Re: [Tails-project] boot tails iso with grub

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: linux-service
CC: The Tails public development discussion list
Alte Treads: [Tails-project] boot tails iso with grub
Betreff: Re: [Tails-project] boot tails iso with grub
Hi!

Meta: redirecting from tails-project@ to our development mailing list
and taking over from our Help Desk who, understandably, cannot handle
this further than "this is not supported, sorry" :)

linux-service:
> We are selling opensource computers and install default a system where a
> tails iso on the harddrive is booted with grub2 toram.


Interesting! There are a number of concerns with this approach but I'd
like to help you do this in a way that's reasonably safe for your
clients and does not cause us too much additional work.

> The hdd(s) are not mounted. Is this way of booting tails equal secure as
> booting from usb or dvd?


There are a few concerns about this approach, some of them tackle
your question:

- How do you force live-boot to start from an internal drive?
I assume you need to remove live-media=removable, no?
Note that doing this implies full trust in the internal hard drive,
which is not something the users may expect when using Tails.

- Do you communicate to your clients, somehow, that the way you're
installing this Tails system is unsupported by the Tails project
and the resulting system may behave differently than a "real" Tails?

- How do you keep the kernel command line up-to-date? Assuming you
hard-code it in the GRUB configuration, please be aware that we
sometimes change it. I'm worried your GRUB config and what the
installed ISO expects might get de-synchronized over time.

- How do handle upgrades? I'm worried that your clients are left
with an obsolete Tails and no documented way to upgrade it.

- We'll soon stop supporting the ISO image except for DVDs and
virtual machines (https://labs.riseup.net/code/issues/15292).
Probably not a big deal for you in terms of initial installation,
but this will make upgrades even harder for your clients. And an
important upcoming security improvement (persistent RNG seed) will
only work when Tails is installed on a USB stick.

- The Tails user experience relies more and more on our opt-in
persistence feature. While we still support read-only Tails, be
aware that you're shipping a flavour of Tails with a restricted
feature set. It would be nice to communicate this to your users
and point them to our doc about installing a full-blown Tails :)

Cheers,
--
intrigeri