Re: [Tails-dev] [Tails-ux] TAILS Secure Boot Support

Delete this message

Reply to this message
Autor: sajolida
Data:  
A: Pavel Penev, The Tails public development discussion list
Assumpte: Re: [Tails-dev] [Tails-ux] TAILS Secure Boot Support
Pavel Penev:
> Hi, UX helpers.


Hi Pavel!

> I'd like to see if there's some interest in adding Secure Boot support
> for TAILS.


We're definitely interested in having Secure Boot working as right now
it's one of the major pain point when people try to get started with
Tails on PC.

Our plan is to wait until Debian 10 (Buster) which will likely have
support for Secure Boot.

See https://labs.riseup.net/code/issues/6560#note-9.

> I'm not sure this is the right list, but, hopefully, you can
> direct me the right way.


I think that tails-dev@??? would be more suited for this
discussion. I'm answering there since you mentioned this Ubuntu
technique that might be relevant to our developers.

> There's a blog post with a description of how to patch a TAILS USB stick
> to run on a Secure Boot machine from Ubuntu:
>
> http://pav-computer-notes.blogspot.com/2017/10/patching-tails-usb-stick-for-uefi.html
>
> What's described there may not be sufficient for TAILS, since it doesn't
> protect against malicious modifications of what's on the USB device. 
> (Proper protection would require a private TAILS key for signing kernel,
> initrd and module images, and a corresponding public key that's signed
> by a well-known authority.)  However, it may be, arguably, better than
> requiring a user to disable a machine's Secure Boot in order to run
> TAILS on it.
>
> If that's not helpful, hopefully, you can direct me to what current
> problems stand in the way of getting that feature.


Cool, thanks for writing this and letting us know!

I'll let our developers have a look and see if such a technique could be
implemented in Tails before Debian 10 (Buster) scheduled for mid-2019.

--
sajolida