Re: [Tails-dev] Tails for arm64 (with support for Apple Sili…

Supprimer ce message

Répondre à ce message
Auteur: n9iu7pk
Date:  
À: The Tails public development discussion list
Sujet: Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)
Hi NoisyCoil,

>                                                      ... This makes the 
> Tor Browser
> the single blocker for Tails on arm64 AFAICS (more on this later).

that helped me years ago to get Tor Browser running on a rpi ->
https://gitlab.torproject.org/legacy/trac/-/issues/12631

Best Regards
n9iu7pk

Am 20.01.2024 16:43 schrieb NoisyCoil via Tails-dev:
> *** For the casual reader: please do not use this version of Tails.
> This is just a developer preview, it won't protect you like official
> releases do ***
>
> Hey there,
>
> During the last few weeks I've been working on porting Tails to the
> arm64 architecture, with the aim to ultimately being able to run Tails
> on Apple hardware again. If anyone is interested in a developer
> preview, you will find two USB images at
> https://mega.nz/folder/BrJFGQyR#8rsN06I_pC_YV6spqATeBA. The code is
> hosted at https://gitlab.tails.boum.org/noisycoil/tails in the
> "wip/arm64" and "wip/asahi" branches. The former enables general arm64
> support, while the latter contains additional, currently
> non-upstreamable patches that make Tails run on Apple Silicon with
> M1/M2 processors (no M3 support yet). In both cases, the builds are
> native (you must build the arm64 version of Tails on arm64 hardware;
> I've been building it on Apple Silicon (Asahi Debian) and on a
> Raspberry Pi (Raspberry Pi OS) interchangeably).
> The wip/asahi patches currently break amd64 builds due to a new entry
> in the APT preferences file, but this can be fixed  (I didn't do so
> yet because, as I said, the Asahi patches cannot be upstreamed anyway,
> more on this later).
>
> Both the wip/arm64 and the wip/asahi images use GRUB for arm64 as a
> boot loader. For the former, this is all there is at the moment,
> meaning that the image can run in a VM, but may not run on hardware
> that needs special firmware or arrangements to make it boot. As for
> the latter, GRUB is all that's needed to boot on bare metal Apple
> Silicon (from the Tails side, that is).
> For those unfamiliar with the boot process on arm64 Apple hardware,
> here's a quick recap. Out of the box, Apple Silicon does not support
> booting from external media, nor of course booting Linux. It does,
> however, support booting multiple macOSes from internal storage. The
> smart folks at Asahi Linux (https://asahilinux.org/) came up with a
> process to boot Linux both from internal and external storage (there
> may be issues with booting from large external hard drives, but this
> is not relevant to Tails). What they do is they install a fake macOS
> on the hard drive, which after a couple of intermediate steps runs the
> U-Boot boot loader (https://docs.u-boot.org/en/latest/), which is then
> able to run GRUB both from internal and from external storage. This
> mechanism is currently in use to run, among others, the official remix
> of Fedora for Apple Silicon (https://asahilinux.org/fedora/), and -
> except for the part where you actually have to install the boot loader
> and for a second small exception, see below - is 100% transparent to
> the user.
>
>
> So how do you boot Tails on Apple Silicon?
>
> 1) Install U-Boot on your Apple Silicon Mac. This can be done using
> the official Asahi installer (see https://asahilinux.org/):
>
> curl https://alx.sh | sh
>
> The correct option, which should only require around 3GB of storage
> space on a separate partition, is "EFI environment only (m1n1 + U-Boot
> + ESP)" and, crucially, does not require you to install a
> fully-fledged Linux OS like Fedora. Once you do so, the U-Boot
> partition will be set as the default boot partition. This can be
> reverted at any time if you want to boot macOS by default instead (as
> you probably do in the context of Tails). Also, the U-Boot partition
> can be deleted at any moment if you don't need it anymore
>
> 2) Burn the Asahi Tails image onto a USB drive as usual
>
> 3) Plug the USB drive into your Mac. If the U-Boot partition is the
> default boot partition, just turn on your Mac. If it isn't, turn it on
> by keeping the power button pressed until it says "Entering startup
> options..." and then releasing it. At that point you can select the
> U-Boot partition (similarly, if the U-Boot partition is the default
> and you want to boot macOS, do the same but select the macOS
> partition)
>
> 4) Hit ESC when U-Boot says you can do so in order to interrupt the
> boot process and get dropped to a command line. Now you must tell
> U-Boot you want to boot from an external USB (this is the second small
> exception mentioned above): on the command line, execute
>
> env set boot_efi_bootmgr
> run bootcmd_usb0
>
> This is the officially supported way to boot from an external USB
> drive. Maybe at some point U-Boot will support doing so without the
> user entering any command, but that's not possible at the moment
> AFAIK.
>
> 5) That's it. You're in
>
> If you happen to already have Asahi Linux installed on your arm64 Mac,
> you don't need to follow Step 1 as U-Boot comes installed with the OS.
> Just choose your Asahi Linux boot partition in Step 3.
>
>
> As for the arm64 port itself, i.e. what's in the images. Both
> wip/arm64 and wip/asahi are forked from feature/bookworm. The arm64
> packages that are available from the official Debian repositories are
> installed from there (more on this later), whereas the Tails-specific
> packages (notably: live-boot, cryptsetup, fontconfig and
> network-manager) were rebuilt from source and installed manually
> (using config/chroot_local-packages). For this developer preview, I
> installed Heikki Lindholm's arm64 port of the Tor Browser
> (https://sourceforge.net/projects/tor-browser-ports/), the source code
> of which I have personally reviewed and made small contributions to
> (also, Heikki gave me permission to redistribute the binaries). Of
> course, this can never be upstreamed, but I thought it would be better
> to see an actual working Tor Browser in the developer preview rather
> than nothing. I am not aware of any other software component of Tails
> that is not officially available for arm64. This makes the Tor Browser
> the single blocker for Tails on arm64 AFAICS (more on this later).
>
> As for the Apple Silicon port in particular, the main differences with
> the pure arm64 port are:
>
> 1. custom kernel and Mesa packages, which are needed for hardware
> support (including the GPU)
>
> 2. the asahi-scripts and m1n1 packages; the former is needed for
> correctly building the initramfs, while the latter is possibly useless
> on a live system (it deals with a stage of the boot process which
> happens before the squashfs is unpacked) - but I included it anyway
> because it may be needed in the future
>
> 3. unsigned, rather than signed, GRUB. This could be fixed if I figure
> out why signed GRUB does not work on Apple Silicon with the Asahi
> setup (I suspect this has to do with Apple Silicon not supporting UEFI
> variables. Incidentally, this same thing makes tails-debugging-info
> fail. But let's not delve into the gory details)
>
> The Asahi kernel and Mesa packages are not offically packaged for
> Debian yet, so they're installed from Thomas Glanzmann's repository
> (Thomas gave me permission to redistribute his binaries). This is what
> the Debian Bananas Team (https://wiki.debian.org/Teams/Bananas) - that
> is, the team which is working on getting official Debian support for
> Apple Silicon - is currently doing. In principle I could have
> installed v6.1.0 of the kernel (Bookworm's), but to track the latest
> hardware support I installed v6.5.0 instead (Trixie's). Not installing
> these packages from the official Debian repositories is, I believe,
> the single serious blocker for Tails on arm64 Macs (plus the Tor
> Browser).
> As for asahi-scripts and m1n1, these are already in the Debian testing
> and unstable repositories. I'm installing them from the latter, since
> the unstable source is already enabled on Tails.
> Notably, audio is disabled for this developer preview (v6.5.0 would
> actually support the M1 MacBook Air speakers, while v6.6.0 would
> support most of the M1/M2 series speakers).
>
>
> Finally, as to how I'm building the images:
>
> 1. since the Tails mirrors do not support the arm64 architecture, I
> hijacked my own internal DNS resolution to point back to the official
> Debian repositories. To do so, I patched a couple of points in the
> code where GPG keys are actually verified, configured a web server to
> correctly redirect stuff  and pointed the DNS to that webserver using
> /etc/hosts and the systemd-resolved stub resolver (I'm willing to
> share more on this if anyone is interested in actually building the
> images). This of course is a temporary patch that can be immediately
> reverted if Tails starts to mirror arm64 packages. Note that this
> implies that the wip/arm64 and wip/asahi branches won't build (not
> even on amd64!) without properly hijacking your DNS!
>
> 2. I had to fork tails/live-build (and use my fork as a submodule) in
> order to add a single small patch that teaches it how to deal with one
> single default configuration on arm64. There are multiple ways in
> which this can be reverted
>
> 3. more generally, I added a number of temporary patches which cannot
> be upstreamed for various reasons, but which can be reverted under
> appropriate conditions. All of them are marked as "Temporary:" in
> their commit messages, and the conditions under which they can be
> reverted are clearly stated. In the wip/arm64 branch, the only
> temporary patch which is not under Tails's control (i.e. whose removal
> does not depend on actions taken by the Tails project) is the
> inclusion of Heikki's build of the Tor Browser. This is what I meant
> before by "This makes the Tor Browser the single blocker for Tails on
> arm64".
> As for wip/asahi, most of the contents of the additional commit are
> temporary anyways (again, the kernel and Mesa package are not
> officially packaged yet by Debian), so the "Temporary:" label would
> have been an understatement. Asahi Tails (i.e. Tails on Apple Silicon
> Macs) can only be a thing if Debian puts out an official
> linux-image-asahi (possibly with proper backports, given the nature of
> Debian) and something like a mesa-asahi set of packages. This is,
> until the Asahi changes are merged into their respective upstreams
>
> 4. I'm following the current procedure of "first build the ISO and
> then convert to USB image" in order to keep the code as close as
> possible to feature/bookworm. The ISO is unbootable (UEFI does not
> boot ISO 9660 file systems), but the USB image works. Eventualy, one
> can just try to build the USB image directly
>
>
> There are tons of other details about the build process and contents
> of the image I could share (e.g., off the top of my head, Tails cloner
> does not work on arm64 because it doesn't find some syslinux/mbr files
> which are intentionally not there anymore) and I'm already probably
> forgetting important stuff, but I think this email is already long
> enough, so if anybody is interested feel free to ping me. The reason
> why I made this port is first, for fun. But then also, to provide a
> PoC that Tails can already run on Apple Silicon machines and that with
> some effort from various projects (Tails in providing arm64 mirrors
> and packages, Tor in finally providing an official arm64 release of
> the Tor Browser, Debian in packaging the Asahi kernel and Mesa
> libraries - until the Asahi changes get merged upstream), bringing
> Tails back to Apple machines, and bringing it for the first time to
> arm64 hardware, is just around the corner.
>
>
> Best,
>
> NoisyCoil
>
>
> P.S.: This is the first time I put my hands on the Tails codebase, so
> it may very well be that I got caught in some obvious gotchas. Also, I
> am not affiliated with the Asah Linux project, the Debian Bananas Team
> (or the Debian project at large), the Tor project, or any other
> organization mentioned above.
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.