[Tails-dev] Tails for arm64 (with support for Apple Silicon)

このメッセージを削除

このメッセージに返信
著者: noisycoil
日付:  
To: Tails Dev
題目: [Tails-dev] Tails for arm64 (with support for Apple Silicon)
*** For the casual reader: please do not use this version of Tails. This is just a developer preview, it won't protect you like official releases do ***

Hey there,

During the last few weeks I've been working on porting Tails to the arm64 architecture, with the aim to ultimately being able to run Tails on Apple hardware again. If anyone is interested in a developer preview, you will find two USB images at https://mega.nz/folder/BrJFGQyR#8rsN06I_pC_YV6spqATeBA. The code is hosted at https://gitlab.tails.boum.org/noisycoil/tails in the "wip/arm64" and "wip/asahi" branches. The former enables general arm64 support, while the latter contains additional, currently non-upstreamable patches that make Tails run on Apple Silicon with M1/M2 processors (no M3 support yet). In both cases, the builds are native (you must build the arm64 version of Tails on arm64 hardware; I've been building it on Apple Silicon (Asahi Debian) and on a Raspberry Pi (Raspberry Pi OS) interchangeably).
The wip/asahi patches currently break amd64 builds due to a new entry in the APT preferences file, but this can be fixed  (I didn't do so yet because, as I said, the Asahi patches cannot be upstreamed anyway, more on this later).

Both the wip/arm64 and the wip/asahi images use GRUB for arm64 as a boot loader. For the former, this is all there is at the moment, meaning that the image can run in a VM, but may not run on hardware that needs special firmware or arrangements to make it boot. As for the latter, GRUB is all that's needed to boot on bare metal Apple Silicon (from the Tails side, that is).
For those unfamiliar with the boot process on arm64 Apple hardware, here's a quick recap. Out of the box, Apple Silicon does not support booting from external media, nor of course booting Linux. It does, however, support booting multiple macOSes from internal storage. The smart folks at Asahi Linux (https://asahilinux.org/) came up with a process to boot Linux both from internal and external storage (there may be issues with booting from large external hard drives, but this is not relevant to Tails). What they do is they install a fake macOS on the hard drive, which after a couple of intermediate steps runs the U-Boot boot loader (https://docs.u-boot.org/en/latest/), which is then able to run GRUB both from internal and from external storage. This mechanism is currently in use to run, among others, the official remix of Fedora for Apple Silicon (https://asahilinux.org/fedora/), and - except for the part where you actually have to install the boot loader and for a second small exception, see below - is 100% transparent to the user.


So how do you boot Tails on Apple Silicon?

1) Install U-Boot on your Apple Silicon Mac. This can be done using the official Asahi installer (see https://asahilinux.org/):

curl https://alx.sh | sh

The correct option, which should only require around 3GB of storage space on a separate partition, is "EFI environment only (m1n1 + U-Boot + ESP)" and, crucially, does not require you to install a fully-fledged Linux OS like Fedora. Once you do so, the U-Boot partition will be set as the default boot partition. This can be reverted at any time if you want to boot macOS by default instead (as you probably do in the context of Tails). Also, the U-Boot partition can be deleted at any moment if you don't need it anymore

2) Burn the Asahi Tails image onto a USB drive as usual

3) Plug the USB drive into your Mac. If the U-Boot partition is the default boot partition, just turn on your Mac. If it isn't, turn it on by keeping the power button pressed until it says "Entering startup options..." and then releasing it. At that point you can select the U-Boot partition (similarly, if the U-Boot partition is the default and you want to boot macOS, do the same but select the macOS partition)

4) Hit ESC when U-Boot says you can do so in order to interrupt the boot process and get dropped to a command line. Now you must tell U-Boot you want to boot from an external USB (this is the second small exception mentioned above): on the command line, execute

env set boot_efi_bootmgr
run bootcmd_usb0

This is the officially supported way to boot from an external USB drive. Maybe at some point U-Boot will support doing so without the user entering any command, but that's not possible at the moment AFAIK.

5) That's it. You're in

If you happen to already have Asahi Linux installed on your arm64 Mac, you don't need to follow Step 1 as U-Boot comes installed with the OS. Just choose your Asahi Linux boot partition in Step 3.


As for the arm64 port itself, i.e. what's in the images. Both wip/arm64 and wip/asahi are forked from feature/bookworm. The arm64 packages that are available from the official Debian repositories are installed from there (more on this later), whereas the Tails-specific packages (notably: live-boot, cryptsetup, fontconfig and network-manager) were rebuilt from source and installed manually (using config/chroot_local-packages). For this developer preview, I installed Heikki Lindholm's arm64 port of the Tor Browser (https://sourceforge.net/projects/tor-browser-ports/), the source code of which I have personally reviewed and made small contributions to (also, Heikki gave me permission to redistribute the binaries). Of course, this can never be upstreamed, but I thought it would be better to see an actual working Tor Browser in the developer preview rather than nothing. I am not aware of any other software component of Tails that is not officially available for arm64. This makes the Tor Browser the single blocker for Tails on arm64 AFAICS (more on this later).

As for the Apple Silicon port in particular, the main differences with the pure arm64 port are:

1. custom kernel and Mesa packages, which are needed for hardware support (including the GPU)

2. the asahi-scripts and m1n1 packages; the former is needed for correctly building the initramfs, while the latter is possibly useless on a live system (it deals with a stage of the boot process which happens before the squashfs is unpacked) - but I included it anyway because it may be needed in the future

3. unsigned, rather than signed, GRUB. This could be fixed if I figure out why signed GRUB does not work on Apple Silicon with the Asahi setup (I suspect this has to do with Apple Silicon not supporting UEFI variables. Incidentally, this same thing makes tails-debugging-info fail. But let's not delve into the gory details)

The Asahi kernel and Mesa packages are not offically packaged for Debian yet, so they're installed from Thomas Glanzmann's repository (Thomas gave me permission to redistribute his binaries). This is what the Debian Bananas Team (https://wiki.debian.org/Teams/Bananas) - that is, the team which is working on getting official Debian support for Apple Silicon - is currently doing. In principle I could have installed v6.1.0 of the kernel (Bookworm's), but to track the latest hardware support I installed v6.5.0 instead (Trixie's). Not installing these packages from the official Debian repositories is, I believe, the single serious blocker for Tails on arm64 Macs (plus the Tor Browser).
As for asahi-scripts and m1n1, these are already in the Debian testing and unstable repositories. I'm installing them from the latter, since the unstable source is already enabled on Tails.
Notably, audio is disabled for this developer preview (v6.5.0 would actually support the M1 MacBook Air speakers, while v6.6.0 would support most of the M1/M2 series speakers).


Finally, as to how I'm building the images:

1. since the Tails mirrors do not support the arm64 architecture, I hijacked my own internal DNS resolution to point back to the official Debian repositories. To do so, I patched a couple of points in the code where GPG keys are actually verified, configured a web server to correctly redirect stuff  and pointed the DNS to that webserver using /etc/hosts and the systemd-resolved stub resolver (I'm willing to share more on this if anyone is interested in actually building the images). This of course is a temporary patch that can be immediately reverted if Tails starts to mirror arm64 packages. Note that this implies that the wip/arm64 and wip/asahi branches won't build (not even on amd64!) without properly hijacking your DNS!

2. I had to fork tails/live-build (and use my fork as a submodule) in order to add a single small patch that teaches it how to deal with one single default configuration on arm64. There are multiple ways in which this can be reverted

3. more generally, I added a number of temporary patches which cannot be upstreamed for various reasons, but which can be reverted under appropriate conditions. All of them are marked as "Temporary:" in their commit messages, and the conditions under which they can be reverted are clearly stated. In the wip/arm64 branch, the only temporary patch which is not under Tails's control (i.e. whose removal does not depend on actions taken by the Tails project) is the inclusion of Heikki's build of the Tor Browser. This is what I meant before by "This makes the Tor Browser the single blocker for Tails on arm64".
As for wip/asahi, most of the contents of the additional commit are temporary anyways (again, the kernel and Mesa package are not officially packaged yet by Debian), so the "Temporary:" label would have been an understatement. Asahi Tails (i.e. Tails on Apple Silicon Macs) can only be a thing if Debian puts out an official linux-image-asahi (possibly with proper backports, given the nature of Debian) and something like a mesa-asahi set of packages. This is, until the Asahi changes are merged into their respective upstreams

4. I'm following the current procedure of "first build the ISO and then convert to USB image" in order to keep the code as close as possible to feature/bookworm. The ISO is unbootable (UEFI does not boot ISO 9660 file systems), but the USB image works. Eventualy, one can just try to build the USB image directly


There are tons of other details about the build process and contents of the image I could share (e.g., off the top of my head, Tails cloner does not work on arm64 because it doesn't find some syslinux/mbr files which are intentionally not there anymore) and I'm already probably forgetting important stuff, but I think this email is already long enough, so if anybody is interested feel free to ping me. The reason why I made this port is first, for fun. But then also, to provide a PoC that Tails can already run on Apple Silicon machines and that with some effort from various projects (Tails in providing arm64 mirrors and packages, Tor in finally providing an official arm64 release of the Tor Browser, Debian in packaging the Asahi kernel and Mesa libraries - until the Asahi changes get merged upstream), bringing Tails back to Apple machines, and bringing it for the first time to arm64 hardware, is just around the corner.


Best,

NoisyCoil


P.S.: This is the first time I put my hands on the Tails codebase, so it may very well be that I got caught in some obvious gotchas. Also, I am not affiliated with the Asah Linux project, the Debian Bananas Team (or the Debian project at large), the Tor project, or any other organization mentioned above.