
Feature #17492

Feature #6560: UEFI Secure boot

Update documentation wrt. using GRUB + Secure Boot for USB boot on EFI 64-bit

Added by intrigeri about 1 month ago. Updated 4 days ago.

Status: Needs Validation
Priority: Elevated
Assignee:
Category: -
Target version:
Start date: 12/17/2018
Due date:
% Done: 0%
Feature Branch: doc/17492-secure-boot
Type of work: End-user documentation
Blueprint:
Starter:
Affected tool:

Description

  • don't recommend disabling Secure Boot (i.e. delete 2 lines in install/inc/steps/restart_first_time.inline.mdwn) except on Apple computers (Apple's implementation of Secure Boot only allows starting macOS and Windows)
  • adding/changing boot options
  • booting in "Troubleshooting mode"

Subtasks

Bug #16229: Boot Loader Menu documentation does not support 32-bit UEFI (Needs Validation, cbrownstein)

Feature #16410: Document how to allow macOS Startup Security Utility to boot on external media (Needs Validation, cbrownstein)


Related issues

Blocks Tails - Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing (Confirmed)
Blocks Tails - Feature #15122: Rename Tails Greeter to be more plain (Needs Validation, 12/27/2017)

History

#1 Updated by intrigeri about 1 month ago

For now this is tentatively scheduled for Tails 4.5, whose RC should be published late March. But at the end of our current sprint, segfault and I will check where we're at and possibly adjust the timeline.

#2 Updated by intrigeri about 1 month ago

  • Subject changed from Update documentation wrt. using GRUB for USB boot on EFI 64-bit to Update documentation wrt. using GRUB + Secure Boot for USB boot on EFI 64-bit

#3 Updated by intrigeri about 1 month ago

#4 Updated by intrigeri about 1 month ago

  • Blocks Feature #17247: Core work 2020Q1 → 2020Q2: Technical writing added

#5 Updated by intrigeri about 1 month ago

  • Description updated (diff)

I confirm we plan to ship this in 4.5~rc1, scheduled for late March.

segfault and I will meet on March 5 at 10:00 CET. IIRC that's not a suitable time for you but it would be a good time for us to look into any question you may have sent us earlier :)

#6 Updated by intrigeri 12 days ago

  • Parent task changed from #15806 to #6560

#7 Updated by sajolida 6 days ago

#8 Updated by sajolida 6 days ago

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from sajolida to cbrownstein
  • Feature Branch changed from feature/6560-secure-boot+force-all-tests to doc/17492-secure-boot

I think I'm done with this (big) branch!

@cbrownstein:

  • I also worked on #16410 and #15122 in this same branch because I thought that it made sense to do this all at once.
  • I didn't spend a lot of time improving any old sentence affected by some smaller change, but feel free to do so: translations are going to be broken on these anyway.
  • I stopped using DocBook-style CSS classes as per #16221, though the new style is not documented yet in the Style Guide. Basically it's the same logic but with <em> and <strong> instead of our custom classes (e.g. 'application').
  • Some images overflow their <div> sections: forget about them. With #15112 we'll be able to make all these sections wider thanks to the space that we will gain on the right without the sidebar.
  • The wild renaming of PO files in e257c1fbee, 280701d27c, and 8657a6d1a2 was done in a batch using sed. Hopefully it will prevent some translations from breaking, but it's best effort: don't review them one by one!!!

Also this is meant to be released with Tails 4.5 (April 7). I'm quite proud to have my draft ready 2 weeks in advance :) I hope it leaves you plenty of time for this long review.

@intrigeri: I'd also like you to review bits of this branch for technical correctness. It would be good if you read at least the following commits (and maybe the resulting final sections as well):

  - /doc/advanced_topics/boot_options
    - a938d82607
  - /install/mac/usb#start-tails
    - fadd9c4709
    - 53336bc6e2
  - /install/win/usb#start-tails
    - d4edefb9a7
    - 08bf1b0600
    - b794d7772a
  - /install/win/usb#welcome-screen → "Tails not starting entirely" 
    - fa9130af4c

#9 Updated by intrigeri 6 days ago

Hi,

> intrigeri: I'd also like you to review bits of this branch for technical correctness. It would be good if you read at least the following commits (and maybe the resulting final sections as well):

All these commits look great to me!

Comments:

  • On /install/win/usb#welcome-screen → "Tails not starting entirely", grub-with-options.png and syslinux-with-options.png are not displayed.
  • d4edefb9a7: I don't think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI) if the first one fails. IMO everything (apart from "Disable Secure boot") that this commit removes is useful for troubleshooting.
  • 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I'm fine with your conclusion.

#10 Updated by sajolida 4 days ago

@intrigeri:

>   • On /install/win/usb#welcome-screen → "Tails not starting entirely", grub-with-options.png and syslinux-with-options.png are not displayed.

Oops, they were broken by a renaming → fixed in 84661f96b4.

>   • d4edefb9a7: I don't think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI) if the first one fails. IMO everything (apart from "Disable Secure boot") that this commit removes is useful for troubleshooting.

I wasn't sure about this so that's useful info.

We're talking about:

  • Enabling Legacy mode
  • Enable CSM boot
  • Disable UEFI

My concern is that disabling UEFI might break starting Windows, and
enabling it back might break BitLocker. It happened to Cody :) See
https://redmine.tails.boum.org/code/issues/15016#note-19.

But we can probably find some kind of middle-ground.

What still feels safe would be:

  • Enable CSM boot

For reference:
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#CSM_booting

  • Enabling Legacy mode as fallback, i.e. without disabling UEFI

That's what I did on my laptop until now but I don't think that all
laptops support this, do they? This might be hard to phrase but I can
try and put some warnings around it.

  • Disable UEFI if you don't have Windows installed

Would other Linuxes still boot in Legacy even if they were installed
in UEFI?

>   • 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I'm fine with your conclusion.

Ok. I can try to add it back and add fat warnings around it. I should
also tell people to go check the support pages of the computer manufacturer.

Deal?

#11 Updated by intrigeri 4 days ago

Hi,

>   • d4edefb9a7: I don't think the code changes behind this work warrant dropping the part about trying the other boot method (legacy vs. UEFI) if the first one fails. IMO everything (apart from "Disable Secure boot") that this commit removes is useful for troubleshooting.
>
> [...]
> What still feels safe would be:

Sounds good.

>   • Enabling Legacy mode as fallback, i.e. without disabling UEFI
>
> That's what I did on my laptop until now but I don't think that all
> laptops support this, do they? This might be hard to phrase but I can
> try and put some warnings around it.

Indeed, I doubt every firmware supports this.

> Would other Linuxes still boot in Legacy even if they were installed in UEFI?

I don't think so.

Let's keep in mind that there are 2 possible goals here:

  • tweaking the firmware once for all, so that the computer starts Tails and the other installed OS: that's ideal of course, but not always achievable
  • tweaking the firmware every time one starts Tails (and toggling settings back before rebooting to the other OS): it sucks; that's what users had to do so far when their OS requires Secure Boot; but for some users, it could be the only way to use Tails, and I am sympathetic with this situation
>   • 08bf1b0600 makes me a bit sad (we have seen cases where buggy firmware, that failed to boot Tails, were fixed by upgrading) but I understand your reasoning and I'm fine with your conclusion.
>
> Ok. I can try to add it back and add fat warnings around it. I should
> also tell people to go check the support pages of the computer manufacturer.
>
> Deal?

Deal!

In passing: I don't know about Windows, but on modern Linux with a decent desktop environment and a UEFI installation, one gets firmware updates for free.
Personally I haven't had to do any manual operation to update my laptop's firmware for a few years.
So perhaps this issue is less important than I thought, and checking manufacturer support pages is not needed in most cases.
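The troubleshooting discussed above (UEFI vs. legacy/CSM boot, Secure Boot on or off) is easier to document and to debug when one can tell which path the running system actually took. The following is an added example, not code from the Tails documentation branch or from the Tails project: a small POSIX sh script that reports the boot mode from sysfs and decodes the Secure Boot state from the efivarfs variable. It assumes a Linux kernel with /sys/firmware/efi and efivarfs mounted at the default location; the helper names (boot_mode, secure_boot_state, report) are this example's own. Both helpers accept an explicit path so they can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not Tails project code): report how the running Linux
# system was started, so the firmware settings under discussion (UEFI vs.
# legacy/CSM boot, Secure Boot enforced or not) can be checked before
# anyone is told to change them.  Assumes Linux with sysfs and efivarfs
# mounted at their default paths.

# Prints "uefi" if the kernel was started through UEFI (the kernel then
# exposes /sys/firmware/efi) and "legacy" otherwise (BIOS or CSM boot).
# An optional argument overrides the directory to inspect.
boot_mode() {
    efi_dir="${1:-/sys/firmware/efi}"
    if [ -d "$efi_dir" ]; then
        echo uefi
    else
        echo legacy
    fi
}

# Decodes a SecureBoot variable as exposed by efivarfs: 4 bytes of
# variable attributes followed by 1 data byte, where 0x01 means Secure Boot
# is enforced and 0x00 means it is disabled.  Prints "enabled", "disabled"
# or "unsupported" (variable missing or unreadable, e.g. legacy boot or
# firmware without Secure Boot).  An optional argument gives the file to
# read; by default the variable under the EFI global variable GUID is used.
secure_boot_state() {
    var="${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)}"
    if [ -z "$var" ] || [ ! -r "$var" ]; then
        echo unsupported
        return 0
    fi
    # Skip the 4 attribute bytes and print the data byte as a decimal.
    value=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;
    esac
}

# Human-readable summary for a support request or a documentation check.
report() {
    mode=$(boot_mode)
    sb=$(secure_boot_state)
    echo "boot mode:   $mode"
    echo "secure boot: $sb"
    if [ "$mode" = legacy ]; then
        echo "note: legacy/CSM boot; Secure Boot settings do not apply here"
    fi
}

report
```

Run on a machine that started Tails from USB, "boot mode: uefi" together with "secure boot: enabled" confirms that the signed GRUB path was used without any firmware changes; "legacy" means the CSM or legacy fallback was taken, which is exactly the case the troubleshooting section needs to keep describing.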
