Project

General

Profile

Bug #15016

Bug #12474: Document troubleshooting tips for more failure scenarios throughout installation assistant

Explain better how to disable Secure Boot

Added by emmapeel almost 2 years ago. Updated 24 days ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Installation
Target version:
-
Start date:
12/05/2017
Due date:
% Done:

0%

Feature Branch:
Type of work:
End-user documentation
Blueprint:
Starter:
Affected tool:
Installation Assistant

Description

Many users contact frontdesk because they need to disable Secure Boot.

This is not easy to understand on the Install instructions (at least for this kind of users). It should be more prominent.

I send them to the microsoft page:

https://technet.microsoft.com/en-us/library/dn481258.aspx

image221.png View - image mentioned at comment #14 (202 KB) emmapeel, 04/03/2018 09:42 AM

bitlocker-recovery-dialog.jpg View (51.6 KB) cbrownstein, 01/15/2019 07:26 PM

secure-boot-violation-dialog.jpg View (39.4 KB) cbrownstein, 01/15/2019 07:26 PM


Related issues

Related to Tails - Feature #6560: UEFI Secure boot Confirmed 01/02/2014
Blocks Tails - Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing Confirmed 01/08/2016

Associated revisions

Revision e24b1204 (diff)
Added by sajolida over 1 year ago

Point to the Microsoft documentation on disabling secure boot (Will-fix: #15016)

History

#1 Updated by emmapeel almost 2 years ago

  • Blocks Feature #14758: Core work 2017Q4 → 2018Q1: Technical writing added

#2 Updated by u over 1 year ago

  • Assignee set to sajolida

@sajolida: may you check who could work on this and when please? thanks!

#3 Updated by u over 1 year ago

  • QA Check deleted (Dev Needed)

#4 Updated by u over 1 year ago

Basically, in https://tails.boum.org/install/win/usb/index.en.html#install-inc-steps-restart-first-time we could better explain "Disable Secure Boot" with an interrogation mark or by linking somewhere (https://en.wikipedia.org/wiki/Hardware_restriction#Secure_boot for example).

#5 Updated by sajolida over 1 year ago

  • Subject changed from Install docs: Secure Boot to Explain better how to disable Secure Boot
  • Assignee changed from sajolida to emmapeel
  • QA Check set to Ready for QA

What about that: doc/15016-disable-secure-boot.

#6 Updated by sajolida over 1 year ago

  • Status changed from Confirmed to In Progress

Applied in changeset commit:8ed0bcb2ed93e97b688f4a2497fded10edc46e2f.

#7 Updated by emmapeel over 1 year ago

  • Assignee changed from emmapeel to sajolida

I like it. Maybe with your correction my suggestion is not needed anymore, but just wanted to point out:

I have noticed that many users don't get that the problem at boot is that they haven't disabled the Secure Boot. The message displayed by the BIOS is not clear, or maybe too close to the Tails ISO image wording, for the users to think they have a problem with the ISO instead of with their BIOS settings.

So I think that maybe we could add something about secure boot also to the Troubleshooting section 'if Tails does not start'.

#8 Updated by sajolida over 1 year ago

  • Target version set to Tails_3.7
  • QA Check changed from Ready for QA to Dev Needed

#9 Updated by sajolida over 1 year ago

  • Assignee changed from sajolida to emmapeel
  • QA Check changed from Dev Needed to Info Needed

I'm doing a first merge of the branch.

But I don't understand your comment...

In "Troubleshooting - Tails does not start at all" we are instructing users to:

  • Get to the Boot Menu, testing various key combinations.
  • Edit their BIOS settings (including disabling Secure Boot) if they can't get to the Boot Menu or the Boot Menu doesn't lead to the Boot Loader Menu (syslinux).

Which is what you seem to propose...

Are you saying that we should also rephrase the following paragraph to mention explicitly failures related to Secure Boot:

« If none of the potential boot menu keys identified in step 3 work or if the USB stick does not appear in the list, then try the second troubleshooting technique described below. »

What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?

Or maybe you mean something else that I didn't get...

#10 Updated by emmapeel over 1 year ago

sajolida wrote:

What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?

Or maybe you mean something else that I didn't get...

Yes, I will try to compile the messages the users receive.

The computer will say something like 'error on the image' or 'unsafe image' and the users think they didn't downloaded the ISO well, they don't think their Windows is bluffing on them.

#11 Updated by emmapeel over 1 year ago

  • Assignee changed from emmapeel to sajolida
  • QA Check deleted (Info Needed)

#12 Updated by sajolida over 1 year ago

  • Blocks deleted (Feature #14758: Core work 2017Q4 → 2018Q1: Technical writing)

#13 Updated by sajolida over 1 year ago

  • Assignee changed from sajolida to emmapeel
  • Target version deleted (Tails_3.7)

Ok, then I'd like to have concrete examples of what happens, either a description of the screen or a photo, before writing more stuff. Could you do that?

No hurry, so I'm removing the target version and the blocking relationship with Core work 2018Q1.

#14 Updated by emmapeel over 1 year ago

Here an example:
-------------------
Secure boot:
-------------------
Image failed to verify with ACCESS DENIED
Press any key to continue

I attach the screenshot image221.png

#15 Updated by u about 1 year ago

  • Assignee changed from emmapeel to sajolida
  • QA Check set to Info Needed

Assigning to sajolida for comment.

#16 Updated by sajolida about 1 year ago

  • Assignee deleted (sajolida)
  • QA Check deleted (Info Needed)

Ok!!!

So now I understand that people somehow manage to tell their computer to try starting on a Tails USB stick with Secure Boot enabled and that's the error message they get. I didn't know this was possible...

We should definitely document that!

This is on our installation flow and can possibly affects a vast majority of our users, so let's make this part of our core work.

Thanks for resurrecting this ticket u!

#17 Updated by intrigeri about 1 year ago

#18 Updated by cbrownstein 9 months ago

  • Assignee set to cbrownstein

I'll work on this.

#19 Updated by cbrownstein 8 months ago

Here is a (scary) Secure Boot experience I had the other day:

I borrowed a Microsoft Surface Laptop 2 running Windows 10 Home. My plan was to test the new Tails USB image.

The USB image copied to a USB stick using Etcher without any issues.

I left the USB stick in the laptop. I tried to boot from advanced startup1.

[1] https://support.microsoft.com/en-us/help/4026206/windows-get-to-safe-mode-and-other-startup-settings-in-windows-10

The Microsoft logo displayed for a few seconds before the laptop booted into Windows.

No messages were displayed to explain why the laptop booted into Windows instead of Tails.

From previous experience, I suspected this was a Secure Boot issue.

I restarted the laptop and held the volume-up button on boot2 to access the BIOS/UEFI.

[2] https://support.microsoft.com/en-us/help/4023532/surface-how-do-i-use-the-bios-uefi

I was presented with a window on boot:

SecureBoot violation!

One or more of the selected boot devices had a SecureBoot violation! Returning to Surface settings. Please verify SecureBoot key configuration and boot device selection.

I disabled Secure Boot in the BIOS/UEFI.

I restarted with the USB stick in the laptop.

The laptop tried to boot into Windows. But, I was asked for a BitLocker recovery key! (See the attached picture.)

I did not have a recovery key. I was worried that I had just lost all the data on the internal drive of this laptop!

I re-enabled Secure Boot per the dialog and restarted the laptop. I was still being prompted for a recovery key.

(Very) luckily I was able to get a recovery key.

I decided not to make further attempts to boot Tails. I did not want to risk losing the data on this borrowed laptop.

#20 Updated by intrigeri 8 months ago

  • Parent task set to #12474

#21 Updated by sajolida 8 months ago

Wow, crazy!

BitLocker needs your recovery key to unlock your drive because Secure Boot has been disabled.

#22 Updated by sajolida 7 months ago

  • Blocks Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing added

#23 Updated by sajolida 2 months ago

  • Blocks Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing added

#24 Updated by sajolida 2 months ago

  • Blocks deleted (Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing)

#25 Updated by sajolida about 1 month ago

Our MOSS grant about supporting Secure Boot has been approved and we'll have to deliver it by July 2020. It's in while but significantly improving our documentation will be a lot of work and we have tons of other important things to do. So I propose to reject this ticket.

Maybe before closing it, you could share any relevant findings with us in case you already identified some easy things to fix.

#26 Updated by intrigeri about 1 month ago

So I propose to reject this ticket.

Agreed.

#27 Updated by sajolida 24 days ago

  • Status changed from In Progress to Rejected
  • Assignee deleted (cbrownstein)

Also available in: Atom PDF