Re: [Tails-dev] Tails for arm64 (with support for Apple Sili…

From: noisycoil
Date:
To: NoisyCoil via Tails-dev
Cc: Tails Dev
Subject: Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)
Dear all,

I have some exciting news.

TLDR; All Tails-specific apps now work on arm64 (with two minor "not-my-bug" caveats). You can now cross-build Tails for arm64 on an x86_64 machine.


First, as of my last commits, Tails Cloner now works on all my arm64 branches. This means that, with two exceptions (see ahead), all user-facing Tails-specific applications - namely Tails Cloner, Persistent Storage, Back Up Persistent Storage, Tails Documentation, WhisperBack -, plus the Tor Browser (the unofficial build) and OnionShare (factoring out the known bugs) now work on arm64. As for the other applications, I have not spent much time checking them one-by-one yet, so I can't promise anything, but in general they seem in a good state.

The two exceptions to the above could be classified as "not my bug":

1. WhisperBack crashes at startup on Apple Silicon only. I believe this should be fixed upstream (I mean in the main Tails repos) so I've filed a bug (https://gitlab.tails.boum.org/tails/tails/-/issues/20200) and drafted a quick fix (https://gitlab.tails.boum.org/tails/tails/-/merge_requests/1410).

2. Creation of persistent storage misbehaves when running Tails in an arm64 VM. Hardware platforms (i.e. Apple Silicon and RPi) are not affected by this issue, nor are x86_64 VMs (I tested your Tails 6.0-rc1 build).
More precisely, when running in a VM, GDM restarts while creating persistent storage. The Tails greeter thus re-appears, and if you try to get past that the GNOME session doesn't go back to where it was. Persistent storage is still created correctly (the application runs to completion in the background!), but at that point there's not much you can do other than restart the VM. After restarting, everything works fine (including persistence).
I have determined that this is due to the "udevadm trigger" command internally run by tails-persistent-storage, and that this is not Tails specific: even on a vanilla Debian Bookworm arm64 installation, a VM will log out of the user session when "udevadm trigger" is called (but there's no Tails greeter workflow in vanilla Debian, so there you can just re-login). Since you already have https://gitlab.tails.boum.org/tails/tails/-/issues/20020, I will not address this issue at this moment.


The second and most exciting news is you can now cross-build Tails for arm64 on an x86_64 machine! Keeping in mind that you still need to hijack your DNS to download the arm64 packages, to build an arm64 version of Tails on x86_64:

- install the "binfmt-support", "qemu-user-static", "qemu-system-arm" and "qemu-efi-aarch64" Debian packages: sudo apt-get install -y binfmt-support qemu-user-static qemu-system-arm qemu-efi-aarch64
- include "crossarm64" in TAILS_BUILD_OPTIONS

Internally, cross-building works as follows. First binfmt-support and qemu-user-static automagically turn vmdb2 into a cross-arm64 image builder, so that an arm64 Vagrant box is built in place of an amd64 one. Then the Vagrant box is run in emulation (via qemu proper instead of kvm) and does exactly the same job it would during a native build, only MUCH slower. And when I say "much slower" I mean it: on a last-generation 32-core, 64GB x86_64 machine, my first build took 13 hours, the second one 6 hours, the third one 3-4 hours (depending on pre-existing caches), vs ~ 15 minutes for a native x86_64 build and ~ 1 hour on a 4-core 8GB Raspberry Pi 5 for a native arm64 build. So cross-builds should only be done when necessary (e.g. in production? ;-) ).

Note that I only attempted to cross-build on a single Ubuntu 23.10 machine, so the qemu configuration that's used for emulation may need some tweaks. For example, I'm not sure whether the "gic version='3'" feature, which is needed to emulate more than 8 cores (and up to 512, see https://www.qemu.org/docs/master/system/arm/virt.html) is supported on all x86_64 machines. If anybody attempts the cross build and it doesn't work, please write to me so we can get it fixed.


Best,

NC
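
Added example, not part of the original message or of the Tails code base: a pre-flight check for the cross-build prerequisites listed in the message above, run on the x86_64 build host before starting a build. The binfmt_misc entry path and the whitespace-separated format of TAILS_BUILD_OPTIONS are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the arm64 cross-build prerequisites.
# Assumptions (not in the original message): TAILS_BUILD_OPTIONS is a
# whitespace-separated list, and qemu-user-static registers its arm64
# handler as /proc/sys/fs/binfmt_misc/qemu-aarch64.
REQUIRED_PKGS="binfmt-support qemu-user-static qemu-system-arm qemu-efi-aarch64"
BINFMT_ENTRY="/proc/sys/fs/binfmt_misc/qemu-aarch64"

# Succeeds if option $1 appears as a whole word in the option string $2.
has_build_option() {
    for opt in $2; do
        if [ "$opt" = "$1" ]; then return 0; fi
    done
    return 1
}

# Succeeds if binfmt_misc entry file $1 is readable and starts with "enabled".
binfmt_enabled() {
    [ -r "$1" ] || return 1
    state=""
    read -r state < "$1" || true
    [ "$state" = "enabled" ]
}

# Succeeds if Debian package $1 is fully installed according to dpkg.
pkg_installed() {
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
    [ "$status" = "install ok installed" ]
}

# Runs every check, prints one line per problem, returns the problem count.
preflight() {
    problems=0
    for pkg in $REQUIRED_PKGS; do
        if ! pkg_installed "$pkg"; then
            echo "missing package: $pkg"; problems=$((problems + 1))
        fi
    done
    if ! binfmt_enabled "$BINFMT_ENTRY"; then
        echo "no enabled handler at $BINFMT_ENTRY"; problems=$((problems + 1))
    fi
    if ! has_build_option crossarm64 "${TAILS_BUILD_OPTIONS:-}"; then
        echo "TAILS_BUILD_OPTIONS lacks crossarm64"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Only run the checks when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it as `sh preflight.sh --check` (file name hypothetical); a non-zero exit status is the number of unmet prerequisites.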