Dear,
More and more business customers ask to disable USB on their notebooks
for security, so we have no option other than to work with GRUB and ISO.
We are working with ISOs:
menuentry "tails" {
    set isofile="/iso/tails.iso"
    loopback loop $isofile
    set root=(loop)
    linux (loop)/live/vmlinuz boot=live iso-scan/filename=${isofile} findiso=${isofile} apparmor=1 nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs quiet toram
    initrd (loop)/live/initrd.img
}
We have created a bash script with gksu or pkexec for the user for
updating their Tails ISO:
#!/bin/bash
cd /iso
gksu -- bash -c 'xterm -e "rm tails.iso; wget http://95.211.190.99/astick1804/tails.iso"'
We also have a script for updating GRUB's 40_custom.
I am donating to Tails per computer sold.
Guy
On 31/10/18 at 11:06, intrigeri wrote:
> Hi!
>
> Meta: redirecting from tails-project@ to our development mailing list
> and taking over from our Help Desk who, understandably, cannot handle
> this further than "this is not supported, sorry" :)
>
> linux-service:
>> We are selling open-source computers and install by default a system where a
>> Tails ISO on the hard drive is booted with grub2 toram.
> Interesting! There are a number of concerns with this approach but I'd
> like to help you do this in a way that's reasonably safe for your
> clients and does not cause us too much additional work.
>
>> The HDD(s) are not mounted. Is this way of booting Tails as secure as
>> booting from USB or DVD?
> There are a few concerns about this approach, some of them tackle
> your question:
>
> - How do you force live-boot to start from an internal drive?
> I assume you need to remove live-media=removable, no?
> Note that doing this implies full trust in the internal hard drive,
> which is not something the users may expect when using Tails.
>
> - Do you communicate to your clients, somehow, that the way you're
> installing this Tails system is unsupported by the Tails project
> and the resulting system may behave differently than a "real" Tails?
>
> - How do you keep the kernel command line up-to-date? Assuming you
> hard-code it in the GRUB configuration, please be aware that we
> sometimes change it. I'm worried your GRUB config and what the
> installed ISO expects might get de-synchronized over time.
>
> - How do you handle upgrades? I'm worried that your clients are left
> with an obsolete Tails and no documented way to upgrade it.
>
> - We'll soon stop supporting the ISO image except for DVDs and
> virtual machines (https://labs.riseup.net/code/issues/15292).
> Probably not a big deal for you in terms of initial installation,
> but this will make upgrades even harder for your clients. And an
> important upcoming security improvement (persistent RNG seed) will
> only work when Tails is installed on a USB stick.
>
> - The Tails user experience relies more and more on our opt-in
> persistence feature. While we still support read-only Tails, be
> aware that you're shipping a flavour of Tails with a restricted
> feature set. It would be nice to communicate this to your users
> and point them to our doc about installing a full-blown Tails :)
>
> Cheers,
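
Added example, not part of either message above: one way the ISO update step could keep the bootable image in place until the new download has been checked, which bears on both the update script and the upgrade concern in the quoted reply. Assumptions: the function names, the ".new"/".prev" file names, and that the expected SHA-256 digest reaches the machine over a channel you trust; the thread does not say how the ISO is authenticated.

```shell
#!/bin/bash
# Added example: verify a downloaded ISO before it replaces the one GRUB boots.
# Function names and the ".new"/".prev" suffixes are hypothetical.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# install_verified_iso CANDIDATE EXPECTED_SHA256 DEST
# Replaces DEST only when CANDIDATE matches the expected digest.
# On a mismatch it deletes CANDIDATE, leaves DEST untouched and returns 1.
# CANDIDATE must be on the same filesystem as DEST (e.g. /iso/tails.iso.new)
# so that the final rename is atomic.
install_verified_iso() {
    local candidate expected dest actual
    candidate=$1; expected=$2; dest=$3
    [ -s "$candidate" ] || { echo "candidate missing or empty" >&2; return 1; }
    # Accept an upper-case digest, then insist on exactly 64 hex characters.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 1; }
    actual=$(sha256_of "$candidate") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        rm -f -- "$candidate"
        return 1
    fi
    # Keep the previous image reachable under DEST.prev via a hard link
    # (no copy of a large file), then rename the verified image into place.
    if [ -e "$dest" ]; then
        ln -f -- "$dest" "$dest.prev" || return 1
    fi
    mv -f -- "$candidate" "$dest"
}
```

The download itself would write to the ".new" path first; a failed or tampered transfer then never touches the image named in the GRUB entry.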