Re: [Tails-dev] Tails for arm64 (with support for Apple Sili…

Delete this message

Reply to this message
Autore: n9iu7pk
Data:  
To: The Tails public development discussion list
Oggetto: Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)
Hi NoisyColi,

what a great work! That's the missing link! I tried that a couple of
years ago, struggled on knowledge, missing platforms like M1/M2 and
ARM's missing common boot process (might be less painful with EFI). And
re-started last year as I learned from the Asahi project.

>                                                     ... This makes the 
> Tor Browser
> the single blocker for Tails on arm64 AFAICS (more on this later).

One of my first steps years ago was to build the Tor Browser from the
official repo and run it on a RPI (wasn't arm64, I guess armhf), hope I
can find my old stuff somewhere.

However, I hope that I can support you in some way. Thanks for sharing
your work, keep on!

All the best!
n9iu7pk

Am 20.01.2024 16:43 schrieb NoisyCoil via Tails-dev:
> *** For the casual reader: please do not use this version of Tails.
> This is just a developer preview, it won't protect you like official
> releases do ***
>
> Hey there,
>
> During the last few weeks I've been working on porting Tails to the
> arm64 architecture, with the aim to ultimately being able to run Tails
> on Apple hardware again. If anyone is interested in a developer
> preview, you will find two USB images at
> https://mega.nz/folder/BrJFGQyR#8rsN06I_pC_YV6spqATeBA. The code is
> hosted at https://gitlab.tails.boum.org/noisycoil/tails in the
> "wip/arm64" and "wip/asahi" branches. The former enables general arm64
> support, while the latter contains additional, currently
> non-upstreamable patches that make Tails run on Apple Silicon with
> M1/M2 processors (no M3 support yet). In both cases, the builds are
> native (you must build the arm64 version of Tails on arm64 hardware;
> I've been building it on Apple Silicon (Asahi Debian) and on a
> Raspberry Pi (Raspberry Pi OS) interchangeably).
> The wip/asahi patches currently break amd64 builds due to a new entry
> in the APT preferences file, but this can be fixed  (I didn't do so
> yet because, as I said, the Asahi patches cannot be upstreamed anyway,
> more on this later).
>
> Both the wip/arm64 and the wip/asahi images use GRUB for arm64 as a
> boot loader. For the former, this is all there is at the moment,
> meaning that the image can run in a VM, but may not run on hardware
> that needs special firmware or arrangements to make it boot. As for
> the latter, GRUB is all that's needed to boot on bare metal Apple
> Silicon (from the Tails side, that is).
> For those unfamiliar with the boot process on arm64 Apple hardware,
> here's a quick recap. Out of the box, Apple Silicon does not support
> booting from external media, nor of course booting Linux. It does,
> however, support booting multiple macOSes from internal storage. The
> smart folks at Asahi Linux (https://asahilinux.org/) came up with a
> process to boot Linux both from internal and external storage (there
> may be issues with booting from large external hard drives, but this
> is not relevant to Tails). What they do is they install a fake macOS
> on the hard drive, which after a couple of intermediate steps runs the
> U-Boot boot loader (https://docs.u-boot.org/en/latest/), which is then
> able to run GRUB both from internal and from external storage. This
> mechanism is currently in use to run, among others, the official remix
> of Fedora for Apple Silicon (https://asahilinux.org/fedora/), and -
> except for the part where you actually have to install the boot loader
> and for a second small exception, see below - is 100% transparent to
> the user.
>
>
> So how do you boot Tails on Apple Silicon?
>
> 1) Install U-Boot on your Apple Silicon Mac. This can be done using
> the official Asahi installer (see https://asahilinux.org/):
>
> curl https://alx.sh | sh
>
> The correct option, which should only require around 3GB of storage
> space on a separate partition, is "EFI environment only (m1n1 + U-Boot
> + ESP)" and, crucially, does not require you to install a
> fully-fledged Linux OS like Fedora. Once you do so, the U-Boot
> partition will be set as the default boot partition. This can be
> reverted at any time if you want to boot macOS by default instead (as
> you probably do in the context of Tails). Also, the U-Boot partition
> can be deleted at any moment if you don't need it anymore
>
> 2) Burn the Asahi Tails image onto a USB drive as usual
>
> 3) Plug the USB drive into your Mac. If the U-Boot partition is the
> default boot partition, just turn on your Mac. If it isn't, turn it on
> by keeping the power button pressed until it says "Entering startup
> options..." and then releasing it. At that point you can select the
> U-Boot partition (similarly, if the U-Boot partition is the default
> and you want to boot macOS, do the same but select the macOS
> partition)
>
> 4) Hit ESC when U-Boot says you can do so in order to interrupt the
> boot process and get dropped to a command line. Now you must tell
> U-Boot you want to boot from an external USB (this is the second small
> exception mentioned above): on the command line, execute
>
> env set boot_efi_bootmgr
> run bootcmd_usb0
>
> This is the officially supported way to boot from an external USB
> drive. Maybe at some point U-Boot will support doing so without the
> user entering any command, but that's not possible at the moment
> AFAIK.
>
> 5) That's it. You're in
>
> If you happen to already have Asahi Linux installed on your arm64 Mac,
> you don't need to follow Step 1 as U-Boot comes installed with the OS.
> Just choose your Asahi Linux boot partition in Step 3.
>
>
> As for the arm64 port itself, i.e. what's in the images. Both
> wip/arm64 and wip/asahi are forked from feature/bookworm. The arm64
> packages that are available from the official Debian repositories are
> installed from there (more on this later), whereas the Tails-specific
> packages (notably: live-boot, cryptsetup, fontconfig and
> network-manager) were rebuilt from source and installed manually
> (using config/chroot_local-packages). For this developer preview, I
> installed Heikki Lindholm's arm64 port of the Tor Browser
> (https://sourceforge.net/projects/tor-browser-ports/), the source code
> of which I have personally reviewed and made small contributions to
> (also, Heikki gave me permission to redistribute the binaries). Of
> course, this can never be upstreamed, but I thought it would be better
> to see an actual working Tor Browser in the developer preview rather
> than nothing. I am not aware of any other software component of Tails
> that is not officially available for arm64. This makes the Tor Browser
> the single blocker for Tails on arm64 AFAICS (more on this later).
>
> As for the Apple Silicon port in particular, the main differences with
> the pure arm64 port are:
>
> 1. custom kernel and Mesa packages, which are needed for hardware
> support (including the GPU)
>
> 2. the asahi-scripts and m1n1 packages; the former is needed for
> correctly building the initramfs, while the latter is possibly useless
> on a live system (it deals with a stage of the boot process which
> happens before the squashfs is unpacked) - but I included it anyway
> because it may be needed in the future
>
> 3. unsigned, rather than signed, GRUB. This could be fixed if I figure
> out why signed GRUB does not work on Apple Silicon with the Asahi
> setup (I suspect this has to do with Apple Silicon not supporting UEFI
> variables. Incidentally, this same thing makes tails-debugging-info
> fail. But let's not delve into the gory details)
>
> The Asahi kernel and Mesa packages are not offically packaged for
> Debian yet, so they're installed from Thomas Glanzmann's repository
> (Thomas gave me permission to redistribute his binaries). This is what
> the Debian Bananas Team (https://wiki.debian.org/Teams/Bananas) - that
> is, the team which is working on getting official Debian support for
> Apple Silicon - is currently doing. In principle I could have
> installed v6.1.0 of the kernel (Bookworm's), but to track the latest
> hardware support I installed v6.5.0 instead (Trixie's). Not installing
> these packages from the official Debian repositories is, I believe,
> the single serious blocker for Tails on arm64 Macs (plus the Tor
> Browser).
> As for asahi-scripts and m1n1, these are already in the Debian testing
> and unstable repositories. I'm installing them from the latter, since
> the unstable source is already enabled on Tails.
> Notably, audio is disabled for this developer preview (v6.5.0 would
> actually support the M1 MacBook Air speakers, while v6.6.0 would
> support most of the M1/M2 series speakers).
>
>
> Finally, as to how I'm building the images:
>
> 1. since the Tails mirrors do not support the arm64 architecture, I
> hijacked my own internal DNS resolution to point back to the official
> Debian repositories. To do so, I patched a couple of points in the
> code where GPG keys are actually verified, configured a web server to
> correctly redirect stuff  and pointed the DNS to that webserver using
> /etc/hosts and the systemd-resolved stub resolver (I'm willing to
> share more on this if anyone is interested in actually building the
> images). This of course is a temporary patch that can be immediately
> reverted if Tails starts to mirror arm64 packages. Note that this
> implies that the wip/arm64 and wip/asahi branches won't build (not
> even on amd64!) without properly hijacking your DNS!
>
> 2. I had to fork tails/live-build (and use my fork as a submodule) in
> order to add a single small patch that teaches it how to deal with one
> single default configuration on arm64. There are multiple ways in
> which this can be reverted
>
> 3. more generally, I added a number of temporary patches which cannot
> be upstreamed for various reasons, but which can be reverted under
> appropriate conditions. All of them are marked as "Temporary:" in
> their commit messages, and the conditions under which they can be
> reverted are clearly stated. In the wip/arm64 branch, the only
> temporary patch which is not under Tails's control (i.e. whose removal
> does not depend on actions taken by the Tails project) is the
> inclusion of Heikki's build of the Tor Browser. This is what I meant
> before by "This makes the Tor Browser the single blocker for Tails on
> arm64".
> As for wip/asahi, most of the contents of the additional commit are
> temporary anyways (again, the kernel and Mesa package are not
> officially packaged yet by Debian), so the "Temporary:" label would
> have been an understatement. Asahi Tails (i.e. Tails on Apple Silicon
> Macs) can only be a thing if Debian puts out an official
> linux-image-asahi (possibly with proper backports, given the nature of
> Debian) and something like a mesa-asahi set of packages. This is,
> until the Asahi changes are merged into their respective upstreams
>
> 4. I'm following the current procedure of "first build the ISO and
> then convert to USB image" in order to keep the code as close as
> possible to feature/bookworm. The ISO is unbootable (UEFI does not
> boot ISO 9660 file systems), but the USB image works. Eventualy, one
> can just try to build the USB image directly
>
>
> There are tons of other details about the build process and contents
> of the image I could share (e.g., off the top of my head, Tails cloner
> does not work on arm64 because it doesn't find some syslinux/mbr files
> which are intentionally not there anymore) and I'm already probably
> forgetting important stuff, but I think this email is already long
> enough, so if anybody is interested feel free to ping me. The reason
> why I made this port is first, for fun. But then also, to provide a
> PoC that Tails can already run on Apple Silicon machines and that with
> some effort from various projects (Tails in providing arm64 mirrors
> and packages, Tor in finally providing an official arm64 release of
> the Tor Browser, Debian in packaging the Asahi kernel and Mesa
> libraries - until the Asahi changes get merged upstream), bringing
> Tails back to Apple machines, and bringing it for the first time to
> arm64 hardware, is just around the corner.
>
>
> Best,
>
> NoisyCoil
>
>
> P.S.: This is the first time I put my hands on the Tails codebase, so
> it may very well be that I got caught in some obvious gotchas. Also, I
> am not affiliated with the Asah Linux project, the Debian Bananas Team
> (or the Debian project at large), the Tor project, or any other
> organization mentioned above.
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.