Re: [Tails-dev] [Tails-project] boot tails iso with grub

Delete this message

Reply to this message
Author: linux-service
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [Tails-project] boot tails iso with grub
I am just putting the iso on our server (now  wget
https://www.ubuntushop.be/tails.iso
) because of the iso version numbering.

I am no expert, i am looking for a wget command for downloading always
the late st iso from tails.

than renaming it to tails.iso

Booting tails.iso live from hd with grub, with loopback and toram, the
internal hard drive is not mounted.

gd

Op 11/01/19 om 20:00 schreef intrigeri:
> Hi,
>
> sorry for the delay…
>
> linux-service:
>> More and more business customers ask to disable usb on their notebooks
>> for security, so we have no option other than work with grub and iso.
> Got it, thanks. Please disregard my question about "blocked USB ports"
> on the other, private discussion. I assume they also ask you to disable
> any micro SD slot the laptops might have, right?
>
> I understand that if we supported installing Tails on the hard drive,
> this would satisfy your needs. We're very close to removing one
> major blocker for this (incidentally, thanks to the USB image project).
> I'm not sure how much initial work and maintenance it would take
> to fully support this use case. I would be happy to take a look
> if we knew this work could be funded ;)
>
>> We working with iso's:
>> menuentry "tails" {
>>     set isofile="/iso/tails.iso"
>>     loopback loop $isofile
>> set root=(loop)
>>     linux (loop)/live/vmlinuz boot=live iso-scan/filename=${isofile}
>> findiso=${isofile} apparmor=1 nopersistence noprompt timezone=Etc/UTC
>> block.events_dfl_poll_msecs=1000 splash noautologin module=Tails
>> slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1
>> union=aufs  quiet toram
>>     initrd (loop)/live/initrd.img
>> }
> I see that you're removing live-media=removable, as expected. As said
> before, this implies full trust in the internal hard drive, which is
> something the users might not be expecting when using Tails. I'm not
> sure how best this should be dealt with. I think this needs a little
> bit of UX design.
>
>> We have created a bash script with gksu or pkexec for the user for
>> updating their tails iso :
>> #!/bin/bash
>> cd /iso
>> gksu -- bash -c 'xterm -e "rm tails.iso; wget
>> http://95.211.190.99/astick1804/tails.iso"'
> This upgrade method is significantly weaker than the initial
> installation and upgrade paths we document and support:
>
>   - Due to the use of cleartext HTTP and no verification, it's
>     vulnerable to an active MitM attacker.

>
>   - No verification is done, while all our supported installation and
>     upgrade methods verify at the very least checksums served over
>     HTTPS from our own website (which is trusted in our thread model).

>
> Do you make this clear to your users in any way?
>
> I'm worried they could be assuming "it's Tails, thus it's safe"
> while running code that does not meet our standards. This could
> harm them and the Tails "brand".
>
> Instead of trying to communicate about this weakness to users, I think
> the best way is to:
>
>   - Either let them follow the Tails official documentation for
>     downloading, which gives you verification for free. It works at
>     least in Chrome and Firefox. And them have them use your script for
>     installing the upgrade.

>
>   - Or add verification to your upgrade script. The best way to do that
>     will change soon and the corresponding design doc will be updated
>     on our website on Jan 29. Meanwhile, check out this file, that's
>     used by our "Tails Verification" browser extension to verify the
>     ISO image downloaded from untrusted sources:
>     https://tails.boum.org/install/v2/Tails/amd64/stable/latest.json

>
>> We have also a script for updating grub's 40_custom.
> Good :)
>
>> I am donating to tails per sold computer.
> Thanks!
>
> Finally, I'm still interested in your answers to these questions of
> mine:
>
>> Op 31/10/18 om 11:06 schreef intrigeri:
>>>    - Do you communicate to your clients, somehow, that the way you're
>>>      installing this Tails system is unsupported by the Tails project
>>>      and the resulting system may behave differently than a "real" Tails?

>>>
>>>    - The Tails user experience relies more and more on our opt-in
>>>      persistence feature. While we still support read-only Tails, be
>>>      aware that you're shipping a flavour of Tails with a restricted
>>>      feature set. It would be nice to communicate this to your users
>>>      and point them to our doc about installing a full-blown Tails :)
> Cheers,