Discussion:
[Tails-dev] [Tails-ux] TAILS Secure Boot Support
sajolida
2018-11-04 04:20:00 UTC
Permalink
Hi, UX helpers.
Hi Pavel!
I'd like to see if there's some interest in adding Secure Boot support
for TAILS.
We're definitely interested in having Secure Boot working as right now
it's one of the major pain point when people try to get started with
Tails on PC.

Our plan is to wait until Debian 10 (Buster) which will likely have
support for Secure Boot.

See https://labs.riseup.net/code/issues/6560#note-9.
I'm not sure this is the right list, but, hopefully, you can
direct me the right way.
I think that tails-***@boum.org would be more suited for this
discussion. I'm answering there since you mentioned this Ubuntu
technique that might be relevant to our developers.
There's a blog post with a description of how to patch a TAILS USB stick
http://pav-computer-notes.blogspot.com/2017/10/patching-tails-usb-stick-for-uefi.html
What's described there may not be sufficient for TAILS, since it doesn't
protect against malicious modifications of what's on the USB device. 
(Proper protection would require a private TAILS key for signing kernel,
initrd and module images, and a corresponding public key that's signed
by a well-known authority.)  However, it may be, arguably, better than
requiring a user to disable a machine's Secure Boot in order to run
TAILS on it.
If that's not helpful, hopefully, you can direct me to what current
problems stand in the way of getting that feature.
Cool, thanks for writing this and letting us know!

I'll let our developers have a look and see if such a technique could be
implemented in Tails before Debian 10 (Buster) scheduled for mid-2019.
--
sajolida
Pavel Penev
2018-11-04 17:20:03 UTC
Permalink
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by sajolida
Hi, UX helpers.
Hi Pavel!
I'd like to see if there's some interest in adding Secure Boot support
for TAILS.
We're definitely interested in having Secure Boot working as right now
it's one of the major pain point when people try to get started with
Tails on PC.
Our plan is to wait until Debian 10 (Buster) which will likely have
support for Secure Boot.
See https://labs.riseup.net/code/issues/6560#note-9.
I'm not sure this is the right list, but, hopefully, you can
direct me the right way.
discussion. I'm answering there since you mentioned this Ubuntu
technique that might be relevant to our developers.
There's a blog post with a description of how to patch a TAILS USB stick
http://pav-computer-notes.blogspot.com/2017/10/patching-tails-usb-stick-for-uefi.html
What's described there may not be sufficient for TAILS, since it doesn't
protect against malicious modifications of what's on the USB device. 
(Proper protection would require a private TAILS key for signing kernel,
initrd and module images, and a corresponding public key that's signed
by a well-known authority.)  However, it may be, arguably, better than
requiring a user to disable a machine's Secure Boot in order to run
TAILS on it.
If that's not helpful, hopefully, you can direct me to what current
problems stand in the way of getting that feature.
Cool, thanks for writing this and letting us know!
I'll let our developers have a look and see if such a technique could be
implemented in Tails before Debian 10 (Buster) scheduled for mid-2019.
Thanks, Sajolida!

I'm not subscribed to these lists, so I'm not sure I'll see the replies there, but, hopefully, people will by copying me, as well.
--
P
intrigeri
2018-11-05 09:34:36 UTC
Permalink
Hi,
Post by sajolida
I'll let our developers have a look and see if such a technique could be
implemented in Tails before Debian 10 (Buster) scheduled for mid-2019.
Thanks for caring.

This technique is basically what we're going to do when we add Secure
Boot support. In theory one could probably implement it this right
now. Having to use the signed shim and GRUB2 packages from Buster,
while we build in a Stretch environment, may make it a little bit more
challenging than waiting until Tails is based on Buster but I doubt
that would be a serious blocker. All in all, I suspect the hardest
part is not really the Secure Boot part, it's distributing an USB
image (#15292) and then migrating to GRUB2 (#15806).

So your question boils down to "can we do it earlier than planned?".
Our Foundations Team is plenty busy with other matters in 2018Q4 and
2019Q1. If the community thinks we should postpone some of this
planned work in order to tackle GRUB2 and Secure Boot earlier, please
let us know.

Now, if anyone else wants to work on this earlier, I'll be more than
happy to review your work :)

Cheers,
--
intrigeri
Continue reading on narkive:
Loading...