Bug #15016
Explain better how to disable Secure Boot
0%
Description
Many users contact frontdesk because they need to disable Secure Boot.
This is not easy to understand on the Install instructions (at least for this kind of users). It should be more prominent.
I send them to the microsoft page:
Files
Subtasks
Related issues
Related to Tails - |
Resolved | 2018-12-17 | |
Blocks Tails - |
Resolved | 2016-01-08 |
History
#1 Updated by emmapeel 2017-12-05 08:04:26
- blocks
Feature #14758: Core work 2017Q4 → 2018Q1: Technical writing added
#2 Updated by Anonymous 2018-01-17 09:09:35
- Assignee set to sajolida
@sajolida: may you check who could work on this and when please? thanks!
#3 Updated by Anonymous 2018-01-17 09:09:45
- QA Check deleted (
Dev Needed)
#4 Updated by Anonymous 2018-01-17 09:16:22
Basically, in https://tails.boum.org/install/win/usb/index.en.html#install-inc-steps-restart-first-time we could better explain “Disable Secure Boot” with an interrogation mark or by linking somewhere (https://en.wikipedia.org/wiki/Hardware_restriction#Secure_boot for example).
#5 Updated by sajolida 2018-02-24 13:44:45
- Subject changed from Install docs: Secure Boot to Explain better how to disable Secure Boot
- Assignee changed from sajolida to emmapeel
- QA Check set to Ready for QA
What about that: doc/15016-disable-secure-boot.
#6 Updated by sajolida 2018-02-24 16:36:43
- Status changed from Confirmed to In Progress
Applied in changeset commit:8ed0bcb2ed93e97b688f4a2497fded10edc46e2f.
#7 Updated by emmapeel 2018-02-27 13:00:09
- Assignee changed from emmapeel to sajolida
I like it. Maybe with your correction my suggestion is not needed anymore, but just wanted to point out:
I have noticed that many users don’t get that the problem at boot is that they haven’t disabled the Secure Boot. The message displayed by the BIOS is not clear, or maybe too close to the Tails ISO image wording, for the users to think they have a problem with the ISO instead of with their BIOS settings.
So I think that maybe we could add something about secure boot also to the Troubleshooting section ‘if Tails does not start’.
#8 Updated by sajolida 2018-03-14 09:31:11
- Target version set to Tails_3.7
- QA Check changed from Ready for QA to Dev Needed
#9 Updated by sajolida 2018-03-22 19:13:49
- Assignee changed from sajolida to emmapeel
- QA Check changed from Dev Needed to Info Needed
I’m doing a first merge of the branch.
But I don’t understand your comment…
In “Troubleshooting - Tails does not start at all” we are instructing users to:
- Get to the Boot Menu, testing various key combinations.
- Edit their BIOS settings (including disabling Secure Boot) if they can’t get to the Boot Menu or the Boot Menu doesn’t lead to the Boot Loader Menu (syslinux).
Which is what you seem to propose…
Are you saying that we should also rephrase the following paragraph to mention explicitly failures related to Secure Boot:
« If none of the potential boot menu keys identified in step 3 work or if the USB stick does not appear in the list, then try the second troubleshooting technique described below. »
What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?
Or maybe you mean something else that I didn’t get…
#10 Updated by emmapeel 2018-03-22 22:08:55
sajolida wrote:
> What happens if you have secure boot enabled and get to the Boot Menu? Does the Tails USB stick appears in the Boot Menu? What happens if you select it?
>
> Or maybe you mean something else that I didn’t get…
Yes, I will try to compile the messages the users receive.
The computer will say something like ‘error on the image’ or ‘unsafe image’ and the users think they didn’t downloaded the ISO well, they don’t think their Windows is bluffing on them.
#11 Updated by emmapeel 2018-03-22 22:50:09
- Assignee changed from emmapeel to sajolida
- QA Check deleted (
Info Needed)
#12 Updated by sajolida 2018-03-26 19:48:41
- blocked by deleted (
)Feature #14758: Core work 2017Q4 → 2018Q1: Technical writing
#13 Updated by sajolida 2018-03-26 19:49:09
- Assignee changed from sajolida to emmapeel
- Target version deleted (
Tails_3.7)
Ok, then I’d like to have concrete examples of what happens, either a description of the screen or a photo, before writing more stuff. Could you do that?
No hurry, so I’m removing the target version and the blocking relationship with Core work 2018Q1.
#14 Updated by emmapeel 2018-04-03 09:43:19
- File image221.png added
Here an example:
—————————-
Secure boot:
—————————-
Image failed to verify with ACCESS DENIED
Press any key to continue
I attach the screenshot image221.png
#15 Updated by Anonymous 2018-08-16 13:00:47
- Assignee changed from emmapeel to sajolida
- QA Check set to Info Needed
Assigning to sajolida for comment.
#16 Updated by sajolida 2018-08-16 19:20:32
- Assignee deleted (
sajolida) - QA Check deleted (
Info Needed)
Ok!!!
So now I understand that people somehow manage to tell their computer to try starting on a Tails USB stick with Secure Boot enabled and that’s the error message they get. I didn’t know this was possible…
We should definitely document that!
This is on our installation flow and can possibly affects a vast majority of our users, so let’s make this part of our core work.
Thanks for resurrecting this ticket u!
#17 Updated by intrigeri 2018-08-17 06:14:16
- related to
Feature #6560: UEFI Secure boot added
#19 Updated by cbrownstein 2019-01-15 19:35:53
- File bitlocker-recovery-dialog.jpg added
- File secure-boot-violation-dialog.jpg added
Here is a (scary) Secure Boot experience I had the other day:
I borrowed a Microsoft Surface Laptop 2 running Windows 10 Home. My plan was to test the new Tails USB image.
The USB image copied to a USB stick using Etcher without any issues.
I left the USB stick in the laptop. I tried to boot from advanced startup[1].
The Microsoft logo displayed for a few seconds before the laptop booted into Windows.
No messages were displayed to explain why the laptop booted into Windows instead of Tails.
From previous experience, I suspected this was a Secure Boot issue.
I restarted the laptop and held the volume-up button on boot[2] to access the BIOS/UEFI.
[2] https://support.microsoft.com/en-us/help/4023532/surface-how-do-i-use-the-bios-uefi
I was presented with a window on boot:
> SecureBoot violation!
>
> One or more of the selected boot devices had a SecureBoot violation! Returning to Surface settings. Please verify SecureBoot key configuration and boot device selection.
I disabled Secure Boot in the BIOS/UEFI.
I restarted with the USB stick in the laptop.
The laptop tried to boot into Windows. But, I was asked for a BitLocker recovery key! (See the attached picture.)
I did not have a recovery key. I was worried that I had just lost all the data on the internal drive of this laptop!
I re-enabled Secure Boot per the dialog and restarted the laptop. I was still being prompted for a recovery key.
(Very) luckily I was able to get a recovery key.
I decided not to make further attempts to boot Tails. I did not want to risk losing the data on this borrowed laptop.
#20 Updated by intrigeri 2019-01-27 13:18:08
- Parent task set to
Bug #12474
#21 Updated by sajolida 2019-01-29 15:44:41
Wow, crazy!
BitLocker needs your recovery key to unlock your drive because Secure Boot has been disabled.
#22 Updated by sajolida 2019-02-21 07:35:10
- blocks
Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing added
#23 Updated by sajolida 2019-07-18 16:59:28
- blocks
Feature #16711: Core work 2019Q3 → 2019Q4: Technical writing added
#24 Updated by sajolida 2019-07-18 16:59:30
- blocked by deleted (
)Feature #15941: Core work 2018Q4 → 2019Q2: Technical writing
#25 Updated by sajolida 2019-08-10 17:09:45
Our MOSS grant about supporting Secure Boot has been approved and we’ll have to deliver it by July 2020. It’s in while but significantly improving our documentation will be a lot of work and we have tons of other important things to do. So I propose to reject this ticket.
Maybe before closing it, you could share any relevant findings with us in case you already identified some easy things to fix.
#27 Updated by sajolida 2019-08-29 08:46:52
- Status changed from In Progress to Rejected
- Assignee deleted (
cbrownstein)