$(echo "$initrd_content" | grep -q "vfat.ko" && echo "yes" || echo "no")
+	has_exfat=$(echo "$initrd_content" | grep -q "exfat.ko" && echo "yes" || echo "no")
+	has_fuse=$(echo "$initrd_content" | grep -q "fuse.ko" && echo "yes" || echo "no")
+
+	DEBUG "ISO initrd FS support: ext4=$has_ext4 vfat=$has_vfat exfat=$has_exfat fuse=$has_fuse"
+
+	# Also check for boot quirks in initrd (not just GRUB)
+	if echo "$initrd_content" | grep -qE "findiso|live.media|boot.casper"; then
+		DEBUG "ISO initrd has boot quirk script built-in"
+	fi
+
+	# Validate USB filesystem support
+	case "$USB_FS" in
+	ext4 | ext3 | ext2)
+		[ "$has_ext4" = "yes" ] && fs_supported="yes"
+		;;
+	vfat | fat32 | fat16)
+		[ "$has_vfat" = "yes" ] && fs_supported="yes"
+		;;
+	exfat)
+		[ "$has_exfat" = "yes" ] || [ "$has_fuse" = "yes" ] && fs_supported="yes"
+		;;
+	*)
+		fs_supported="unknown"
+		;;
+	esac
+	[ -n "$fs_supported" ] && break
+done
+
+if [ "$fs_supported" != "yes" ]; then
+	WARN "ISO initrd may not support reading from $USB_FS filesystem"
+	if [ "$USB_FS" = "exfat" ]; then
+		NOTE "Tails does not include exfat support in initrd (use ext4 or vfat USB)"
+	fi
+fi
+
+INFO "Using UUID=$DEV_UUID ISO_LABEL=$ISO_LABEL for boot params"
+
+ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH img_dev=/dev/disk/by-uuid/$DEV_UUID iso-scan/filename=/${ISO_PATH} img_loop=$ISO_PATH findiso=/${ISO_PATH} boot=live boot=casper fromiso=/${ISO_PATH} isoboot=/${ISO_PATH} bootfromiso=/${ISO_PATH} archisobasedir= live-media=removable live-media=toram inst.stage2=hd:LABEL=${ISO_LABEL} inst.stage2=hd:UUID=$DEV_UUID nixos=boot-configuration nixos.backend=external nixos.system=/boot/nixos/system initrd=boot/initrdyes"
 REMOVE=""
 
 paramsdir="/media/kexec_iso/$ISO_PATH"
 check_config $paramsdir
 
 ADD_FILE=/tmp/kexec/kexec_iso_add.txt
 if [ -r $ADD_FILE ]; then
-	NEW_ADD=`cat $ADD_FILE`
+	NEW_ADD=$(cat $ADD_FILE)
 	ADD=$(eval "echo \"$NEW_ADD\"")
 fi
 DEBUG "Overriding ISO kernel arguments with additions: $ADD"
 
 REMOVE_FILE=/tmp/kexec/kexec_iso_remove.txt
 if [ -r $REMOVE_FILE ]; then
-	NEW_REMOVE=`cat $REMOVE_FILE`
+	NEW_REMOVE=$(cat $REMOVE_FILE)
 	REMOVE=$(eval "echo \"$NEW_REMOVE\"")
 fi
 DEBUG "Overriding ISO kernel arguments with suppressions: $REMOVE"