Re: [Tails-dev] Tails - UEFI Secure Boot

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: JD0x
CC: The Tails public development discussion list
Oggetto: Re: [Tails-dev] Tails - UEFI Secure Boot
Hi,

JD0x:
> First off, I’d like to give big thanks to the Tails maintainers and community.. truly
> an amazing distribution.


Thanks! :)

> I’ve lurked and used the OS for some time now and I would
> like to inquire on the current status of UEFI secure boot with Tails. Working in
> security space I get people ask me what to use for privacy & privacy, however,
> I believe UEFI Secure Boot is a big pain point for adoption as disabling Secure Boot
> in BIOS is difficult for the average person.


Fully agreed.

Next step is to implement https://labs.riseup.net/code/issues/15292
which is the first blocker (if we don't support Secure Boot for all
USB installation methods we support the UX stumbling block remains for
initial installation). We have submitted a grant proposal that, if
accepted, will allow us to make #15292 happen by the end of the year.

Once this is done adding support for Secure Boot should be doable.

> Am willing to contribute time if it would help get this fixed.


This would be amazing! Indeed, last time I checked, GRUB2 + Shim
seemed to be the way to go. This won't give fully verified boot until
Debian's Linux kernel is signed but that'll at least address the
UX problem.

Suggestions if you want to start working on this before #15292 is
done:

- https://tails.boum.org/contribute/how/code/
- update the blueprint to include this update
- look into replacing isolinux/syslinux for all installation methods
(starting point: https://labs.riseup.net/code/issues/12440)
- check the status of GRUB2 + Shim in Debian
- look at how other live distros handle this problem

Cheers,
--
intrigeri