Re: [Tails-dev] allow read only usb images

Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] allow read only usb images
Elmar Stellnberger:
> My security infrastructure has suffered a significant setback since
> you have decided to separate usb and cd images. I need a read only
> image that can be booted from a read only usb stick or in my case
> from a read-only sdcard used with an sdcard reader that supports
> write protection.

I believe you have misunderstood the implications of the USB image. First of all, let me clarify that there just isn't anything like a "read-only image". An image is just the raw data intended to be written directly to a disk, with a valid partition table, file systems with files or even a complete operating system etc. So I am guessing that what you meant by "read-only" is that the resulting Tails installation should treat the media it is installed on as read-only, and I'm happy to tell you that that is still the case no matter how you install Tails.

Whatever Tails does for write protection (i.e. considering some storage media as "read-only") is done purely in software, so it is just a root exploit away from being bypassed. In fact, the main reason Tails does it is not for security, but to support being able to run from read-only media like a DVD (Tails was originally CD only :)). And if your SD card simply refuses to abide by writes on a physical level (ignoring signals sent via the card writer) there is no way to override and make the compromise persist.

So as long as Tails boots on your read-only SD-card you are safe against persistent threats on that particular media (let's just hope They don't compromise your computer's BIOS or some firmware instead :)).

Cheers!