Re: [Tails-dev] Tails for arm64 (with support for Apple Sili…

From: n9iu7pk
Date:  
To: NoisyCoil via Tails-dev
Subject: Re: [Tails-dev] Tails for arm64 (with support for Apple Silicon)
Hi NoisyCoil,


> The second and most exciting news is you can now cross-build Tails for
> arm64 on an x86_64 machine! Keeping in mind that you still need to
> hijack your DNS to download the arm64 packages, to build an arm64
> version of Tails on x86_64:


After a couple of attempts & fails finally I could build a crossarm 
compiled raspberry pi 5 bootable (from USB) image - it was a big moment 
to see Tails running on rpi!

- Build platform: Intel i7 8 cores and > 32 GB RAM.

- followed your DNS hijack - with some changes, see nginx.conf and 
docker-compose.yml below. In short: debian-security for example isn't 
available unsecured with http:// but only secured with https:// and thus 
must be rewritten - redirecting http to https would require a TLS server 
setup - too much effort.

- forked from your/NoisyCoil's repository into 
https://gitlab.tails.boum.org/N9iu7pk/tails -> all changes to get a 
successful build are pushed to this branch

- I used base_branch = 'wip/raspi'
    I'm not sure whether that was the proper/intended choice. With 
'stable' or 'devel' the build ended up building x86_64 instead of 
aarch64/arm64. Didn't investigate that any further.

- had some issues with certificates (i.e. raspi_chroot) and preparing 
apt sources (wip/raspi must be mapped to stable in 
auto/scripts/tails-custom-apt-sources)

- took days for a first build (of course - running a fully emulated arm 
VM on amd64 :D ). When choosing to keep the VM running afterwards, 
sometimes the VM won't stop with rake vm:halt, had to kill qemu.

- without any build options the VM grabbed all 8 available cores and 50% 
of the available RAM

- Tor-Browser was running!

- the IMG was bootable, some issues
    * at boot time: failed to start systemd-sysctl.service - apply 
kernel variables
    * when trying to modify settings (language, keyboard etc.) in the 
startup screen the system got "frozen"

I'd like to propose - as you already did - the two(or more)-image EFI 
idea (i.e. rpi and apple). Seems not to be an issue of resources on 
the user's side (as today's USB sticks < 64 GB become rare) but a problem 
of build resources, in terms of the timed snapshots from Debian being 
doubled for arm as well, nearly multiplied build times being needed, and 
for each platform an adjusted/modified kernel, dtb's & boot stack being 
required -> which is rather the task of projects like 
https://wiki.debian.org/DebianKernel/ARMMP.

Best regards
niuu7pk

PGP 7426 4598 B5AD 4D12 1699 C710 [ D602 E331 4D12 FFCB ]
https://keys.openpgp.org/search?q=D602E3314D12FFCB

events {}

http {
    server {
        server_name time-based.snapshots.deb.tails.boum.org;
        listen *:80;
        error_log /var/log/nginx/tails.log debug;
        rewrite_log on;
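        # Pool requests: redirect to the regular mirrors
        # (debian over http, debian-security over https).
        rewrite ^\/(debian)\/pool(\/?.*) http://ftp.debian.org/$1/pool$2;
        rewrite ^\/(debian-security)\/pool(\/?.*) https://deb.debian.org/$1/pool$2;
        # Requests with a numeric path component after the archive name:
        # drop that component and redirect to the regular mirrors.
        rewrite ^\/(debian)\/[0-9]+(\/?.*) http://ftp.debian.org/$1$2;
        rewrite ^\/(debian-security)\/[0-9]+(\/?.*) https://deb.debian.org/$1$2;
        # Paths that start with a numeric/dotted component: drop it as well.
        rewrite ^\/[0-9.]+(\/?.*) https://deb.debian.org$1;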


        location ~ ^/(debian|debian-security|tails)/project/trace/(debian|debian-security|tails) {
            proxy_pass http://204.13.164.63:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
        }


        location ~ ^/(tails|torproject) {
            proxy_pass http://204.13.164.63:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
        }
    }
}
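
Added example (not part of the original message or of the Tails code base): a small Python model of the rewrite and location rules in the nginx.conf above, showing where a given request path is sent and whether that onward hop uses TLS. The sample paths are constructed, and the model assumes nginx's first-match order for server-level rewrite directives and regex locations.

```python
import re

# Rules copied from the nginx.conf in the message, in file order. A rewrite
# whose replacement starts with http:// or https:// ends processing and
# returns a redirect to the client.
REWRITES = [
    (r"^/(debian)/pool(/?.*)", r"http://ftp.debian.org/\1/pool\2"),
    (r"^/(debian-security)/pool(/?.*)", r"https://deb.debian.org/\1/pool\2"),
    (r"^/(debian)/[0-9]+(/?.*)", r"http://ftp.debian.org/\1\2"),
    (r"^/(debian-security)/[0-9]+(/?.*)", r"https://deb.debian.org/\1\2"),
    (r"^/[0-9.]+(/?.*)", r"https://deb.debian.org\1"),
]
# The two regex locations; both proxy_pass to the same upstream without a URI
# part, so the original request path is forwarded unchanged.
LOCATIONS = [
    r"^/(debian|debian-security|tails)/project/trace/(debian|debian-security|tails)",
    r"^/(tails|torproject)",
]
UPSTREAM = "http://204.13.164.63:80"

def route(uri):
    """Return (action, target, uses_tls) for a request path."""
    for pattern, replacement in REWRITES:
        m = re.match(pattern, uri)
        if m:
            target = m.expand(replacement)
            return ("redirect", target, target.startswith("https://"))
    for pattern in LOCATIONS:
        if re.search(pattern, uri):
            return ("proxy", UPSTREAM + uri, False)
    return ("unhandled", None, False)  # no rule in the posted config matches

def plaintext_fetches(paths):
    """Paths that are handled, but whose onward fetch is not over TLS."""
    routed = [(p, route(p)) for p in paths]
    return [p for p, (action, _, tls) in routed if action != "unhandled" and not tls]

# Constructed sample request paths (not taken from a real build log).
SAMPLE = [
    "/debian/2024010101/dists/bookworm/InRelease",
    "/debian-security/2024010101/dists/bookworm-security/InRelease",
    "/debian/pool/main/e/example/example_1.0_arm64.deb",
    "/tails/dists/stable/InRelease",
    "/debian/project/trace/debian",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(path, "->", route(path))
    print("no TLS on onward hop:", plaintext_fetches(SAMPLE))
```

Every path reported by plaintext_fetches() reaches its mirror without TLS, so the integrity of those downloads depends on APT's signature verification rather than on the transport.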