Re: [Tails-dev] [Tails-project] boot tails iso with grub

Delete this message

Reply to this message
Author: linux-service
Date:  
To: The Tails public development discussion list
New-Topics: Re: [Tails-dev] [Tails-project] boot tails iso with grub
Subject: Re: [Tails-dev] [Tails-project] boot tails iso with grub
Dear,

More and more business customers ask to disable usb on their notebooks
for security, so we have no option other than work with grub and iso.

We working with iso's:

menuentry "tails" {
    set isofile="/iso/tails.iso"
    loopback loop $isofile
set root=(loop)
    linux (loop)/live/vmlinuz boot=live iso-scan/filename=${isofile}
findiso=${isofile} apparmor=1 nopersistence noprompt timezone=Etc/UTC
block.events_dfl_poll_msecs=1000 splash noautologin module=Tails
slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1
union=aufs  quiet toram
    initrd (loop)/live/initrd.img
}

We have created a bash script with gksu or pkexec for the user for
updating their tails iso :

#!/bin/bash
cd /iso
gksu -- bash -c 'xterm -e "rm tails.iso; wget
http://95.211.190.99/astick1804/tails.iso"'

We have also a script for updating grub's 40_custom.

I am donating to tails per sold computer.


Guy

Op 31/10/18 om 11:06 schreef intrigeri:
> Hi!
>
> Meta: redirecting from tails-project@ to our development mailing list
> and taking over from our Help Desk who, understandably, cannot handle
> this further than "this is not supported, sorry" :)
>
> linux-service:
>> We are selling opensource computers and install default a system where a
>> tails iso on the harddrive is booted with grub2 toram.
> Interesting! There are a number of concerns with this approach but I'd
> like to help you do this in a way that's reasonably safe for your
> clients and does not cause us too much additional work.
>
>> The hdd(s) are not mounted. Is this way of booting tails equal secure as
>> booting from usb or dvd?
> There are a few concerns about this approach, some of them tackle
> your question:
>
>   - How do you force live-boot to start from an internal drive?
>     I assume you need to remove live-media=removable, no?
>     Note that doing this implies full trust in the internal hard drive,
>     which is not something the users may expect when using Tails.

>
>   - Do you communicate to your clients, somehow, that the way you're
>     installing this Tails system is unsupported by the Tails project
>     and the resulting system may behave differently than a "real" Tails?

>
>   - How do you keep the kernel command line up-to-date? Assuming you
>     hard-code it in the GRUB configuration, please be aware that we
>     sometimes change it. I'm worried your GRUB config and what the
>     installed ISO expects might get de-synchronized over time.

>
>   - How do handle upgrades? I'm worried that your clients are left
>     with an obsolete Tails and no documented way to upgrade it.

>
>   - We'll soon stop supporting the ISO image except for DVDs and
>     virtual machines (https://labs.riseup.net/code/issues/15292).
>     Probably not a big deal for you in terms of initial installation,
>     but this will make upgrades even harder for your clients. And an
>     important upcoming security improvement (persistent RNG seed) will
>     only work when Tails is installed on a USB stick.

>
>   - The Tails user experience relies more and more on our opt-in
>     persistence feature. While we still support read-only Tails, be
>     aware that you're shipping a flavour of Tails with a restricted
>     feature set. It would be nice to communicate this to your users
>     and point them to our doc about installing a full-blown Tails :)

>
> Cheers,