Feature #6397: Support booting from USB devices exposed as non-removable
Have live-boot honor FSUUID=
See parent ticket for the rationale, and desired user interface. boyska volunteered to add the needed support to live-boot.
#2 Updated by intrigeri almost 4 years ago
boyska can't work on this before September, and even then he encourages me to find someone else to work on this. Not sure how to proceed -- probably I'll send a call for volunteers on tails-dev@ + debian-live@, and then unassign this from me.
Also note that live-boot (at least 5.x) already supports some kind of UUID checking, but it's not suitable for security purposes: the UUID is generated at ISO build time, embedded in the initramfs and in the ISO filesystem, and at boot time the initramfs checks that the UUID on the boot drive is the one it knows about. Given the content of the ISO is public information, an attacker can very well plant the same in their fake Tails they put on the internal hard drive, so this doesn't help wrt. "not load the OS from an internal hard drives, while still looking for all devices even though they say they're not removable".
#3 Updated by intrigeri almost 4 years ago
- Subject changed from Wait for live-boot to support FSUUID to Have live-boot honor FSUUID=
- Assignee deleted (
- Type of work changed from Wait to Code
Not sure how to proceed -- probably I'll send a call for volunteers on tails-dev@ + debian-live@, and then unassign this from me.
Sent to tails-dev@: https://mailman.boum.org/pipermail/tails-dev/2015-July/009222.html.
#7 Updated by intrigeri about 2 years ago
This (re?)implements bits I was mentioning in #7475#note-2:
It's still not suitable for security reasons, but if we combine it with what I describe on #6397#note-42 (that would be enough to solve the parent ticket), then we get a nice bonus UX improvement (no more random behavior anymore when starting a computer with two Tails sticks attached), without having to fiddle with anything bootloader-specific. These two solutions can be combined as live-boot looks for the UUID only on devices that satisfy whatever