diff --git a/Containerfile b/Containerfile index 155c807..1b02cdc 100644 --- a/Containerfile +++ b/Containerfile @@ -179,6 +179,28 @@ RUN <<-EOF iso/ EOF +# Need sfdisk from util-linux +COPY --from=util-linux . . +RUN <<-EOF + set -eux + # Increase the size of the ISO by 512 MB to create space for the third partition + dd if=/dev/zero bs=1M count=512 >> airgap.iso + + # Append a new partition that uses the additional space + echo ", +" | sfdisk --append airgap.iso + + # Set the newly added third partition to FAT32 + sfdisk --part-type airgap.iso 3 b + + # Calculate the byte offset of the third partition + # This is done by finding the end of the first partition using fdisk, adding 1 sector, + # and multiplying by 512 (since each sector is 512 bytes). + OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}') + + # Format the third partition as FAT32 and label it 'USER' + mformat -v USER -i airgap.iso@@$OFFSET :: +EOF + ## Minimal Autorun SD card image COPY sdcard sdcard RUN <<-EOF diff --git a/Makefile b/Makefile index 4c573cd..bf3948e 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,9 @@ vm-bios: out/airgap.iso -usbdevice tablet \ -drive id=external,if=none,format=raw,file=out/sdcard.img \ -display gtk,show-menubar=off,zoom-to-fit=on \ - -cdrom "out/airgap.iso" + -device usb-storage,drive=usbdrive \ + -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \ + -boot order=c .PHONY: vm-efi vm-efi: out/airgap.iso @@ -70,7 +72,9 @@ vm-efi: out/airgap.iso -usbdevice tablet \ -drive id=external,if=none,format=raw,file=out/sdcard.img \ -display gtk,show-menubar=off,zoom-to-fit=on \ - -cdrom "out/airgap.iso" + -device usb-storage,drive=usbdrive \ + -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \ + -boot order=c ## Signing, Verification, and Release Targets diff --git a/rootfs/usr/local/bin/autorun b/rootfs/usr/local/bin/autorun index 89a8db2..c811d6a 100755 --- a/rootfs/usr/local/bin/autorun +++ b/rootfs/usr/local/bin/autorun 
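Review bot: `OFFSET` is derived from the end of partition 1 instead of from partition 3's own start, and nothing checks that the awk match produced a value. `$4` is the End sector only when fdisk prints a boot flag for `airgap.iso1`, and if the pattern matches nothing the pipeline still succeeds under `set -eux` (no pipefail), so mformat would run with an empty offset. Reading partition 3's start from `sfdisk --dump airgap.iso` and writing the last step as `mformat -v USER -i "airgap.iso@@${OFFSET:?}" ::` would fail the build instead of formatting at the wrong place. If the ISO is meant to be bit-for-bit reproducible for signing, note that mformat generates its own volume serial unless one is fixed with `-N`. The comment also promises FAT32, but without `-F` mformat presumably picks the FAT size from the volume size, so that is worth confirming.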
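Review bot: Attaching `out/airgap.iso` with `-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso` makes the build artifact writable by the guest, where the removed `-cdrom` attached it read-only; this applies to both the `vm-bios` and the `vm-efi` hunks. A test boot can then alter the image that the signing and verification targets further down operate on. It also means the new read-only probe in `autorun` sees a different device state than before. Adding `snapshot=on` to that `-drive` line, i.e. `-drive id=usbdrive,if=none,format=raw,snapshot=on,file=out/airgap.iso \`, keeps guest writes out of the file. Both recipes start outside their hunks.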
@@ -4,7 +4,17 @@ source /etc/profile folder=${1?} -if [ -f "${folder}/autorun.sh.asc" ]; then +if [ "$folder" == "/media/USER" ] && [ -f "${folder}/autorun.sh" ]; then + if touch "${folder}/.write_test" 2>/dev/null; then + echo "!! Autorun: Read-only verification failed for /media/USER" >/dev/console + exit 1; + else + echo "" >/dev/console + echo "++ Autorun: Found /media/USER/autorun.sh" >/dev/console; + echo "** Autorun: Executing /media/USER/autorun.sh" >/dev/console + /bin/bash "/media/USER/autorun.sh" >/dev/console + fi +elif [ -f "${folder}/autorun.sh.asc" ]; then echo "" >/dev/console echo "++ Autorun: Found ${folder}/autorun.sh" >/dev/console; gpg --verify "${folder}/autorun.sh.asc" >/dev/null 2>&1 || {
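Review bot: The new `/media/USER` branch runs `autorun.sh` with no `gpg --verify`, so its only gate is the `touch` probe. A failed `touch` does not establish that the mount is read-only, since a full filesystem or a permission error fails the same way, and it says nothing about who wrote the script. Whoever can write the USER partition on another machine gets their script executed on the air-gapped host; if that is the intended trust model, a comment above the branch should say so, otherwise require `autorun.sh.asc` here as the `elif` path does. For the read-only check, test the mount flags instead, e.g. `grep -qE '^[^ ]+ /media/USER [^ ]+ ro(,| )' /proc/mounts`, which also avoids leaving `.write_test` behind on a writable stick. The `if`/`elif` chain continues past the end of the hunk.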