Discussion:
Tails - UEFI Secure Boot
JD0x
2018-01-31 22:00:04 UTC
Hello,

First off, I’d like to give big thanks to the Tails maintainers and community. Truly an amazing distribution. I’ve lurked and used the OS for some time now and I would like to inquire on the current status of UEFI secure boot with Tails. Working in the security space, I get people asking me what to use for privacy & privacy, however, I believe UEFI Secure Boot is a big pain point for adoption as disabling Secure Boot in BIOS is difficult for the average person.

I have seen resources online that successfully patch this using Shim + Grub2 and would like to understand the current status of this feature. Am willing to contribute time if it would help get this fixed.

https://labs.riseup.net/code/issues/6560

Last status from intri over 3 years ago:
"Honestly, the blueprint is just a compilation of bookmarks we've collected in the last few years. We have no plan, no idea which one of the various main paths we'll pick, and nobody is actively working on it, nor has plans to do so. So, I don't think "In progress" reflects correctly the real state of this task, and I'd rather not see this indication discourage anyone from tackling it. (Oh, and next time you'll triage the "In progress without assignee" tickets, it would pop up on your radar again ;)"

Thanks

intrigeri
2018-02-13 13:23:52 UTC
Hi,
Post by JD0x
> First off, I’d like to give big thanks to the Tails maintainers and community. Truly
> an amazing distribution.

Thanks! :)

Post by JD0x
> I’ve lurked and used the OS for some time now and I would
> like to inquire on the current status of UEFI secure boot with Tails. Working in
> the security space, I get people asking me what to use for privacy & privacy, however,
> I believe UEFI Secure Boot is a big pain point for adoption as disabling Secure Boot
> in BIOS is difficult for the average person.

Fully agreed.

Next step is to implement https://labs.riseup.net/code/issues/15292
which is the first blocker (if we don't support Secure Boot for all
USB installation methods we support the UX stumbling block remains for
initial installation). We have submitted a grant proposal that, if
accepted, will allow us to make #15292 happen by the end of the year.

Once this is done adding support for Secure Boot should be doable.

Post by JD0x
> Am willing to contribute time if it would help get this fixed.

This would be amazing! Indeed, last time I checked, GRUB2 + Shim
seemed to be the way to go. This won't give fully verified boot until
Debian's Linux kernel is signed but that'll at least address the
UX problem.

Suggestions if you want to start working on this before #15292 is
done:

- https://tails.boum.org/contribute/how/code/
- update the blueprint to include this update
- look into replacing isolinux/syslinux for all installation methods
  (starting point: https://labs.riseup.net/code/issues/12440)
- check the status of GRUB2 + Shim in Debian
- look at how other live distros handle this problem

Cheers,
--
intrigeri